Priority Over Publicity Over Performance: What are the Key Steps to Efficient Patch Management
Managing vulnerabilities requires multiple factors to work together: people, practices and performance – and, as the CrowdStrike incident from 2024 showed, a rogue patch can have massive consequences.
Number of Conversations
Leading the discussion, Sylvain Cortes, VP strategy at Hackuity, acknowledged the number of conversations on vulnerability management and the issues with current practices, and said the common feedback is that these practices often don’t work.
“I usually meet people with a lot of detection practices, and scanners for IT and cloud and code and external surface management – a lot of sources – and they struggle to have one single view of everything.”
He said this is a common problem facing every organisation, alongside questions about misconfigurations, what attackers are actually exploiting, and prioritisation – whether a given vulnerability needs to be patched urgently or not.
People Factor
Cortes said another factor in the discussion is around silos, as there are often different teams involved in scheduling and applying fixes. The security team is typically responsible for providing threat and risk information, but they are not the people who do the fixing.
“The others are fixing stuff and you need a ‘glue’ as the teams are moving in different directions, and we see organisations struggle with this between security and production teams to get the message out and do the right thing.”
The roundtable chair said the issues around vulnerability management “can be very painful”, especially as the landscape shifts and flaws increase or decrease in severity.
They also admitted that working with another team to deploy fixes can involve “jumping through hoops” to fulfil that team’s demands, especially when patches need to be rolled back.
Comments were made that whilst technology is important, what is key is people “and influencing people to enact the actions” that you need to do. One participant said this is about a cultural mindset “and cracking the cultural nut” that will help you along the way.
Others recommended picking your battles with other teams, while ensuring that trust is maintained, and also being prepared to do PR with other teams – one participant said they offered tea and biscuits to other teams. Another said that asking ‘we found this, can I help?’ rather than saying ‘you must do this’ is a good tactic to win favour with other teams.
Assets and Prioritisation
One subject that was repeated throughout the discussion was about asset management, as if you don’t know what you’re running, how can you fix it? A participant said that there is no way to do prioritisation without effective asset management.
Another point was on the fuss around zero-day flaws that apparently require immediate attention, but the Chair said that the same amount of attention should be given to “400-days” as they can be just as important.
A participant recommended looking at “real world risk and what was exploited by who” to give you better risk prioritisation, and consider how to prioritise between critical flaws by looking at common methods of exploitation, and remediate those first.
Critical Systems
Another point made was that there is too much concentration on Microsoft patches and less on the rest of the estate – how often are those other systems included in a patch plan?
One participant said that you need to understand what your critical systems are, and know what you cannot do without – and keep that working. Another participant said that if you don’t know what is critical to your business operation, then you need to keep everything patched, and that can make your plans even harder to manage.
As well as that, a participant said that if a flaw sits “deep in the network” you can choose whether to patch it or not, depending on how likely it is to be reached and exploited.
Later in the discussion came the point that when missed patches hit the headlines, budget tends to be allocated and “the purse strings loosened”, so it is best to talk in the language of the business to make sure they understand the implications. “Make sure the C-suite doesn’t lose sight and drive risks home to them and implications of not investing budget and CEO sitting on BBC Breakfast,” said one participant.
In conclusion, the Chair said it is important not to “sit in the ivory tower and send edicts”; everything needs to be considered in the context of your business and applied back, “as if you don’t prioritise [it will] impact on your security posture.”
Cortes said context matters a lot, and there are options such as CVSS and CISA’s Known Exploited Vulnerabilities (KEV) catalog, but “everything is generic and you need to add your own context and own prioritisation” to be ready to operate.
With more than 40,000 CVEs published in 2024, you need to determine what is relevant to your organisation, and Cortes said the idea is often to aggregate everything, bring everything into a central point and add threat intelligence to it to understand what is likely to be used by an attacker.
“Also important in dealing with vulnerabilities is knowing where it is in the running in order to fix it, which system is using it and prioritisation and define if it is a risk or not,” he concluded.
Cracking the Culture in Vulnerability Management: how a VOC-based approach helps
Vulnerability Management (VM) isn’t just about tools or processes – it’s about people. Too often there are different teams involved in scheduling and applying fixes; while the security teams provide threat information, they’re not typically doing the fixing. There needs to be an approach which provides the ‘glue’ between security and production so that they’re moving in the same direction and taking action where it’s most needed.
The key to improved VM lies in building bridges between these teams across the organisation to take the necessary actions to reduce risk. Security teams must build relationships, communicate effectively, and align priorities with business objectives.
From Noise and Chaos to Context and Action: Why effective VM needs situational awareness
When everything is treated as urgent, true urgency loses meaning. In cybersecurity, this can lead to alert fatigue and poor prioritisation.
Not every vulnerability requires an immediate patch; urgency depends on context with factors like exposure and business impact taken into account. If you don’t know what is critical to your business operation, then you need to keep everything patched, and that can make your plans even harder to manage.
A risk-based approach ensures that critical vulnerabilities are addressed quickly, while lower-risk ones are managed appropriately. Effective triage, guided by situational awareness, prevents chaos and enables smarter decision-making.
Asset Management and Vulnerability Management must work together
You can’t secure what you don’t know exists. Without accurate, real-time visibility into assets (hardware and software), vulnerability data lacks context and precision.
Asset Management provides the foundation: identifying what systems are in use, where they reside, and who owns them. Vulnerability Management builds on this, identifying and prioritising risks within those assets. Together, they enable informed decision-making, focused remediation, and efficient risk reduction. When aligned, these functions transform security from reactive patching to proactive, strategic protection of an organisation’s digital environment.
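The prioritisation described in the roundtable (context on top of generic scores, known-exploited lists such as CISA KEV, asset criticality and exposure) and in the two sections above (situational awareness, and asset management as the foundation for VM) can be sketched as a small triage routine. The Python below is an added example, not code from Hackuity, the roundtable or any product; the inventory, scanner findings, CVE identifiers, weights and tier thresholds are all constructed assumptions for illustration. It joins findings to the asset inventory, boosts known-exploited and internet-facing items, and reports findings on hosts the inventory does not know about, which is the asset-management gap the page warns about.

```python
"""
Context-aware vulnerability triage (illustrative, constructed data).

Joins scanner findings with an asset inventory and a known-exploited
list, then ranks them so the same CVE can land in different tiers
depending on where it sits and how exposed it is.
"""
from dataclasses import dataclass

# Constructed asset inventory: the foundation the page describes.
# exposure: "internet" or "internal"; criticality: 1 (low) .. 5 (crown jewel)
ASSETS = {
    "web-01": {"owner": "platform", "exposure": "internet", "criticality": 5},
    "erp-db": {"owner": "finance-it", "exposure": "internal", "criticality": 5},
    "kiosk-7": {"owner": "facilities", "exposure": "internal", "criticality": 1},
}

# Constructed stand-in for a known-exploited list (e.g. CISA KEV).
# The CVE identifiers are placeholders, not real vulnerabilities.
KNOWN_EXPLOITED = {"CVE-0000-1001"}

# Constructed scanner output: (host, cve, cvss base score)
FINDINGS = [
    ("web-01", "CVE-0000-1001", 6.5),   # moderate CVSS, but actively exploited and internet-facing
    ("web-01", "CVE-0000-1002", 9.8),   # critical CVSS, no exploitation evidence
    ("erp-db", "CVE-0000-1003", 9.1),   # critical CVSS, deep in the network
    ("kiosk-7", "CVE-0000-1002", 9.8),  # same critical CVE on a low-value box
    ("ghost-3", "CVE-0000-1004", 7.5),  # host missing from the inventory
]


@dataclass
class Triaged:
    host: str
    cve: str
    cvss: float
    score: float
    tier: str
    reason: str


def triage(findings, assets, known_exploited):
    """Return (ranked findings, findings on unknown hosts).

    Weights and thresholds are assumptions chosen for the example:
    score = cvss * criticality, x1.5 if internet-facing, +100 if exploited.
    """
    ranked, unknown = [], []
    for host, cve, cvss in findings:
        asset = assets.get(host)
        if asset is None:
            # No context available: cannot prioritise, so surface it as an inventory gap.
            unknown.append((host, cve))
            continue
        score = cvss * asset["criticality"]
        reasons = [f"cvss={cvss}", f"criticality={asset['criticality']}"]
        if asset["exposure"] == "internet":
            score *= 1.5
            reasons.append("internet-facing")
        if cve in known_exploited:
            score += 100  # exploitation in the wild outranks any CVSS combination
            reasons.append("known exploited")
        if cve in known_exploited or (asset["exposure"] == "internet" and cvss >= 9.0):
            tier = "P1"
        elif score >= 30:
            tier = "P2"
        else:
            tier = "P3"
        ranked.append(Triaged(host, cve, cvss, round(score, 2), tier, ", ".join(reasons)))
    ranked.sort(key=lambda t: t.score, reverse=True)
    return ranked, unknown


if __name__ == "__main__":
    ranked, unknown = triage(FINDINGS, ASSETS, KNOWN_EXPLOITED)
    for t in ranked:
        print(f"{t.tier} {t.host:8} {t.cve} score={t.score:<7} ({t.reason})")
    for host, cve in unknown:
        print(f"??  {host:8} {cve} -- host not in asset inventory; fix the inventory first")
```

Running it shows the point the roundtable made: the CVSS 9.8 finding is P1 on the internet-facing server and P3 on the kiosk, the CVSS 6.5 known-exploited finding sits above both, and the host the inventory does not know about cannot be placed at all.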