The level of responsiveness required to manage security patches is "painful," says Joe Dial, information security administrator at the Newport News, Va., offices of Siemens VDO Automotive, an auto electronics maker. Keeping up with patches takes up most of Dial's time, even though he also manages the facility's Internet connectivity and other networking projects.
Patch management requires companies to trust their vendors, who often protect their intellectual property by not disclosing just how they're fixing a vulnerability. Microsoft is one such vendor; its monthly patch downloads introduced the term "Patch Tuesday" into the IT vernacular. "In the past, [Microsoft] made it easy to be hacked," Dial says. "As a result, you have to be extremely proactive, which is hard when you don't know what's included in the patches Microsoft offers."
Dial credits Microsoft for issuing patches promptly, at least. Oracle, on the other hand, issues patches quarterly, and they often disrupt Siemens VDO Automotive's systems. Third-party patches, which gained prominence this year when Microsoft was slow to patch its Windows Metafile vulnerability, aren't an option for Siemens VDO Automotive. "I'm not going to go to hacker or cracker Web sites and do secret handshakes with people just to keep up with all of the threats to my network," Dial says.
General Motors' IT operations are completely outsourced, but chief security officer Eric Litt ultimately is responsible for the carmaker's systems and data security. GM makes all its own IT-related decisions but requires a lot of help from vendors. Litt would like vendors to provide enough information about new vulnerabilities so GM can protect itself before the patches arrive. That doesn't always happen. The real solution, he says, lies in vendors selling more secure products.
Outsourcers Fill Businesses' Security Gaps and Global Differences
InformationWeek Global Security Survey 2006: Controlled Chaos