Most businesses do not understand the difference between patch management and vulnerability management. To make matters worse, IT departments and Managed Service Providers habitually use them interchangeably, which may negatively affect your cybersecurity program’s effectiveness. While patch management and vulnerability management maintain a compatible relationship, they have separate duties, and may impact your organization’s IT risk.

What is Patch Management?

Patch management applies software updates to fix specific problems a manufacturer found in their product. When speaking of patch management, most people think of Microsoft and the monthly reminder to reboot to apply patches to their computer. However, that is only the beginning. Individual software on a computer also needs to be patched. Software like Java, Adobe and web browsers also need to be patched, as do hardware and networking appliances such as firewalls, switches, routers, and firmware on computers and servers.

Although vulnerability management is a larger topic than patch management, it complements patch management by detecting whether IT personnel applied patches correctly.

What is Vulnerability Management?

Vulnerability management is discovering, prioritizing, reporting and remediating vulnerabilities across the network infrastructure. A common misconception is that a patched system has no vulnerabilities.

Unfortunately, patches do not mitigate all vulnerabilities. Sometimes a person needs to complete a complicated task to fix a vulnerability. That was seen by guidance from Microsoft on May 30, 2022, with the Microsoft Support Diagnostic Tool Vulnerability (CVE-2022-30190). At the time this article was written, Microsoft does not have a patch for this vulnerability and work must be done to the Windows Registry to fix it.

If an organization is simply doing patch management, they would have a false sense of security that vulnerabilities do not exist. A properly configured vulnerability management program would detect the vulnerability and inform you know that additional work is needed.

Do I need Patch Management and Vulnerability Management?

A good cybersecurity program should be prepared to handle both patch management and vulnerability management. Think of vulnerability management as doing double duty in your organization. It is there to “audit” your patch management while educating you on additional IT risks to your organization. Now is the time to ask your IT department or Managed Service Provider about how vulnerabilities are being detected, prioritized, reported and remediated. On top of that, you should be seeing reports on what was patched versus what is still outstanding.

Do we install all patches and mitigate all risks?

Your organizations should see reports on patching, vulnerabilities and their remediation so business decisions can be made about IT-based risk. However, there should be a process to “accept risk,” as not all patches may be able to be applied and some vulnerabilities may not be remediated.

For instance, you may need to run an outdated web browser or Java to have a legacy system continue to function. Running an outdated version of software comes with risk, which management throughout the organization should understand. Sometimes, an organization can install additional technical controls to mitigate risk.

When should you do Patch Management and Vulnerability Management?

Patch and vulnerability management is a process an organization completes at intervals. Patches should be applied monthly, and vulnerabilities should be scanned annually (monthly or quarterly is better). A properly functioning vulnerability management program can help ensure patches are installed and help an organization make decisions on risk. Making informed decisions on IT risk will help avoid a breach.

Remember, even if you are doing both patch management and vulnerability management, it is a good idea to have an independent third party conduct an engagement to ensure your system is giving you valid information. Auditing your IT
and cybersecurity program at regular intervals shows your regulatory examiner you are taking cybersecurity seriously and can help avoid fines and civil penalties if your organization were to have a data breach.