Worried about interrupting operations, more than 80% skip critical updates, leaving their systems at risk, study finds
Concern over interrupting business operations keeps 81% of CIOs and CISOs from deploying security updates and patches, a practice that puts their IT environments at greater risk, according to research from endpoint protection vendor Tanium. More than half of the 500 IT leaders polled said they’d made that questionable compromise more than once.
The Lowdown: Tanium’s Global Resilience Gap study also found that 32% of IT decision-makers say their organization’s departments and business leaders work in silos, leaving them with a lack of visibility and control over IT operations. This lack of visibility directly affected the business, with 80% of CIOs and CISOs discovering that a critical update or patch they thought had been deployed had not been distributed to all affected devices.
The Details: The study also revealed other IT security and operational trade-offs that CIOs and CISOs make in the face of wider business pressures. Some 94% of respondents admit they make significant compromises in the way they protect their organizations from IT disruptions caused by threats and outages.
The Buzz: “A resilient organization can depend on its people, processes, and technology to quickly adapt to cyberattacks, outages, and other forms of disruption,” said Ryan Kazanciyan, CTO at Tanium. “However, our research shows that over 80% of CIOs and CISOs have admitted to holding off on crucial updates due to concerns about the impact it might have on business operations. Given that global cyber-attacks such as WannaCry were catalyzed by poor security hygiene, organizations need to ensure that they can confidently effect change to protect critical assets, monitor impact, and recover from the unexpected.
“As organizations look to build a strong security culture, it’s essential that IT operations and security teams unite around a common set of actionable data for true visibility and control over all of their computing devices,” Kazanciyan added. “This will enable them to prevent, adapt, and rapidly respond in real time to any technical disruption or cyber threat.”