There is one thing you must do – and keep doing – to start down the path toward true enterprise resilience: Patch everything. All the time. Starting now.
To make your enterprise truly resilient you need a firm, reliable foundation of security. The successful laying of that foundation begins with patching. Why is this step so critical to effective security and enterprise resilience? Here are a few reasons:
According to the Verizon 2015 Data Breach Investigation Report, “Many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of the vulnerabilities are traced to 2007—a gap of almost eight years.”
Gartner analyst Anton Chuvakin addressed this grave security concern in one of his blog posts.
“Although patching has been ‘a solved problem’ for many years, even decades, a lot of organizations struggle with it today—and struggle mightily,” he observed. “In the darkest woods of IT, patching third party applications on a desktop remains a significant challenge for many organizations.”
By the way, the National Vulnerability Database managed by the National Institute of Standards and Technology (NIST) states that some 86 percent of reported vulnerabilities come from third-party applications. So even the most robust patching of operating systems is inadequate to assure that your environment is secure enough to be truly resilient.
Do whatever it takes to ensure that all of your enterprise’s critical applications, operating systems, servers, and user devices are patched and updated consistently and in a timely fashion. Then begin the following actions:
- Plan – To make and keep your enterprise as resilient as possible, you and your team must develop and implement a comprehensive, business-centric plan for achieving and sustaining the resilience levels your business demands. Whether described as “high availability,” disaster recovery/business continuity (DR/BC), or otherwise, the goals of your plan should be the same—maximum resilience. And that plan requires a well-thought-out planning lifecycle, which in turn depends upon a formal, detailed policy for DR/BC.
- Analyze – Your plan should also be based on a business impact analysis (BIA) that maps out all critical processes, systems, and services, their owners, and their interdependencies. You and your team should then establish formal recovery time objectives (RTOs) and recovery point objectives (RPOs) for all critical business functions and supporting services. In addition, all of your service level agreements (SLAs) should be closely aligned with these objectives.
- Engage – To be as successful as possible, your plan must also include specific guidance for keeping the constituents IT supports engaged and informed about efforts to maximize resilience, security, availability, and recoverability. Such marketing and sales efforts may be unfamiliar territory for many in IT. However, they can be essential in gaining support from and eliminating objection or obstruction by those constituents.
- Update – Finally, a comprehensive plan must also include specific recovery and continuity plans and procedures. It must also include processes for testing these regularly and for regular review of all relevant policies, plans, processes, and procedures.
No enterprise can be fully agile or trustworthy if that enterprise is not sufficiently resilient. In fact, insufficient resilience can kill an enterprise in the face of a major disruption or disaster.
Begin by patching everything, all the time, starting now. Then assess whatever current DR/BC resources and efforts are in place at your enterprise. Evaluate and triage these, then build upon them to reach and maintain the levels of resilience you, your constituents, and your enterprise want, need, and deserve.