Tripwire 2016 Patch Management Study

Tripwire's 2016 Patch Management Study evaluated the attitudes of 480 IT professionals involved in patch management as well as trend data on enterprise patch volume.

“Finding vulnerabilities and remediating them are two interrelated processes; neither is particularly effective alone. This interplay between vulnerability and patching isn't unique to Tripwire as a vendor. It's part and parcel of running information security in any large organization. Our survey aimed to gain a valuable perspective on the state of patching in the enterprise so that we could better build products that help to reduce risk.”

Tim Erlin, director of IT risk and security strategist

How would you characterize the volume of security patches released for the average enterprise desktop or client?
Light, we have extra resources available 1%
Manageable, we can keep up 49%
High, there are times we can’t keep up 43%
Overwhelming, we can’t keep up 7%

Does your IT staff have difficulties understanding the difference between applying a patch and resolving a vulnerability?

Does your IT staff have difficulties knowing which patches should be applied to a specific system?

In your opinion, do products that ship both as standalone products and embedded into other products (i.e. Adobe Flash) create challenges in understanding the impact of security patches?
No 14%
Yes 86%

“The relationship between patches and vulnerabilities is far more complex than most people think. A single patch may fix multiple vulnerabilities on some platforms, but not others. There can be confusion between patches and upgrades, or patches and upgrades may address different, but overlapping sets of vulnerabilities. This complexity continues to increase making it more difficult for enterprise patch management teams to achieve and maintain a fully patched state.”

Tim Erlin, director of IT risk and security strategist