You can’t patch your way out of threat debt

Published on the 22/05/2025 | Written by Heather Wright


And maybe you can ignore some of that patching…

“You don’t make a population healthy by giving everyone an aspirin,” says Craig Lawson. “What you do is treat every patient individually.”

And that, according to Lawson – a Gartner research vice president – is how organisations need to address patching.

Speaking at Gartner’s Infrastructure, Operations and Cloud Strategies conference, Lawson said no one has ever been able to out-patch threat actors at scale, and his conversations with some of the biggest banks, retailers, government agencies and hyperscalers have shown that none of them have conquered patching either.

“If you have organisations that are literally spending billions on their IT programs, including patching, and they can’t do it, what about the rest of us?”

But Lawson argues that patching every vulnerability may not be necessary, labelling the belief that if we patch more frequently we’ll be more protected as ‘one of the biggest, worst, egregious fallacies in all of IT’.

Instead, he called on organisations to consider their threat debt – the technical debt your organisation carries that will be exploited by threat actors.

He says his research shows just eight to nine percent of vulnerabilities in each calendar year are actually exploited in the wild.

“If we’re talking about threats, that should be a really important priority in how we deal with it.”

Few exploitations are zero day, either, he says – they’re potential boomerangs which can come back and hit the attacker in the face – but the majority, regardless of severity, are exploited within one or two days of disclosure.

“When we say no one has ever out-patched threat actors at scale, that is why. They are exploiting a statistically small number of vulnerabilities, very quickly, regardless of severity.”

Nonetheless, many organisations try to patch everything, often to meet internal SLAs, but that practice hasn’t resulted in a decrease in attacks.

“Think how much time we are wasting patching stuff that makes no difference to your security posture.

“I’d love that data showing how much patching we did last quarter that made no difference to our security posture.”

He compared it to bridges falling down and money being pumped in to make sure it doesn’t happen, only to have more bridges fall down.

“You’d think someone would come along and say ‘do you know why bridges fall down in the first place?’”

He warned too that ‘patches break things’ – and to clients an outage from a patch fail is no different to an outage from a breach – and some patching, such as Java, may require multiple other subsystems to be patched first.

He suggested organisations move from vulnerability management to exposure management, which takes into account whether a vulnerability is exploitable for the specific organisation and a ‘cohabitation metric’ which considers all the other controls deployed.

“We have all these other compensating controls deployed… we have app controls, DNS filtering, zero trust, network segmentation, web, email, firewall. You probably have at least 10 compensating controls and patching is another one.”
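The shift Lawson describes, from ranking by severity to ranking by exploitation, reachability and the controls already in place, is easy to show on a small backlog. The script below is an added illustration written for this page, not Gartner's metric or any code from the talk: the vulnerability identifiers, the inventory, and the exploitation, reachability and control-mitigation weights are all constructed assumptions chosen to make the effect visible.

```python
"""Severity-only vs exposure-based prioritisation of a vulnerability backlog.

Illustrative model only: the exploitation, reachability and control weights
below are constructed assumptions, not a published scoring method.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List

# Assumed fraction of residual exposure each compensating control removes
# when it covers the vulnerable path. Constructed values for illustration.
CONTROL_MITIGATION: Dict[str, float] = {
    "segmentation": 0.4,
    "waf": 0.3,
    "app_control": 0.5,
    "dns_filtering": 0.2,
    "email_filtering": 0.3,
}


@dataclass(frozen=True)
class Vuln:
    vid: str                  # placeholder identifier (constructed, not a real CVE)
    cvss: float               # base severity as reported by a scanner
    exploited_in_wild: bool   # known exploitation, e.g. from threat intelligence
    internet_facing: bool     # reachable without first breaching the perimeter
    controls: FrozenSet[str]  # compensating controls covering this exposure


def severity_score(v: Vuln) -> float:
    """The 'patch everything above a CVSS threshold' view: severity alone."""
    return v.cvss


def exposure_score(v: Vuln) -> float:
    """Severity weighted by exploitation, reachability and compensating controls."""
    # Assumption: a vulnerability with no known exploitation carries a tenth of the weight,
    # reflecting that only a small share of each year's CVEs is exploited at all.
    exploitation = 1.0 if v.exploited_in_wild else 0.1
    # Assumption: an internal-only exposure is worth half of an internet-facing one.
    reachability = 1.0 if v.internet_facing else 0.5
    residual = 1.0
    for control in v.controls:
        # Controls not in the table contribute nothing rather than raising an error.
        residual *= 1.0 - CONTROL_MITIGATION.get(control, 0.0)
    return v.cvss * exploitation * reachability * residual


def rank(vulns: Iterable[Vuln], scorer: Callable[[Vuln], float]) -> List[str]:
    """Return identifiers ordered from highest to lowest score."""
    return [v.vid for v in sorted(vulns, key=scorer, reverse=True)]


def low_value_patches(vulns: Iterable[Vuln], sla_cvss: float = 7.0,
                      exposure_floor: float = 1.5) -> List[str]:
    """Items a severity SLA would force through although their exposure is low."""
    return [v.vid for v in vulns
            if v.cvss >= sla_cvss and exposure_score(v) < exposure_floor]


# Constructed sample backlog (identifiers are placeholders).
INVENTORY = [
    Vuln("VULN-A", 9.8, False, False, frozenset({"segmentation"})),
    Vuln("VULN-B", 7.5, True, True, frozenset()),
    Vuln("VULN-C", 9.1, True, True, frozenset({"waf", "segmentation"})),
    Vuln("VULN-D", 6.5, True, False, frozenset({"app_control"})),
    Vuln("VULN-E", 10.0, False, True, frozenset()),
]

if __name__ == "__main__":
    print("severity order :", rank(INVENTORY, severity_score))
    print("exposure order :", rank(INVENTORY, exposure_score))
    print("SLA-driven, low exposure:", low_value_patches(INVENTORY))
```

Severity alone puts the two unexploited items at the top of the queue; once exploitation and the deployed controls are factored in, the exploited, internet-facing item with no compensating control moves to first place and the two unexploited criticals drop to the bottom. The `low_value_patches` list is the kind of figure Lawson says he would like to see: work a severity SLA demanded that changed little about the actual exposure.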

He suggested sharing the metric with others within the organisation to show ‘what is actually going on’.

He also called for collaboration across the organisation to identify the key threats and the patches they actually require.

“The diagnostics inform what your treatment plan should look like. You don’t get to a treatment plan without accurate diagnostics up front,” he says.

“The better job we do of quantifying threat debt and then retiring it, the better off we will be.”
