Security Patches and Negative ROI Equal Corporate Stupidity

ROI (return on investment) is a key concept in IT spending today.

The board is much more likely to spend money on IT if ROI can be demonstrated in a reasonable period of time. It's a very sensible, sound business idea. Yet many companies are actually practicing what could be called negative ROI - they choose IT products which cost them more money the longer they have them. In the current business environment, this could be described as corporate stupidity.

I'm talking about the vexed question of security patches. Using software which requires frequent patching because of security problems means you're pouring money down the drain. It creates a situation in business akin to anarchy. What's more, it's a situation which is totally unnecessary, because there are solutions to the problem.

When a security patch alert is issued, you have two options. You can stop whatever it is that you are doing, no matter how important or crucial, and spend the day (or the next several days) applying patches to servers. Or you can decide that what you had intended to do before you knew about the patch is vital and cannot be postponed. You then hope nothing will happen.

Other factors come into play as well. Installing patches is boringly repetitive and an uninspiring chore, which usually requires expensive, skilled technical staff (probably in short supply) to carry it out. Servers often have to be brought down, so the natural tendency is to postpone patching. The thinking may be to wait until the next patch is required and install both of them together. When you postpone patching, as many people do, you are accepting insecurity as a way of life.

This is a situation that hackers want and expect. They know people delay patching, so when a security problem is announced, they target it - knowing it's unlikely to be fixed immediately. A clear example of this situation happened with the SQL Slammer worm, which affected an estimated 35 percent of the world's SQL servers by exploiting a security risk in SQL Server 2000. A fix for this problem was actually issued in July 2002.

On the other hand, if you do take the route of applying patches immediately, where does that leave the IT department? When skilled staff are engaged in firefighting, commitments given to deliver in other areas go out of the window, leaving the IT department's reputation in tatters.

Instead of being driven by business need, the IT department (and by consequence the company) is driven by problems with software they may have bought years earlier, and by the actions of hackers. As for strategic planning and management - they don't even get a look in. It's no longer a question of 'What can the business deliver today?' It's a question of 'If we don't install these patches and something happens, we could be in serious trouble and someone might lose their job.'

The financial implications of patching are considerable. Skilled IT staff are scarce and valuable, so employing them to firefight is a waste of money. In larger companies, the task of applying patches to multiple servers could keep someone occupied full time (if anyone wanted the job). Then there are the costs of being unable to follow through on business plans because of delays from the IT department; and of having systems out of action while servers are being fixed.

There are solutions to the problem of security patching. Firstly, choose software which is more secure and has minimal need for patches. Be aware, too, that there are often significant ongoing costs associated with so-called 'free' software. Free can mean cheap to begin with, but much more expensive in the long run.

Figures recently released by Zeus Technology illustrate the problem. They show a huge difference in the annual cost of applying security patches to the three leading web servers - Microsoft IIS, Apache and Zeus.

Zeus estimates that in 2002 it cost Microsoft IIS users around £30,000 ($47,300) annually to apply security patches to 10 servers, while it cost Apache users around £7,000 ($11,000) and Zeus users around £120 ($190). For larger organizations with 100 servers, it cost IIS users around £312,000 ($491,136), Apache users around £60,000 ($94,500) and Zeus users around £1,200 ($1,890).

Although Zeus is the only web server of the three which is specifically paid for (Apache is free and Microsoft IIS comes with the NT operating system), the low maintenance costs shown by these figures mean Zeus achieves payback within months. It is then very significantly cheaper to maintain than the other two leading web servers.

John Paterson, CEO of Zeus, commented: "People are becoming increasingly aware of web security. What they are less familiar with is the true cost of actually maintaining that security. Unfortunately, many organizations are faced with a choice of taking their servers down for a day and applying security patches, or running risks with them as they are. That's a choice companies shouldn't have to make."

Another solution is to use security appliances where possible. These utilize hardened operating systems and eliminate many of the shortcomings of server-based security. Appliances have become increasingly popular over the last couple of years, and their success can be seen, in part, as a direct response to the issues of negative ROI through server patching. People have come to recognize the benefit of not having to patch appliances. They've also appreciated other benefits such as the plug-and-play design, the low cost, easier installation and easier management.

Appliances are available today for firewalls, anti-virus, VPNs, anti-distributed denial-of-service (DDoS), content management and other security functions. WatchGuard's Firebox Vclass, for example, is an ASIC-based (application-specific integrated circuit), high-performance firewall and VPN appliance; Allot's NetPure device provides policy-based web/URL filtering; and the RapidStream/Check Point appliance family provides extremely fast, ASIC-based firewall and VPN solutions.

Increasingly, multi-function appliances are available which offer a variety of security options in one device. Fortinet, for example, produces FortiGate, an ASIC-based anti-virus firewall which also includes a VPN, content inspection and intrusion detection. Because it's ASIC-based, it has the added advantage of being extremely fast.

Appliances are finding their way into companies and organizations from SOHO to enterprise. They are ideal for SMEs, where fewer skilled staff and less funding are available and the choices would otherwise be to remain insecure or to employ someone they can't afford on a totally unpredictable basis. Appliances can also be very useful for wireless security in small companies.

Security devices are increasingly penetrating larger companies too, where they are appreciated for their ease of deployment, ease of management and the fact that they are server independent. Speedy ROI is another advantage of security appliances for larger companies, as is their usefulness in branch offices.

This trend is confirmed by a recent IDC survey, which indicated that hardware appliances are becoming the primary avenue by which customers purchase security. Sales of integrated security appliances have risen recently as organizations have recognized the ease of their deployment, even at remote sites where technical skills can be scarce.

Given the availability of options, as well as the increasing costs and risks involved in security patch deployment, it's hard to understand why some people will continue to waste time, effort and money on patching. Increasingly, the great majority will switch to secure web servers or security appliances. This will give them not only increased security, but also what everyone is looking for - positive ROI.

Ian Kilpatrick is chairman of Wick Hill Group, a company specializing in secure infrastructure solutions for e-business (
