Mastering Patch Management: Key Criteria and Evaluation Metrics

Companies still struggle with patch management because of factors including IT complexity and the velocity and volume of vulnerabilities and bugs identified in operating systems and applications. Patch management, a critical component of every IT department, is the process of handling updates or modifications to software applications, called ‘patches’. A strong patch management strategy is crucial in protecting enterprise data from potential vulnerabilities, but it can be difficult to develop and manage. That’s why many enterprises look for a comprehensive patch management solution to help them.

This is the second in a series of blog posts that summarize GigaOm’s Radar Report on Patch Management and spotlight what you should look for in a patch management solution. In our first blog post, we talked about taking stock of your operating environment (on-premises? hybrid? fully remote?) and your IT infrastructure. Once you’ve done that, consider the following areas as you review patch management vendors.

Identify your requirements

The primary goal of a patch management solution is to keep your systems secure by closing any known vulnerabilities promptly. Identifying requirements based on your operating environment and IT infrastructure is a great start. GigaOm goes a step further in its analysis by noting specific “key criteria,” which it defines as “technical capabilities define the perimeter of the market landscape.”

GigaOm lists the following as key criteria for patch management solutions and includes a chart highlighting vendors’ capabilities across these criteria in the most recent Radar Report on Patch Management:

  • Agent/Agentless architecture
  • Inventory
  • Patch lifecycle management
  • Patch testing
  • Patch deployment
  • Patch prioritization
  • Third-party or in-house applications
  • Trusted source repositories

Depending on your operating and IT environment, some of these requirements may be less critical for you. For example, if you have a configuration management database (CMDB) that serves as your system of record for devices, you may not need an inventory capability in a patch management solution.

Table details are redacted, per vendor usage restrictions. To see the full table, please download the report.

Consider a range of evaluation metrics

Next up, you should evaluate your requirements and market criteria. GigaOm provides a set of metrics to use in your evaluation that go beyond ranking the technical capabilities. These include:

  • Flexibility
  • Cost & Value
  • Scalability
  • Resource Load Management
  • Security
  • Usability

By evaluating these areas, you can get a better sense of non-technical requirements that can impact the purchasing process or your organization as a whole.

In the last installment of this blog series, we’ll share how GigaOm’s Radar Report can help you identify the right patch management solution. But if you want to dive into the report now, you can download a complimentary copy today.