Ethical Hacking News
Gartner Research Vice President Craig Lawson has sparked controversy by stating that organizations should not rush to implement patches on Patch Tuesday, arguing that a more measured approach may even improve their security posture. Can we really afford to slow down when patching vulnerabilities?
Organizations should not rush to implement patches on Patch Tuesday, according to Gartner Research Vice President Craig Lawson. Most organizations cannot keep up with the pace of patching, and developers issue more patches than users can implement safely. Attackers exploit only 8-9% of vulnerabilities, and they often target less serious flaws rather than the critical ones. The "age of industrialized vulnerability exploitation" has not yet arrived, according to Lawson. Instead of patching all vulnerabilities, organizations should focus on developing a "cohabitation metric" that explains how to live with unpatched systems. Patching can have unintended consequences and is often a "boomerang": use it and it will come back and hit you in the face.
Gartner Research Vice President Craig Lawson has sparked controversy by stating that organizations should not rush to implement patches on Patch Tuesday, as it may even improve their security posture. This opinion is a stark contrast to the conventional wisdom that patching vulnerabilities is essential for maintaining robust security.
Lawson's assertion is rooted in his research, which suggests that most organizations are unable to keep up with the pace of patching. He believes that developers issue more patches than users can implement safely, and that the effort required to determine whether a patch will have unintended consequences may be ineffectual. Furthermore, Lawson points out that attackers exploit only 8-9% of vulnerabilities, and that they often target less serious flaws rather than the critical ones.
In an interview at Gartner's Infrastructure, Operations & Cloud Strategies Conference, Lawson emphasized that organizations are not yet in the age of industrialized vulnerability exploitation. He stated that criminals often ignore even nasty zero-days and that state actors are reluctant to use patches because a patch is a "boomerang": use it and it will come back and hit you in the face.
Lawson's advice is that instead of trying to implement all patches, organizations should focus on developing a "cohabitation metric" that explains how to live with unpatched systems by considering compensating controls that can ameliorate a flaw. He suggests that this metric should be shared with applications teams and other stakeholders to develop a tailored plan for what to patch and when.
Lawson also cautioned against treating a slow pace of patching as a sign of failure, because, as he put it, "patching sucks for everyone." Instead, organizations should adopt a more pragmatic approach, acknowledging that patching can have unintended consequences. By taking a measured approach, organizations can reduce their "threat debt": a measure of technical debt focused on known but unfixed security exposures.
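The article does not say how a "cohabitation metric" or a "threat debt" figure would actually be calculated. The script below is an added illustration, not code from the article, from Gartner or from Lawson, of one way a vulnerability-management team could put both ideas into practice: each open finding is scored by severity, exposure and exploitation evidence, that score is discounted for compensating controls that are already in place, the result drives a patch-now / patch-this-cycle / cohabit / accept decision that can be shared with application owners, and the residual scores are summed, weighted by how long each exposure has been known, into a single threat-debt number to track over time. The weights, thresholds, control names and the decision rule are assumptions chosen for the example, and the finding inventory is constructed sample data with placeholder identifiers rather than real CVEs.

```python
"""Risk-based patch prioritization with compensating controls and a
'threat debt' tally.

Added example; not from the article or from Gartner. Every weight and
threshold below is an assumption made for illustration, and the sample
findings are constructed data with placeholder IDs (not real CVEs).
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    finding_id: str                 # placeholder identifier, not a real CVE
    asset: str
    cvss: float                     # base severity, 0-10
    known_exploited: bool           # evidence of exploitation in the wild
    internet_facing: bool
    compensating_controls: list[str] = field(default_factory=list)
    age_days: int = 0               # days the exposure has been known and unfixed


# Assumed fraction of residual risk each compensating control removes.
CONTROL_WEIGHT = {
    "network_segmentation": 0.4,
    "waf_rule": 0.3,
    "edr_detection": 0.2,
    "mfa": 0.3,
    "service_disabled": 0.9,
}


def residual_risk(f: Finding) -> float:
    """Residual score 0-10: severity scaled up for exploitation evidence and
    internet exposure, then discounted multiplicatively per control so that
    stacked controls never drive the score negative."""
    score = f.cvss
    if f.known_exploited:
        score *= 1.5
    if f.internet_facing:
        score *= 1.25
    for control in f.compensating_controls:
        score *= 1.0 - CONTROL_WEIGHT.get(control, 0.0)
    return round(min(score, 10.0), 2)


def decision(f: Finding) -> str:
    """Assumed decision rule: exploited-in-the-wild findings with meaningful
    residual risk are patched immediately; the rest are tiered by score."""
    risk = residual_risk(f)
    if f.known_exploited and risk >= 4.0:
        return "patch_now"
    if risk >= 7.0:
        return "patch_this_cycle"
    if risk >= 3.0:
        return "cohabit_with_controls"
    return "accept_and_track"


def prioritize(findings: list[Finding]) -> list[tuple[str, str, float]]:
    """Ordered worklist to share with application teams: highest residual
    risk first, exploited findings first among equals."""
    ordered = sorted(findings, key=lambda f: (-residual_risk(f), not f.known_exploited))
    return [(f.finding_id, decision(f), residual_risk(f)) for f in ordered]


def threat_debt(findings: list[Finding]) -> float:
    """Sum of residual risk over known-but-unfixed exposures, weighted by age
    (an exposure that has been open a year or more counts double)."""
    total = 0.0
    for f in findings:
        age_factor = 1.0 + min(f.age_days, 365) / 365.0
        total += residual_risk(f) * age_factor
    return round(total, 2)


# Constructed sample inventory (placeholder IDs, not real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("FINDING-001", "vpn-gateway", 9.8, True, True, [], 3),
    Finding("FINDING-002", "internal-erp", 9.8, False, False,
            ["network_segmentation", "edr_detection"], 120),
    Finding("FINDING-003", "public-web", 7.5, True, True, ["waf_rule"], 10),
    Finding("FINDING-004", "legacy-file-server", 5.3, False, False,
            ["service_disabled"], 400),
    Finding("FINDING-005", "partner-api", 8.1, False, True, [], 30),
]

if __name__ == "__main__":
    for finding_id, action, risk in prioritize(SAMPLE_FINDINGS):
        print(f"{finding_id:12} {action:24} residual={risk}")
    print("threat debt:", threat_debt(SAMPLE_FINDINGS))
```

The interesting rows are the two 9.8-severity findings: the exposed VPN gateway with exploitation evidence stays at the top of the list, while the segmented, EDR-monitored ERP host drops into the cohabit tier, which is the kind of tailored "what to patch and when" outcome the article describes. Tracking the threat-debt total from cycle to cycle shows whether deferring patches is keeping risk flat or letting it accumulate.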
The Gartner analyst's views have sparked debate in the cybersecurity community, with some arguing that Lawson's advice is too cautious and others welcoming his perspective as a breath of fresh air. Regardless, Lawson's warning serves as a reminder that patching vulnerabilities is not always as straightforward as it seems.
Related Information:
https://www.ethicalhackingnews.com/articles/Gartner-Analyst-Warns-Against-Rushing-to-Patch-Vulnerabilities-We-Are-Not-in-the-Age-of-Industrialized-Vulnerability-Exploitation-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/05/14/improve_patching_strategies/
Published: Wed May 14 08:46:16 2025 by llama3.2 3B Q4_K_M