Ivanti Originals

Risk-Based Patch Prioritization

Ivanti

Patch management is fundamental to effective cybersecurity. So why are most organizations still struggling with patch prioritization and implementation?  

Ivanti’s research — a global study of more than 2,400 executive leaders and cybersecurity professionals — explores how risk-based patch prioritization elevates patching to a proactive, high-performing security strategy.  

Listen to “Risk-Based Patch Prioritization” to get all our original research on the advantages of a risk-based approach to patch prioritization and patch management, and learn directly from Ivanti’s cybersecurity efforts the steps you need to take to implement this strategy.  

Get more resources 

To read the report and access additional media, including presentation-ready slides and downloadable charts and graphs, visit ivanti.com/proactive-security 

For more Ivanti research on IT, security and the future of work, visit ivanti.com/research. 

About Ivanti 

Ivanti elevates and secures anytime, anywhere work so that people and organizations can thrive. We make technology work for people, not the other way around. Today’s employees use a wide range of corporate and personal devices to access IT applications and data over multiple networks to stay productive wherever and however they work. Ivanti is one of the only technology companies that finds, manages and protects each IT asset and endpoint in an organization. Over 40,000 customers, including 88 of the Fortune 100, have chosen Ivanti to help them deliver excellent digital employee experiences and improve IT and security team productivity and efficiency. At Ivanti, we strive to create an environment where all perspectives are heard, respected and valued, and we are committed to a more sustainable future for our customers, partners, employees and the planet. For more information, visit ivanti.com and follow @GoIvanti.

Risk-based patch prioritization elevates patching to a proactive, high-performing security strategy. Ivanti's research examines the advantages of this approach and the steps to implement it.  

You’re listening to the audio version of Risk-Based Patch Prioritization, part of Ivanti’s state of cybersecurity research series. To see more Ivanti research, visit ivanti, I-V-A-N-T-I.com/research.  

[Music begins]  

Part one: Patch prioritization: critical yet chronically mismanaged 

Patch management is fundamental to effective cybersecurity. So why are most organizations still struggling with patch prioritization and implementation? 

[Music ends]  

Given the size and complexity of attack surfaces, no organization can reasonably address all vulnerabilities all the time. Patch prioritization ensures the most critical vulnerabilities are addressed first, optimizing resource use and minimizing security risks. 

Yet when it comes to patch management, Ivanti’s research shows “everything is a priority.” Nearly all security professionals rate every factor listed as “moderate” or “high” urgency … but when everything is a priority, nothing is a priority. 

Vendors often assign their own severity ratings to alert customers to the potential impact and urgency of newly discovered vulnerabilities. Unfortunately, there is no industry standard behind these ratings, so companies are left to compare and prioritize patch releases based on these isolated recommendations. On top of that, ratings are rarely updated to account for active threat context, even as the real-world risk of a vulnerability changes. 

It’s no surprise then that 39% of cybersecurity professionals say they struggle to prioritize risk remediation and patch deployment, and 35% report they struggle to maintain compliance with regard to patching. 

This “everything is a priority” approach is neither effective nor sustainable. 

The most effective approach to patch management is risk-based prioritization, which builds on risk-based vulnerability management principles. Rather than relying solely on vendor severity ratings or basic CVSS scores, this method considers real-world factors such as exploit availability, asset importance and potential business impact. 

Organizations focus their patching efforts on those vulnerabilities that pose the greatest actual threat to their specific environment. This strategic approach ensures teams address the most critical security gaps first, making better use of limited resources while strengthening overall security posture. 

[Sting]  

How can you take action? 

Here’s what Chris Goettl, Ivanti’s Vice President of Product Management, has to say. 

“So, most of the vulnerabilities that are actively being targeted are not the ones that we're prioritizing response to. This is where getting into more of a risk-based approach to prioritization is required to be able to keep up with that. So, really, what we're ending up with is call it three different tracks of remediation. My normal routine maintenance that happens once a month doesn't matter what my SLA is. 

The priority updates, things like the browser updates or communications applications like Zoom and other things like that, that users are using typically are more highly targeted and need to be responded to on a more frequent basis. And then that zero-day response track. If I've got everything configured properly, all the updates that come out continuously, doesn't matter which type they are, all fall into one of those three priorities and get taken care of in the course of my regular activities that are configured within the systems I'm using.” 
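The narration in part one says risk-based prioritization weighs exploit availability, asset importance and business impact instead of relying on CVSS alone, and the quote above describes routing every update into one of three remediation tracks (routine, priority, zero-day). The following is an added example, not Ivanti's code or the product's scoring model: it scores a small constructed set of vulnerabilities, assigns each to a track, computes an SLA deadline per track, and shows how the resulting order differs from a CVSS-only order. The weights, the SLA days, the field names and the CVE placeholders are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Vulnerability:
    """One finding from a scanner, enriched with asset and threat context (fields are assumed)."""
    cve: str                 # placeholder identifier, not a real CVE
    cvss: float              # vendor/NVD base score, 0.0 to 10.0
    exploit_available: bool  # public exploit code exists
    actively_exploited: bool # observed exploitation in the wild
    asset_criticality: int   # 1 (lab box) to 5 (crown jewel)
    business_impact: int     # 1 (nuisance) to 5 (revenue-stopping)
    product_type: str        # "browser", "comms", "os", "server"
    published: date          # when the vendor released the fix


# Assumed SLAs for the three remediation tracks described in the transcript.
TRACK_SLA_DAYS = {"zero-day": 3, "priority": 14, "routine": 30}


def risk_score(v: Vulnerability) -> float:
    """CVSS scaled by threat context and by what the affected asset is worth to the business."""
    if v.actively_exploited:
        exploit_factor = 2.0   # weight is an assumption
    elif v.exploit_available:
        exploit_factor = 1.5   # weight is an assumption
    else:
        exploit_factor = 1.0
    # (criticality + impact) ranges 2..10, so the divisor keeps the score on a 0..20 scale.
    return round(v.cvss * exploit_factor * (v.asset_criticality + v.business_impact) / 10, 2)


def assign_track(v: Vulnerability) -> str:
    """Route an update into the zero-day, priority or routine track."""
    if v.actively_exploited:
        return "zero-day"
    if v.product_type in ("browser", "comms"):
        return "priority"   # frequently targeted user-facing software
    return "routine"


def prioritize(vulns: list[Vulnerability], today: date) -> list[dict]:
    """Return findings sorted by risk score, each with its track, SLA deadline and overdue flag."""
    rows = []
    for v in vulns:
        track = assign_track(v)
        deadline = v.published + timedelta(days=TRACK_SLA_DAYS[track])
        rows.append({
            "cve": v.cve,
            "score": risk_score(v),
            "track": track,
            "deadline": deadline,
            "overdue": today > deadline,
        })
    rows.sort(key=lambda r: (-r["score"], r["deadline"]))
    return rows


def cvss_only_order(vulns: list[Vulnerability]) -> list[str]:
    """The 'vendor severity only' ordering the transcript argues against, for comparison."""
    return [v.cve for v in sorted(vulns, key=lambda v: -v.cvss)]


# Constructed sample findings (placeholder CVE ids, made-up scores and context).
TODAY = date(2025, 6, 1)
SAMPLE = [
    Vulnerability("CVE-PLACEHOLDER-A", 9.8, False, False, 1, 1, "server", TODAY - timedelta(days=10)),
    Vulnerability("CVE-PLACEHOLDER-B", 7.5, True, True, 5, 5, "server", TODAY - timedelta(days=2)),
    Vulnerability("CVE-PLACEHOLDER-C", 8.8, True, False, 3, 4, "browser", TODAY - timedelta(days=20)),
    Vulnerability("CVE-PLACEHOLDER-D", 5.3, False, False, 4, 2, "os", TODAY - timedelta(days=40)),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(SAMPLE))
    for row in prioritize(SAMPLE, TODAY):
        print(f"{row['cve']}: score={row['score']:5.2f} track={row['track']:<8} "
              f"due={row['deadline']} overdue={row['overdue']}")
```

In the sample, the CVSS-only view puts the 9.8 on an isolated lab server first, while the risk-based view moves the actively exploited 7.5 on a critical asset to the top and flags the browser update as already past its 14-day SLA, which is the kind of compliance blind spot part two of the transcript describes.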

[Music begins]  

Part two: Data gaps: an ongoing concern 

The majority of cybersecurity professionals (87%) lack access to critical data that can help them make informed security decisions. 

[Music ends]  

If companies are to make risk-based decisions, they need access to real-time, high-fidelity data from across their entire environment, yet Ivanti’s research shows a sizable share of organizations fall short. 

Ivanti's research uncovers the most common data gaps that prevent companies from making more informed security decisions: 

The first of these is visibility gaps: 45% of companies report data blind spots, such as shadow IT, which create serious challenges for security professionals monitoring their attack surface. 

We also see contextual gaps: 41% of companies indicate they lack contextual data about which vulnerabilities are exposing their systems to threat actors. 

And finally, compliance gaps: More than 1 in 3 organizations (37%) report blind spots related to patch configurations, compliance status and/or meeting patch SLAs. 

These gaps have serious consequences. AI and automation are often cited as solutions to improve security decision making and operational efficiency, yet data gaps severely limit AI’s ability to analyze comprehensive datasets and generate accurate insights — a major barrier to making informed, evidence-based decisions. 

Siloed data, inaccessible data and missing data all contribute to ongoing, persistent data quality issues, which is a problem no AI tool can solve. In fact, 37% cite “data quality problems” as a significant barrier to using AI tools for cybersecurity. 

[Sting]  

How can you take action? 

Here's what Corinna Fulton, Vice President of Solutions Marketing, has to say: 

"It's really important to understand the context of that data and how it is actually going to be used when we think about data in service to remediation efforts. So the first thing that we want to think about is visibility of attack surface. The second is thinking about the context of the vulnerabilities within your organization, and whether it actually is a threat, is going to help you make the right decisions about remediation and prioritization. Speaking of that, the third kind of context that we want to think about is actual threat intelligence: the real context of threat analysis, what's happening with that vulnerability, both in the wild and as it relates to what's going on in your actual environment. And then one last type of context that's really important in thinking about data: if an asset is out of compliance, that also is causing a gap in your ability to prioritize effectively and then actually remediate the risk that is most important." 

[Music begins]  

Part three: Organizational silos compound patching problems 

Security professionals report widespread organizational silos between IT and security teams, driven by disconnected tech stacks and cultural divides between the two. 

[Music ends]  

40% of organizations report that the different tools used by IT and security teams contribute to friction between the two groups. But this tech divide represents only part of the problem. 

Ivanti’s research also points to cultural and strategic misalignments between IT and security teams that undermine decision making. More specifically, among security professionals: 

46% believe IT teams lack urgency when addressing cybersecurity problems. 

And 40% indicate IT teams don't adequately understand the organization's risk tolerance. 

These misalignments are especially apparent when it comes to patch management. Security teams are often focused on rapidly testing and deploying patches to minimize the window of exposure to threats, while IT teams must balance these remediation efforts against the operational impact on business functions, such as potential downtime and productivity loss. This push-pull dynamic can lead to disagreements over patching cycles — security wants speed; IT needs stability. 

Compounding the issue, the “everything is urgent” mentality can pressure IT to deploy patches before adequate testing, increasing the risk of system crashes, unplanned outages or the need to roll back updates. 

The interplay of these organizational silos and misaligned priorities often leads to fragmented communication and unclear ownership of patch management responsibilities — all of which contribute to ineffective patch prioritization and increased security vulnerabilities.   

[Sting] 

How can you take action? 

Here’s what Karl Triebes, Ivanti’s Chief Product Officer, has to say. 

“Given the size and complexity of the attack surface, organizations struggle with being able to reasonably address all vulnerabilities all the time. And the new gold standard for companies to use is risk-based patch management. And this is a much more strategic, much more focused, much more business-centric approach to ensuring that compliance. So risk-based patch management prioritizes and then applies patches based on the level of risk each vulnerability poses to an organization. 

This goes to the idea of organizational silos and how we break those down between IT and the security teams. A common way of thinking about priorities because of the silos, you know, and having a common language to do that. Well, the risk-based vulnerability management and this risk-based scoring, again, allows for the ability to contextualize and understand where to prioritize with what workflows need to be addressed.” 

[Music begins]  

Part four: AI and automation close the gap 

Today's sophisticated threats demand continuous, proactive monitoring and remediation. AI and automation point the way forward. 

[Music ends]  

AI and automation solutions offer organizations a way to fight back against sophisticated threat actors: 

They offer ways to transform prioritization: AI synthesizes massive quantities of data and analyzes vulnerabilities against the organization-wide threat context and risk context. 

And they offer ways to streamline remediation: Intelligent systems automate patching workflows, which can smooth over existing operational disconnects between security and IT teams, as well as reduce costly inefficiencies in the patching process. 

2025 may be the year companies are finally positioned to leverage AI. We asked security professionals, “What group will use AI more effectively in 24 months: threat actors or security teams?” More than half (53%) say security teams will use AI more effectively, compared to 21% who say threat actors will exploit it to their advantage. 

Despite the widespread optimism about AI's potential to shift the advantage toward defenders, organizations must first overcome substantial regulatory, talent and financial hurdles to realize this transformative promise. 

  • 48% of security professionals cite regulatory and data privacy barriers. 
  • 46% report they lack the talent to deploy sophisticated AI-fueled technologies. 
  • And 46% complain that the cost of AI tools limits their adoption. 

It’s no wonder that fewer than half of the organizations Ivanti surveyed use AI and automation for scenarios where it has proven to be highly effective: predictive IT maintenance, detecting usage/traffic anomalies and automating incident-response processes. 

[Sting] 

How can you take action? 

Here’s what Chris Goettl, Ivanti’s Vice President of Product Management, has to say. 

“If you're using a risk-based prioritization system, you're already taking into account a lot of AI and ML methodologies. So that's where the different types of AI can help the most. It's going to help to pull in massive amounts of information, prioritize that and make that risk-adjusted score as efficient as possible. Now, this isn't just CVSS scoring. This is pulling in information from vulnerability testing tools, from discussions on the dark web, from a variety of different sources to be able to both analyze existing information that we've already got and also get into more of a predictive model.   

The other half of this is automation. Saying, okay, we need to stop trying to do everything and start focusing on the things that matter most. And that's what is putting our organization at risk. We know we've gotten regular monthly updates that we're going to have to remediate. We know that there's certain applications like the browsers or communications platforms that we want to remediate more frequently and we know that we've got the need to occasionally do a zero-day response. If we configure that in our systems, what we've done is identified our risk appetite and configured our automation to remediate those things as they come up.” 

[Sting]  

If you enjoyed listening to this report and want even more Ivanti research, you can subscribe to this podcast to get the latest Ivanti research in your feed as soon as it’s released.  

You can read the report and see the rest of Ivanti’s research at ivanti, I-V-A-N-T-I.com/research.  

You can follow Ivanti on social media at GoIvanti, and you can visit us at ivanti.com to learn more about our products and solutions.  

Thanks for listening!