This interview with Paula Chesbrough, senior vice president and IT director at Eagle Bank in Everett, Mass., originally appeared in the IT Business Edge weekly report Fortifying Network Security. To see a complete listing of IT Business Edge weekly reports or sign up for this free technology intelligence agent, visit www.itbusinessedge.com.
Question: We hear a lot about the overwhelming task of staying current with patch updates, given the regular tides of malicious code afloat on the Internet. How many Windows servers are in operation at the bank, how many Windows versions are you running, and what has been some of your trial-and-error (or success) as you've come to grips with patch management?
Chesbrough: We have 11 Windows servers currently and will add two or three next year. Initially, we ran a program that can be found at Microsoft's Web site for patches. We did not have a set routine at the time and did it as time allowed, perhaps every other month. We recognized we were behind the curve in doing it this way and often we missed the fact that we needed patches for more than just the operating system—Exchange, IIS, etc. We were attempting to find a more automated and encompassing method when SilverBack offered its patch management program. We tested it and found that it provided a consistent and more automated method to evaluate our patches. Now we review the report weekly, assess the risks of any missing patches, and download as needed. Once a month we download everything and can get a clean slate by running the patch assessment via SilverBack once again.
Question: Describe the strategic objectives and business pressures relative to Eagle Bank that made a new approach to patch management so critical.
Chesbrough: We are a one-person shop with 105 users and seven locations. We use technology as a competitive tool. Therefore, a new approach to patch management is critical.
Question: How hard do you have to fight to get approvals for IT security-related purchases? Does the bank's executive committee require a stringent ROI analysis? How well do they understand that the return is often a cost avoidance?
Chesbrough: As a federally regulated financial institution subject to frequent exams of our internal operations, the bank's executive committee and audit committee recognize the need to ensure that the technology environment we operate within is as secure as it needs to be to prevent unauthorized access to customer and bank information. They also understand that many of the actions taken in IT cannot be cost-justified by measurement against ROI. They do look for risk analysis that points to the potential for compromise and they expect adequate research of vendors for interventions to minimize or eradicate the risks, and thorough cost comparisons of potential vendors.
TechRepublic originally published this article on 30 January 2003.