Day 2

We need to talk about…patching

Theme:
Law & Policy
Session complexity:
Time:
14:00 - 14:50

Most organizations have a formal patching policy. This is also a requirement under both DORA and NIS2. Research shows that most patching policies contain deadlines within which the different categories of vulnerabilities must be patched. But only some of these organizations can actually measure whether they comply with their own policy. Paradoxically, it is therefore precisely the more mature organizations that are demonstrably not compliant. Why? The better you measure which vulnerabilities you have not yet patched or mitigated, the more impossible it becomes to actually be compliant with your own policy. Research shows that many organizations report a backlog of sometimes hundreds of thousands of vulnerabilities. The gap between policy and practice is therefore large. This gap can have serious consequences under NIS2 and DORA for directors’ liability if the security community does not become transparent and is not willing to have an open conversation about the actual status quo of patching practices. We will then have to develop patching policies that work from both a cybersecurity and a liability perspective.

Speakers in this session

Prof. Lokke Moerel