Both in Security as in the “business as usual” operations, patch management is a financial draught. OpEx in IT has many hidden slings and arrows, and patch-management (and its bigger sibling, release-management) is one of them. Any time (and this is often, nowadays!) a vulnerability is detected in any of the distributed pieces of software, it is recommended to roll out the patches as quick as possible.
In a private environment, following the simple instructions is a piece of cake: automatic detection of patches while connected to the internet will trigger an unobserved or accepted download followed by a few clicks to install and relaunch). Not so in regulated, secured or simply sizeable environments, in which a controlled patch-management may cause many difficulties in the organization, due to interdependencies of security, network and other issues. If, for example, a hospital or a military organization gets loads of blue-screens due to any incompatibility in the above mentioned areas, employees will suffer, valuable time is lost, responsiveness is removed and overall opportunity costs sky-rocket. These damages are hardly calculated, but very well felt by the organization and the budget which is drained by unallocated costs.
Taking input from here, we may follow the calculation as this:
“The cost of any administrative process to a business consists of the following components:
- The human resource cost (unit time cost of employees committed to the process multiplied by their number) – H
- The frequency of the process (how often it is executed) – f
- The time required to execute the process (how long does it take to fully complete all tasks associated with the process, including dealing with failures and retries) – T
- The scope of the process (how many people/applications/systems are impacted by the process) – S
- The lost opportunity cost (a reflection of the value generated if the resources consumed and impacted by this administrative process was reallocated to a service) – O
Reducing any of these components will result in a reduction of the total cost of the process and our simplistic model can be expressed mathematically as:
Total Cost = (f x H x T x S) + O
Our model is far from precise however it is a suitable starting place for identifying and quantifying ways of reducing the costs of administrative processes. For example let’s look at how CTI impacts the cost of vulnerability and patch management, as we have noted it can reduce the frequency, time and scope of the process (we’ll tackle lost opportunity later), however it could potentially increase the human resource costs, at least in the short term, as we’ll need to hire and assemble a CTI team. Overall we can clearly see the benefits CTI based on this simple analysis alone.”
Opportunity cost may push the level even higher, and it may be different in varying sectors and organizations:
“At a minimum we could consider the lost opportunity cost as the amount that would have been gained by the business from putting the capital allocated to the administrative process into a savings account. Under free market conditions this would normally result in a gain in line with rate of interest but for the sake of argument lets call it 5%. So we can say the absolute minimum cost of an administrative process will be:
Total Cost = (f x H x T x S) * 1.05
However this is, in my opinion, a highly conservative estimate of the lost opportunity cost.”
Roth & Partners disposes of a tool, generated by a partner with many years of experience in the area and will be able to apply its valuable details to your organization on demand. There are also excellent tools to underpin a “managed program office” (as opposed to the classical PMO-approach that does not use the military mission planning R&P applies).
Some benefits regarding the patch- and release management are summarized in the following figure: