
Ian Kilpatrick, chairman Wick Hill Group, says the need to apply security patches means many companies are actually choosing negative ROI - the longer they have the software, the more it costs. Is this corporate stupidity?

June 03: 1241 words

ROI (return on investment) is a key concept in IT spending today. The board is much more likely to spend money on IT if ROI can be demonstrated in a reasonable period of time. It's a very sensible, sound business idea. Yet many companies are actually practising what could be called negative ROI - they choose IT products which cost them more money the longer they have them. In the current business environment, this could be described as corporate stupidity.

I'm talking about the vexed question of security patches. Using software which requires frequent patching because of security problems means you're pouring money down the drain. It creates a situation in business akin to anarchy. What's more, it's a situation which is totally unnecessary, because there are solutions to the problem.

When a security patch alert is issued you have two options. You can stop whatever it is that you are doing, no matter how important or crucial, and spend the day (or the next several days) applying patches to servers. Or you can decide that what you had intended to do, before you knew about the patch, is vital and cannot be postponed. You then hope nothing will happen.

Other factors come into play as well. Installing patches is boringly repetitive and an uninspiring chore, which usually requires expensive, skilled technical staff (probably in short supply) to carry it out. Servers often have to be brought down, so the natural tendency is to postpone patching. The thinking may be to wait until the next patch is required and install both of them together. When you postpone patching, as many people do, you are accepting insecurity as a way of life.

This is a situation that hackers want and expect. They know people delay patching, so when a security problem is announced, they target it - knowing it's unlikely to be fixed immediately. A clear example of this situation happened with the SQL Slammer worm, which affected an estimated 35% of the world's SQL servers by exploiting a security risk in SQL Server 2000. A fix for this problem was actually issued in July 2002!

On the other hand, if you do take the route of applying patches immediately, where does that leave the IT department? When skilled staff are engaged in firefighting, commitments given to deliver in other areas go out of the window, leaving the IT department's reputation in tatters.

Instead of being driven by business need, the IT department (and by consequence the company) is driven by problems with software they may have bought years earlier, and by the actions of hackers.

As for strategic planning and management - they don't even get a look in. It's no longer a question of 'What can the business deliver today?' It's a question of 'If we don't install these patches and something happens, we could be in serious trouble and someone might lose their job.'

The financial implications of patching are considerable. Skilled IT staff are scarce and valuable, so employing them to firefight is a waste of money. In larger companies, the task of applying patches to multiple servers could keep someone occupied full time (if anyone wanted the job!). Then there are the costs of being unable to follow through on business plans because of delays from the IT department; and of having systems out of action while servers are being fixed.

There are solutions to the problem of security patching. Firstly, choose software such as the Zeus Web Server which is more secure and has minimal need for patches. And also be aware that there are often significant ongoing costs associated with so-called 'free' software. Free can mean cheap to begin with, but much more expensive in the long run.

Figures recently released by Zeus Technology (1) illustrate the problem. They show a huge difference in the annual cost of applying security patches to the three leading web servers - Microsoft IIS, Apache and Zeus.

Zeus estimates that in 2002, it cost Microsoft IIS users around GBP30,000 annually to apply security patches to 10 servers, it cost Apache users around GBP7,000 and Zeus users around GBP120. For larger organisations with 100 servers, it cost IIS users around GBP312,000, Apache users around GBP60,000 and Zeus users around GBP1200.

Although Zeus is the only web server of the three which is specifically paid for (Apache is free and Microsoft IIS comes with the NT operating system), the low maintenance costs shown by these figures mean Zeus achieves payback within months. It is then very significantly cheaper to maintain than the other two leading web servers.

John Paterson, CEO of Zeus, commented: "People are becoming increasingly aware of web security. What they are less familiar with is the true cost of actually maintaining that security. Unfortunately, many organisations are faced with a choice of taking their servers down for a day and applying security patches, or running risks with them as they are. That's a choice companies shouldn't have to make."

Another solution is to use security appliances where possible. These utilise hardened operating systems and eliminate many of the shortcomings of server-based security. Appliances have become increasingly popular over the last couple of years, and their success can be seen, in part, as a direct response to the issues of negative ROI through server patching.

People have come to recognise the benefits of not having to patch with appliances. They've also appreciated other benefits such as the plug-and-play design, the low cost, easier installation and easier management.

Appliances are available today for firewalls, anti-virus, VPNs, anti-DDoS, content management and other security functions. WatchGuard's Firebox Vclass, for example, is an ASIC-based (Application Specific Integrated Circuit), high performance firewall and VPN appliance; Allot's NetPure device provides policy-based web/URL filtering; and the RapidStream/Check Point appliance family provides extremely fast, ASIC firewall and VPN solutions.

Increasingly multi-function appliances are available which offer a variety of security options in one device. Fortinet, for example, produces FortiGate, an ASIC-based anti-virus firewall which also includes a VPN, content inspection and intrusion detection. Because it's ASIC-based, it has the added advantage of being extremely fast.

Appliances are finding their way into companies and organisations from SOHO to enterprise. They are ideal for SMEs where less skilled staff and less funds are available and the choices would be to remain insecure or employ someone they can't afford on a totally unpredictable basis. Appliances can also be very useful for wireless security in small companies.

Security devices are increasingly penetrating larger companies too, where they are appreciated for their ease of deployment, ease of management and the fact that they are server independent. Speedy ROI is another advantage of security appliances for larger companies, as is their usefulness in branch offices.

This trend is confirmed by a recent IDC survey (2), which indicated that hardware appliances are becoming the primary avenue by which customers purchase security. Sales of integrated security appliances have risen recently as organisations have recognised the ease of their deployment, even at remote sites where technical skills can be scarce.


Given the availability of options, as well as the increasing costs and risks involved with security patch deployment, it's hard to understand why some people will continue to waste time, effort and money on patching. Increasingly, the great majority will switch to secure web servers or security appliances. This will give them not only increased security, but also what everyone is looking for - positive ROI.


If you use or quote from this feature, please give credit to the author, with contact details where possible. Please also send a copy (preferably two), if possible, to Annabelle Brown, 31 Kew Gardens, Whitley Bay, Tyne & Wear, NE26 3LY.

Ian Kilpatrick is chairman of Wick Hill Group, a company specialising in secure infrastructure solutions for ebusiness. Contact 01483 227 600. For further press information please contact Annabelle Brown on 0192 252 8548.

1. Zeus used figures from SecurityFocus on the number of serious web server security vulnerabilities in 2002 as a basis for its research. Zeus then conducted further research of its own to extrapolate the figures and reach an annual cost for patching known security vulnerabilities. For full figures contact Annabelle Brown, or follow the link marked 'The other cost of Internet security'.

2. Security Appliance Market Forecast and Analysis 2002-2006: Hardware continues to be the choice for security application deployment. IDC # 28319

This press release was distributed by ResponseSource Press Release Wire on behalf of Annabelle Brown in the following categories: Consumer Technology, Personal Finance, Business & Finance, Computing & Telecoms.