Current approaches to patching unsustainable, report says

Cyber security professionals tasked with vulnerability patch management and roll-out say they are struggling to prioritise critical updates effectively and tend to fall back on treating ‘everything’ as a priority, an approach a new report compiled by Ivanti describes as completely unsustainable.

In its new 2025 Risk-based patch prioritisation report, released this week, Ivanti lamented the lack of industry-standard ratings for vulnerabilities and patches, which leaves users to compare and prioritise updates based on isolated recommendations.

Asked about the factors that influence patch prioritisation – a vulnerability’s impact on critical systems, whether or not it is being actively exploited or has been detected by a vulnerability scanner, its CVSS score or vendor severity score, whether or not it must be patched for compliance reasons such as inclusion in the CISA KEV database, and whether or not management has identified it as a priority – a majority of cyber pros rated every one of these as having either a high or moderate impact on urgency.

“But when everything is a priority, nothing is a priority,” wrote the report’s authors, who said in light of these stats it was no surprise whatsoever that 39% of cyber pros said they struggle to prioritise risk remediation and patch deployment, and 35% said they struggled to maintain compliance.

Chris Goettl, vice president of product management for endpoint security at Ivanti, said that most vulnerabilities he saw being actively targeted in the wild are not, in fact, the ones that security teams are prioritising.

“Which is why we need a risk-based approach to patch prioritisation and remediation,” he said. “Organisations need to manage multiple distinct tracks of remediation: routine monthly maintenance, higher-priority updates for commonly targeted applications like browsers and communication tools, and urgent zero-day responses as an example.

“By properly configuring systems, all continuous updates are assigned to one of these tracks and handled as part of continuous patch management processes versus once a month,” he said.
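As an added illustration (not code from Ivanti or the report), the routing logic below turns the prioritisation factors the article lists and the three remediation tracks Goettl describes into a triage function, and contrasts it with the ‘everything is a priority’ fallback. The category labels, thresholds and sample vulnerability records are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed category labels for "commonly targeted applications" (the article
# names browsers and communication tools); a real inventory defines its own.
COMMONLY_TARGETED = {"browser", "communication"}

@dataclass
class Vuln:
    cve: str               # placeholder ids in SAMPLE below, not real CVEs
    cvss: float
    in_kev: bool           # listed in CISA KEV (compliance deadline applies)
    exploited: bool        # active exploitation seen in threat intelligence
    critical_system: bool  # exposed on a system the business deems critical
    app_category: str
    vendor_severity: str   # "critical", "important", "moderate" or "low"

def assign_track(v: Vuln) -> str:
    """Route one vulnerability to 'urgent', 'high' or 'routine'."""
    # Zero-day track: anything being exploited, or a KEV entry on a critical system.
    if v.exploited or (v.in_kev and v.critical_system):
        return "urgent"
    # Higher-priority track: commonly targeted app surfaces, remaining KEV entries,
    # and score-critical findings on critical systems.
    if v.app_category in COMMONLY_TARGETED or v.in_kev:
        return "high"
    if v.critical_system and (v.cvss >= 9.0 or v.vendor_severity == "critical"):
        return "high"
    return "routine"  # routine monthly maintenance for everything else

def everything_is_priority(v: Vuln) -> bool:
    """The fallback rule the report criticises: any one factor makes it urgent."""
    return (v.cvss >= 7.0 or v.vendor_severity in {"critical", "important"}
            or v.in_kev or v.exploited or v.critical_system)

def triage(vulns):
    """Group CVE ids by track, keeping input order within each track."""
    tracks = {"urgent": [], "high": [], "routine": []}
    for v in vulns:
        tracks[assign_track(v)].append(v.cve)
    return tracks

# Constructed sample inventory with placeholder identifiers.
SAMPLE = [
    Vuln("VULN-0001", 9.8, True, True, True, "server", "critical"),
    Vuln("VULN-0002", 7.5, False, False, False, "browser", "important"),
    Vuln("VULN-0003", 8.1, False, False, True, "server", "important"),
    Vuln("VULN-0004", 9.1, False, False, False, "office", "critical"),
    Vuln("VULN-0005", 5.3, True, False, False, "office", "moderate"),
]
```

On the sample, `triage(SAMPLE)` places one item on the urgent track, two on the higher-priority track and two in routine maintenance, whereas the fallback rule flags all five as urgent.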

Data gaps and siloed teams

Security professionals also said they lacked sufficient data to make informed decisions about what to patch, with the most frequent gaps arising in areas such as shadow IT, missing context about which vulnerabilities are exposing their systems, and blind spots linked to patch configuration, compliance status, or meeting patch service level agreements.

“If we think about organisations that really want to elevate their remediation efforts, there’s some important contextual data they’ll need to have to do so,” said Daren Goeson, senior vice president of product management for Ivanti’s secure unified endpoint management (UEM) lines.

“Number one is visibility of their attack surface, second is the context of vulnerabilities within the organisation’s attack surface, third is threat intelligence to determine how risk is evolving, and fourth is a compliance view that focuses on the real risk within the organisation.”

Organisations also found existing silos between cyber security and IT teams were creating problems, with cyber teams prone to blaming IT teams for lacking a sense of urgency and failing to understand the organisation’s risk appetite. Ivanti said there was often a push-pull dynamic in play where security teams say they need to respond rapidly but IT teams say they need stability, the two being at odds with one another.

Additionally, the report said, the ‘everything is urgent’ mentality causes more problems by pressuring IT teams to push updates without properly testing them, while the interplay between silos and misaligned priorities leads to miscommunication and unclear ownership of patch duties, introducing yet more risk.

Does AI hold the key?

Ivanti suggested that advances in artificial intelligence (AI) and automation could hold the key to helping overcome the problems outlined in the report, although it also noted that organisations said they saw multiple barriers – including cost and skills – preventing them from taking advantage of these capabilities.

The report highlighted two ways in which AI solutions could offer organisations a way to improve their patch management strategy – through fast analysis of vulnerabilities based on factors like threat and risk context, and by automating patch testing and deployment workflows.

“If you’re using a risk-based prioritisation system, AI can pull in massive amounts of information from a variety of different sources and tools, analyse that information and use predictive models to make risk-based scoring as efficient as possible,” said Goettl.

“After you identify your risk appetite, the next step is configuring automation to continuously monitor and remediate any needed updates in alignment with your risk prioritisation,” he concluded.
