In my virtual CISO consulting engagements and in my vulnerability and penetration testing work, the process of patch management ALWAYS comes up for discussion. Given the threats, the vulnerabilities, and the risks – everything that’s at stake – I cannot think of any single aspect of a well-functioning information security program that’s more important than patch management. It’s one of the few things in security that you CAN control!
The absolute last thing you want facilitating an incident or breach is a missing software patch that could (and should) have been applied. Here are some articles that I have written about the subject over the years that may help you with your efforts:
https://www.toolbox.com/tech/it-strategy/blogs/maybe-there-is-a-patch-for-stupid-031315/
https://www.principlelogic.com/blog/cool-products/the-industrys-first-patch-management-program/
https://www.toolbox.com/tech/it-strategy/blogs/niche-security-flaws-should-not-be-your-focus-031315/
https://www.principlelogic.com/blog/hacking/what-happens-when-third-party-patches-are-ignored/
https://www.toolbox.com/tech/it-strategy/blogs/securitys-new-mo-underimplemented-053116/
https://www.toolbox.com/tech/tech-security/blogs/defining-the-problem-leads-to-good-security-072919/
https://www.securityinfowatch.com/home/article/10523887/get-with-it
Cheers!