Solid systems can crumble. Modern enterprise IT stacks, straddling cloud and on-premises deployments, are built from many layers, and any of them can be made to expose its inherent fragility and susceptibility to failure. When it comes to cybersecurity, too many organizations are gambling by relying solely on vendor patches as their primary defense. According to Cyber Security Intelligence, cyberattacks increased by 20% in 2023, with more than one billion attempts recorded.
For Tomás O’Leary, CEO and founder at Origina, this patch-dependent approach is like driving a car with brake pads you know are worn: you keep driving at full speed and hope nothing forces you to make an emergency stop.
Origina is a global independent software maintenance vendor for IBM, HCL and VMware with a dedicated team of 600+ independent product experts working proactively to protect, extend and enhance all versions of IBM, HCL and VMware perpetually licensed software, providing a cost-intelligent alternative to traditional software vendor support.
An uncomfortable truth
“The uncomfortable truth is that the traditional ‘wait for a patch’ mentality is fundamentally flawed. Not only do organizations remain vulnerable during the often lengthy period it takes vendors to create patches, but in many cases, patches might never materialize at all. This statement is particularly true for end-of-support software, where vendors typically stop providing security fixes altogether,” said O’Leary.
He reminds us that the risks of patch dependency are stark.
According to Statista, the average cost per data breach reached $4.88 million in 2024, up from $4.45 million the previous year. These escalating costs reflect a troubling reality: traditional patch-based security approaches are failing to keep pace with modern threats. When critical vulnerabilities are discovered, every day spent waiting for a patch represents another day of exposure to potential attacks.
O’Leary says that the solution isn’t to abandon patches entirely, but rather to implement a layered, proactive approach to security – and several practical strategies have proven effective.
Practical strategies
“For instance, the most underutilized yet effective security measure is software product hardening, which involves configuring and optimizing your software to minimize potential attack surfaces,” said O’Leary. “Analysis from Origina’s security team shows that proper hardening can prevent up to 85% of known vulnerabilities from being exploited, without requiring source code modifications. We’ve seen organizations reduce their attack surface by 60% through basic hardening techniques like removing unnecessary services, implementing strict access controls, and configuring secure defaults. These measures can be implemented immediately, without waiting for vendor intervention.”
He notes that virtual patching proves especially valuable when critical vulnerabilities emerge in customized systems.
For example (drawing from experience working with Origina customers), when a global telecom company discovered that their systems were exposed to a critical vulnerability with 100% exposure risk, they couldn’t wait for traditional patches, which might have disrupted their customized configurations. Instead, they applied virtual patching as an immediate protective measure, maintaining both security and system stability while avoiding the risks of rushing emergency patches into production.
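As an added illustration of what virtual patching means in practice (example code written for this page, not Origina’s tooling or any customer’s system): a filter placed in front of an application that cannot yet be patched or restarted, rejecting requests that would reach the vulnerable code path while everything else flows through untouched. The `/report` endpoint, its in-memory “filesystem” and its path-traversal weakness are hypothetical constructions for the example. The filter applies two kinds of rule, a signature-style block on `..` path segments and a per-endpoint allowlist of acceptable parameter values, and it percent-decodes input repeatedly so that encoded variants of the same exploit do not slip past it.

```python
"""Virtual patching as a compensating control: a request filter in front of
an application whose own code cannot be changed yet.

Everything here is constructed for illustration. The in-memory filesystem,
the hypothetical /report endpoint and its traversal bug are not taken from
any real product.
"""
import posixpath
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote

Response = Tuple[int, str]


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)


# Constructed in-memory filesystem standing in for the server's disk.
FILES = {
    "reports/q1": "Q1 figures",
    "reports/q2": "Q2 figures",
    "etc/secret": "db_password=hunter2",   # must never be served
}


def unpatched_report_handler(req: Request) -> Response:
    """Hypothetical endpoint with a path-traversal bug: 'name' is joined onto
    the reports directory without validation, so '../etc/secret' escapes it."""
    name = req.params.get("name", "")
    target = posixpath.normpath(posixpath.join("reports", name))
    body = FILES.get(target)
    return (200, body) if body is not None else (404, "no such report")


def unpatched_app(req: Request) -> Response:
    """Minimal router; like most frameworks it percent-decodes parameters once."""
    decoded = Request(req.method, req.path,
                      {k: unquote(v) for k, v in req.params.items()})
    routes: Dict[str, Callable[[Request], Response]] = {
        "/report": unpatched_report_handler,
    }
    handler = routes.get(decoded.path)
    return handler(decoded) if handler else (404, "not found")


def normalise(value: str) -> str:
    """Undo percent-encoding until stable (catches %2e%2e and double encoding)
    and fold backslashes, so rules cannot be dodged by encoding tricks."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
SAFE_REPORT_NAME = re.compile(r"[a-z0-9_-]{1,32}")


def has_traversal(req: Request) -> bool:
    """Signature-style rule: any parameter containing a '..' path segment."""
    return any(TRAVERSAL.search(normalise(v)) for v in req.params.values())


def report_name_not_allowlisted(req: Request) -> bool:
    """Positive-security rule for this endpoint: only simple report names."""
    name = normalise(req.params.get("name", ""))
    return SAFE_REPORT_NAME.fullmatch(name) is None


@dataclass
class VirtualPatch:
    name: str
    path: "re.Pattern[str]"                 # which endpoints the rule covers
    should_block: Callable[[Request], bool]


class VirtualPatcher:
    """Wraps the unpatched app. A matching rule short-circuits with 403 and is
    recorded, so blocked attempts can be fed to detection and incident response."""

    def __init__(self, app: Callable[[Request], Response], patches: List[VirtualPatch]):
        self.app = app
        self.patches = patches
        self.blocked: List[Tuple[str, str, Dict[str, str]]] = []

    def __call__(self, req: Request) -> Response:
        for patch in self.patches:
            if patch.path.match(req.path) and patch.should_block(req):
                self.blocked.append((patch.name, req.path, dict(req.params)))
                return 403, f"blocked by virtual patch {patch.name}"
        return self.app(req)


PATCHES = [
    VirtualPatch("VP-traversal", re.compile(r"^/"), has_traversal),
    VirtualPatch("VP-report-allowlist", re.compile(r"^/report$"), report_name_not_allowlisted),
]
protected_app = VirtualPatcher(unpatched_app, PATCHES)


if __name__ == "__main__":
    probe = Request("GET", "/report", {"name": "%2e%2e/etc/secret"})
    print("unpatched:", unpatched_app(probe))   # leaks the secret
    print("protected:", protected_app(probe))   # 403, attempt recorded
    print("blocked:", protected_app.blocked)
```

Two points a practitioner should keep in mind. First, the virtual patch narrows exposure but does not remove the defect: the allowlist rule is the more robust of the two, because a signature for a known exploit string can be bypassed by a variant the author did not anticipate, whereas a positive rule only admits input the endpoint was designed for. Second, the recorded block list is evidence, not noise; it tells you who is probing the unpatched system and should flow into monitoring while the real fix is still on the roadmap.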
“Waiting for official vendor notifications isn’t enough in today’s threat landscape. Organizations need access to real-time threat intelligence and vulnerability advisories from multiple sources. Building out this capability includes monitoring dark web activities and emerging threat patterns,” confirmed O’Leary. “By combining machine-driven intelligence with human analysis, organizations can identify and mitigate potential threats before they are exploited.”
O’Leary further reminds us that the UK’s National Cyber Security Centre warns that AI is lowering the barrier for cybercriminals to carry out effective attacks, with threat actors already using AI-powered language models to write malicious code. This enhanced access will likely contribute to the global ransomware threat over the next two years. Meanwhile, Cybersecurity Ventures predicts that cybercrime will cost the world $9.5 trillion in 2024, equivalent to the world’s third-largest economy after the U.S. and China.
Building a comprehensive security strategy
“A comprehensive security strategy must be contextual, understanding your specific environment and business needs. It should be risk-based, prioritizing actions according to threat likelihood and potential impact. Most importantly, it must embrace a defense-in-depth approach, which implements multiple layers of security controls that work together to protect your assets,” explained O’Leary. “The modern threat landscape demands a fundamentally different approach to security. When threat actors are using AI to accelerate and amplify their attacks, organizations can’t afford to move at the speed of vendor patch cycles. Robust, multilayered defense must become the new standard, including encryption, security hardening, and virtual patching.”
It appears, then, that the stakes couldn’t be higher.
From the Origina team’s perspective, every day spent waiting for a patch is a day your organization remains exposed. The cost of inaction or inadequate protection continues to climb. The traditional reactive security model, built around patch dependency, is increasingly putting organizations at risk.
“A modern security posture demands a proactive, multilayered approach that combines threat intelligence, system hardening, and virtual protection. The tools and expertise exist to defend against today’s sophisticated threats – but they require a fundamental shift from reactive patch dependency to proactive security resilience,” concluded Origina’s O’Leary. “Ultimately, your organization’s security shouldn’t depend on a vendor’s patching schedule; it should be built on a foundation of continuous, comprehensive protection.”
Ultimately, perhaps somewhere towards the end of this decade, when we reach the point where we can say “hey, remember reactive patch dependency?” as if it were some kind of archaic malpractice, we will know that we have moved on. At least, thanks to Origina and others, we’re saying it out loud now, so that we can start to do something about it.