To patch or not to patch? And what is patching anyway?

Estimate Hourly Rate to Patch System

You want to enter in a fully burdened labor rate for this field. What that means is that you want to take the base hourly rate, plus 25-30% for employer payroll taxes, benefits, vacation/holiday time, etc.

For example, someone making $80,000 per year will typically work 52 weeks of 40 hours, or 2080 hours. $80,000 divided by 2080 is $38.46/hour. Multiply that hourly rate by 1.3, and you get $50.00/hour.

Estimate Hours to Patch System

Estimating an average time for patching systems can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. To do this job correctly, you must consider all versions of operating systems and have a complete inventory of all your application software. In our experience, manually patching systems takes, on average, about 1.5 hours for each device.

There are many variables to consider. Some are:

How long does it take you to download patches for each system/site?
Are you able to patch multiple systems in parallel?
How many software applications are you patching?
How many reboots are involved, etc.?
What kind of reporting must be completed to satisfy auditors and regulators? And how will you collect and document that information to prove compliance?

What Is Smoke Testing Servers

Smoke testing is a type of software testing performed by Alvaka after a software patching sequence to ensure that the system is working correctly and to identify any misconfigurations or conflicts within the patched system.

The process typically involves ensuring that servers are rebooted in the correct sequence, verifying that each server has fully completed its reboot, and then relaunching applications in the proper order. Once these steps are completed, systems are tested to confirm everything is functioning correctly before users return to work in the morning. Depending on the environment, this process generally takes about 30 minutes per server. PCs are not usually included in smoke testing, or if they are, only a limited number are tested.

Speaker Bio – Scott T. Nichols

Mr. Nichols has over 25 years of experience in the Information Security and Healthcare Technology industries. Mr. Nichols leads the Global Product Security program at Danaher Corporation, representing over 30 companies, including 4 medical device manufactures and 8 life sciences companies. Focusing on security by design for Danaher’s medical devices, diagnostics, life sciences, water quality, environmental and applied solutions product portfolios. Mr. Nichols is the chairman for the Danaher Global Product Security Council and serves on the steering committee for the Medical Device Innovation Consortium (MDIC). He is a certified healthcare information security and privacy practitioner (HCISPP) and a certified HIPAA privacy security expert (CHPSE).

Speaker Bio – Hamlet Khodaverdian

Hamlet Khodaverdian is Vice President of Americas at LMNTRIX, a company specializing in threat detection and response to address advanced and unknown cyber threats that bypass perimeter controls. As a business technology executive with more than 20 years’ experience, he has held various roles in multiple companies, leading sales teams, software engineering teams, IT infrastructure teams, business intelligence and data science teams. Previously, he has been at Canon R&D, Western Mutual Insurance Group, Alliance Funding Group, Quick Bridge Funding, and has been involved in a number of startups.

Through his various leadership roles, Hamlet has gained extensive experience in building high- performance teams, in addition to extensive experience with enterprise risk management, security architecture (both infrastructure related and software engineering related), governance and compliance.

Speaker Bio – Len Tateyama

Len Tateyama is the Director of IT at NetSecure, by Alvaka Networks, leading the company’s Network Operations Center and Field Services teams. Len is responsible for the developing and maintaining technical infrastructure and the delivery of managed and consulting services to clients. With twenty years of experience leading information technology, he has held various executive positions in the highly regulated environments of financial management and banking sectors.

Areas of expertise include managing operational support teams; data center build-outs; selection and management of managed services providers; service delivery models; network and security systems design; storage area networks; disaster recovery/business continuity; application development and maintenance; large scale project management; vendor and contract management; risk assessment; and budgeting.

Speaker Bio – Brian Keith

Brian Keith serves as a Protective Security Advisor (PSA) for the Los Angeles District. As a PSA, he coordinates, facilitates, and performs vulnerability assessments for local critical infrastructure owners and operators, and serves as a physical and technical security advisor to federal, state, and local law enforcement agencies. In addition to conducting vulnerability assessments, Brian supports homeland security efforts by serving in an advisory and liaison capacity for the State Homeland Security Advisor. Prior to serving as a PSA, Brian was appointed as Deputy Director for Critical Infrastructure Protection (CIP) to Governor Arnold Schwarzenegger’s Office of Homeland Security (OHS). Throughout the past 20 years, he has conducted several law enforcement technology presentations at the Federal Bureau of Investigation’s (FBI) National Academy in Quantico, Virginia, and the New York State Police Union Association.

Speaker Bio – Sheriff Don Barnes

Sheriff Don Barnes has over thirty years of law enforcement service to the people of Orange County, joining the Orange County Sheriff’s Department in 1989. Over the course of his career with the department, he has held every leadership rank, culminating with his election as the 13th Sheriff-Coroner for Orange County in November 2018.

The Sheriff has worked to be an advocate for law enforcement and public safety both at the state and federal level. He currently serves as an executive officer with the California State Sheriffs’ Association (CSSA) and serves as the chair of CSSA’s Technology Committee. At the national level, he serves as chair of the Major County Sheriffs of America’s (MCSA) Intelligence Commander Group. In that capacity the Sheriff is working to ensure open communication amongst local, state and federal law enforcement regarding critical threats facing our nation. This work is also accomplished through his service as MCSA’s representative to the Department of Justice’s Criminal Intelligence Coordinating Council (CICC).

Speaker Bio – Frank Ury

Frank Ury is an Orange County leader in both governance and technology operations, sales and business development with a background in setting infrastructure, and IT operations strategies and roadmaps. Frank’s technology career includes senior technology positions in many major companies, including DXC Technology, HP Enterprise Services, Intel Corporation and Black and Decker. Having served for 12 years as a Councilmember and Mayor of the City of Mission Viejo, Frank was influential in assisting the District with the development and financing of the Lake Mission Viejo Advanced Water Treatment Plant. Frank currently serves on the Big Data-Open Data Committee for the Southern California Association of Governments, and on several regional cybersecurity advisory boards.

Speaker Bio – Pierson Clair

Pierson Clair is a managing director in Kroll’s Cyber Risk practice, based in Los Angeles. Pierson brings an uncommon perspective to cyber risk challenges from his years as a leading digital forensic examiner, technical security consultant, researcher, and educator. He has conducted extensive academic research at the forefront of cyber risk, most currently on changes of investigative significance in Mac and mobile device hardware and software. Prior to this emphasis, he focused on the dynamics within the complex framework of protecting critical national infrastructure as well as intelligence, espionage, and terrorism. In addition to working on analytical projects with members of the Intelligence Community and the U.S. Department of Homeland Security, Pierson has provided sophisticated digital forensic services for a wide range of private sector clients and law enforcement agencies.

Speaker Bio – Lance Larson

Investigator Lance Larson. Ph. D., – Lance Larson is a Cyber Investigator for the Orange County Intelligence Assessment Center (OCIAC), a Department of Homeland Security-funded fusion center. Lance has been a police officer with a law enforcement agency for nineteen years. During his tenure with the department, he has served multiple assignments including a role as the technical leader for the first online crimes against children sting in California, patrol, special investigations, and his current role helping to protect the cyber security infrastructure within Orange County at OCIAC. Dr. Larson holds a Ph.D. in Applied Management and Decision Sciences – Information Systems management, is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (CEH), GIAC Certified Cybersecurity Incident Handler (GCIH) has authored two books, and teaches both undergraduate and graduate information systems and homeland security courses for the California State University System in San Diego.

Speaker Bio – Kevin McDonald

Kevin is a trusted technology and security practitioner and public policy advisor to some of America’s most influential people and organizations. He advises corporate executives, federal and state legislators, law enforcement, high net worth individuals and other business leaders. He is a sought after consultant, writer, presenter and trainer on the issues surrounding personal, physical and cyber security, compliance and advanced technology. Kevin has written for and been interviewed by dozens of national publications and on major television, radio and digital outlets.

Speaker Bio – Mark Essayian

Mark Essayian is President of KME Systems Inc., an IT support company he founded in 1993 that provides technology products, process, security and business continuity consulting to a wide range of clients. KME Systems helps clients improve profitability via the way they communicate with and assist their respective clients.

Mr. Essayian’ s background has involved technology for over 30 years. He attended the University of California Irvine where he earned a degree in Physics with an emphasis in computer science and engineering. Mark is expert and passionate about assisting clients along their IT journey to protect their assets, culture and people.
Mark has presented for the Wall Street Journal, SCORE, Microsoft partner network, technology manufacturers, IT peer groups and numerous executive meetings. Mark also currently serves on advisory boards for several manufacturers and is a source of information to the IT industry.

Speaker Bio – David McNeil

David McNeil is the principal for a leading risk management and commercial insurance brokerage, EPIC Insurance Brokers and Consultants. David speaks on cyber issues for business. He is a recruited member of the Orange County Sheriff’s Technology Advisory Council (TAC); Anaheim Police Department Special Operations TAC; FBI InfraGard (SIG’s Cyber, Dams, Water and Wastewater); and the Homeland Security Defense Group. Specialties include the fields of High Tech, Manufacturing, and U.S. Infrastructure protection regarding the water industry.

About The Cost Calculator

This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.

If you are presenting to management for a budget, and using this calculator as the basis for a Return on Investment (ROI), you will need to do more homework. An ROI measures as a ratio of the cost of investment against its expected benefit. For patching, calculating benefit can be very difficult to determine. How do you measure the cost of a system breach you have not yet had? You can estimate what expenses, penalties, and losses a company might incur when a breach occurs; but there is no certainty of a breach event and what those costs actually are. There are also regulatory compliance issues and/or potential fines for not patching, but those, too, can be vague. For calculating these potential risks and costs, it is advisable to enter into a discussion with your management team.

How To Estimate The Hourly Rate

You want to enter in a fully burdened labor rate for this field. What that means is that you want to take the base hourly rate, plus 25-30% for employer payroll taxes, benefits, vacation/holiday time, etc.

For example, someone making $80,000 per year will typically work 52 weeks of 40 hours, or 2080 hours. $80,000 divided by 2080 is $38.46/hour. Multiply that hourly rate by 1.3, and you get $50.00/hour. Of course, rates of pay, taxes and benefits will vary from city, state and company; but 30% is usually a good number to use. Don’t forget to account for time-and-a-half or after-hours rates of pay if patching is being done in the late evening, early morning, or weekends (in order to avoid impacting user productivity).

Smoke Testing Servers

Smoke testing is a term used to describe the testing process for servers after patches are applied.

The process typically involves making sure servers are rebooted in the right order, making sure they have completely rebooted, restarting applications in the right order, and then testing to be certain everything is working properly when users return to work in the morning.

This typically takes 30 minutes per server, depending upon your environment.

PCs are not typically smoke tested, or if so, not all of them.

How To Estimate Hours

Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.

There are many variables to consider. Some are:

How long does it take you to download patches for each system/site?
Are you able to patch multiple systems in parallel?
How many software applications are you patching?
How many reboots are involved, etc.?
What kind of reporting must be completed to satisfy auditors and regulators? And how will you collect and document that information to prove compliance?

CEO Message

Alvaka's Philosophy

Alvaka Facilities

Management Solutions

Services Overview

Ransomware Prevention

Ransomware Recovery

Infrastructure Monitoring

DFARS Compliance

NIST 800-171

Vulnerability Management as a Service

"Net" Solutions

AlvakaNet

NetPlan

NetSecure

Network Management Consulting

"Worx" Solutions

Software Patching

Backup & Disaster Restore

Advanced Email Security

Advanced Email Filtering

Staff Augmentation

To patch or not to patch? And what is patching anyway?

Kevin McDonald, COO & CISO – Alvaka Networks

You want to enter in a fully burdened labor rate for this field. What that means is that you want to take the base hourly rate, plus 25-30% for employer payroll taxes, benefits, vacation/holiday time, etc.

For example, someone making $80,000 per year will typically work 52 weeks of 40 hours, or 2080 hours. $80,000 divided by 2080 is $38.46/hour. Multiply that hourly rate by 1.3, and you get $50.00/hour.

There are many variables to consider. Some are:

How long does it take you to download patches for each system/site?

Are you able to patch multiple systems in parallel?

How many software applications are you patching?

How many reboots are involved, etc.?

What kind of reporting must be completed to satisfy auditors and regulators? And how will you collect and document that information to prove compliance?

Smoke testing is a type of software testing performed by Alvaka after a software patching sequence to ensure that the system is working correctly and to identify any misconfigurations or conflicts within the patched system.

Smoke testing is a term used to describe the testing process for servers after patches are applied.

CEO Message

Alvaka's Philosophy

Alvaka Facilities

Management Solutions

Services Overview

Ransomware Prevention

Ransomware Recovery

Infrastructure Monitoring

DFARS Compliance

NIST 800-171

Vulnerability Management as a Service

"Net" Solutions

AlvakaNet

NetPlan

NetSecure

Network Management Consulting

"Worx" Solutions

Software Patching

Backup & Disaster Restore

Advanced Email Security

Advanced Email Filtering

Staff Augmentation

To patch or not to patch? And what is patching anyway?

Kevin McDonald, COO & CISO – Alvaka Networks

Share This Story, Choose Your Platform!

Smoke testing is a term used to describe the testing process for servers after patches are applied.