IT Week: As vice-president of product management at patch management specialist PatchLink, can you explain how firms like yours provide their services?

Chris Andrew: The key thing is to work very closely with customers to work out the right strategies and provide the best practices. A common mistake is that people think providing a patch management service is just like an antivirus service. But it is not something you can just blast from a central server.

How should companies approach the task then?

Patch management is not one product, it is a process that needs to be built into an organisation. We provide all the components necessary but it can only work properly when the right processes are in place.

Sometimes new problems can be caused by applying patches ...

There is no chance of any of our patches bringing down a network, if that is what you mean. After receiving the patch from a vendor, we test it on a variety of platforms and then publish our findings for firms. Each customer is then encouraged to test the patch in their own environment, but in smaller groups at first and then working their way up. As long as our customers follow the proper steps in the right order they will not have any problems.

Does patching older systems present a problem?

We do all flavours of Windows, even the ones Microsoft would probably rather forget about. We still carry patches and test for Windows 95 and NT4, for example, because we get a lot of requests for them from our customers. Other operating systems include IBM AIX, Red Hat Linux and Sun Solaris - basically everything that has had criticality, we have patched.

So how quickly can patches be deployed through such services?

Our staff work around the clock to get all patches out to meet our 72-hour window, which allows us to test them thoroughly. But more typically the deployment takes place faster - within 36 hours. We also deliver across a secure connection. If a worm or denial-of-service attack comes out, it cannot be taken for granted that you will be able to get the patch safely to the affected system otherwise.

How will patching develop?

We're heading to integrated solutions that deal with patches and vulnerabilities, and offer extra features like scanner integration and zero-day threat protection. Spyware is the next big growth area. In addition, one of the greatest challenges this year is likely to be in securing mobile devices. We have already seen trojans for mobile phones. Patching of hardware like routers and switches is also in our plans.

ABOUT CHRIS ANDREW

Chris Andrew joined patch management specialist PatchLink in January 2000 as director of engineering.

Andrew is currently responsible for the development of new technology and products.

Previously he worked at Novell, where he was engineering manager for web and server development on NetWare 5.1.