Software Patching: Board Level Importance

If a finance director presented accounts without evidence, no board would sign them off. If a supply chain manager said, “Trust me, the contracts are in place,” without documentation, they would be shown the door. Yet when it comes to cybersecurity, many boards still accept a shrug. Patching is “being done,” apparently. No evidence. No oversight. No assurance.

This is not a technical quibble. It is a governance failure.

The data could not be clearer. The 2025 Verizon Data Breach Investigations Report found exploitation of vulnerabilities to be the initial access vector in roughly one in five breaches, a sharp rise on the previous year. Academic research published this year in The Hidden Dangers of Outdated Software found that nearly one in three attacks targeted systems that were simply not patched in time. In most of these cases the attackers needed no zero-day and no state-sponsored tooling. The vulnerabilities were already catalogued, already fixable, already preventable.

The MOVEit Transfer breach in 2023 illustrates the supply-chain side of the point. The attackers began with a zero-day, but the vendor shipped a fix within days, and from that moment every organisation that ran the product, or whose suppliers did, needed to know it, find every instance and apply the update. A single widely used platform cascaded across supply chains, exposing the personal data of more than 90 million individuals. Some of the organisations affected never ran MOVEit themselves; they were collateral damage, victims of a partner's exposure. For some, the financial and reputational hit was survivable. For others, it was existential.

This is why patching cannot remain an IT department housekeeping task. It must be treated as an essential management function with board-level oversight. When a third of all attacks stem from unpatched systems, and when supply-chain failures can put entire operations at risk, patch management belongs on the same governance plane as financial controls and legal compliance. It is a duty of directors, not a discretionary activity for technicians.

That means reframing the conversation. Boards should not be asking, “Is patching being done?” but “Can you show me the evidence that it is being done, prioritised by business risk, and independently verified?” Just as you would expect signed accounts or audit trails, you should expect clear, comprehensible reporting on cyber security.

At Cerberus Networks, we deploy modern platforms such as Microsoft Intune and our in-house NetWATCH platform to automate these tasks, but the technology is secondary. The primary value is in the process: continuous discovery of every system, risk-based prioritisation of which vulnerabilities matter most, and transparent reporting that makes patching activity, and its independent verification, visible to leadership. That visibility turns a technical function into a governance control.
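What that reporting looks like in practice is easier to see than to describe. The script below is an added example, not Cerberus Networks' NetWATCH code or any vendor's product: it takes a constructed asset inventory and a constructed set of scanner findings (the vulnerability identifiers are placeholders, not real CVEs), assigns each finding a priority band from exploitability and asset criticality, applies an assumed remediation SLA per band, and produces the figures a board would ask for. Two design choices carry the governance point: a finding only counts as remediated when an independent rescan has verified it, not when the ticket was closed, and hosts that discovery has not seen recently are reported as a coverage gap rather than silently treated as patched.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation deadlines in days per priority band. These are an assumed
# policy for the example, not a published standard.
SLA_DAYS = {"P1": 7, "P2": 14, "P3": 30, "P4": 90}


@dataclass
class Asset:
    host: str
    tier: int          # 1 = business-critical, 2 = important, 3 = low impact
    owner: str         # accountable team, so every overdue item has a name on it
    last_seen: date    # when discovery last confirmed the host exists


@dataclass
class Finding:
    host: str
    vuln_id: str                          # placeholder identifiers below, not real CVEs
    cvss: float
    in_kev: bool                          # on a known-exploited list (e.g. CISA KEV)
    fix_available: date                   # when the vendor patch was released
    ticket_closed: Optional[date] = None  # IT says it is done
    verified: Optional[date] = None       # a rescan confirmed it is done


def priority(f: Finding, a: Asset) -> str:
    """Risk-based band: known exploitation and critical assets come first."""
    if f.in_kev or (f.cvss >= 9.0 and a.tier == 1):
        return "P1"
    if f.cvss >= 9.0 or (f.cvss >= 7.0 and a.tier == 1):
        return "P2"
    if f.cvss >= 7.0:
        return "P3"
    return "P4"


def build_report(assets, findings, as_of: date, stale_days: int = 7) -> dict:
    """Turn raw inventory and scan data into evidence a board can read."""
    by_host = {a.host: a for a in assets}
    # Discovery gap: a host not seen recently cannot be claimed as patched.
    stale = sorted(a.host for a in assets if (as_of - a.last_seen).days > stale_days)

    rows = []
    for f in findings:
        a = by_host[f.host]
        band = priority(f, a)
        due = f.fix_available + timedelta(days=SLA_DAYS[band])
        # Only an independent rescan counts as evidence; a closed ticket does not.
        if f.verified is not None:
            status = "within_sla" if f.verified <= due else "late"
        else:
            status = "overdue" if as_of > due else "open"
        rows.append({
            "host": f.host, "vuln_id": f.vuln_id, "priority": band,
            "owner": a.owner, "due": due, "status": status,
            "unverified_closure": f.ticket_closed is not None and f.verified is None,
        })

    counts = {s: sum(r["status"] == s for r in rows)
              for s in ("within_sla", "late", "overdue", "open")}
    measured = counts["within_sla"] + counts["late"] + counts["overdue"]
    overdue = sorted((r for r in rows if r["status"] == "overdue"),
                     key=lambda r: (r["priority"], r["due"]))
    return {
        "as_of": as_of,
        "counts": counts,
        # Share of findings whose deadline has been reached that were fixed in time.
        "sla_rate": counts["within_sla"] / measured if measured else 1.0,
        "overdue": overdue,
        "unverified_closures": sum(r["unverified_closure"] for r in rows),
        "stale_hosts": stale,
    }


# Constructed sample data for the example: not real systems or vulnerabilities.
AS_OF = date(2025, 9, 15)
SAMPLE_ASSETS = [
    Asset("fin-app-01", 1, "Finance IT", date(2025, 9, 14)),
    Asset("hr-web-02", 2, "People Systems", date(2025, 9, 14)),
    Asset("lab-pc-17", 3, "R&D", date(2025, 8, 20)),       # not seen for 26 days
]
SAMPLE_FINDINGS = [
    Finding("fin-app-01", "EXAMPLE-1", 9.8, True, date(2025, 9, 1), date(2025, 9, 5), date(2025, 9, 6)),
    Finding("fin-app-01", "EXAMPLE-2", 7.5, False, date(2025, 8, 20), date(2025, 9, 10)),  # closed, never rescanned
    Finding("hr-web-02", "EXAMPLE-3", 9.1, False, date(2025, 8, 1), date(2025, 8, 18), date(2025, 8, 20)),
    Finding("hr-web-02", "EXAMPLE-4", 5.3, False, date(2025, 9, 10)),
    Finding("lab-pc-17", "EXAMPLE-5", 8.1, True, date(2025, 8, 25)),
]


def sample_report() -> dict:
    return build_report(SAMPLE_ASSETS, SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    r = sample_report()
    print(f"Patch compliance as of {r['as_of']}: {r['sla_rate']:.0%} within SLA, "
          f"{r['counts']['overdue']} overdue, {r['unverified_closures']} closed without proof, "
          f"{len(r['stale_hosts'])} host(s) missing from discovery")
    for row in r["overdue"]:
        print(f"  {row['priority']} {row['host']} {row['vuln_id']} due {row['due']} owner {row['owner']}")
```

On the constructed data the summary reads 25% within SLA, two overdue items (the known-exploited one on the unseen lab machine first, then the finance host whose ticket was closed without a rescan), one closure with no evidence behind it, and one host discovery has lost track of. That is the shape of report a board can interrogate: each number traces to a named host, a named owner and a verifiable date, which is exactly what "patching is being done" does not give them.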

The truth is uncomfortable but unavoidable: businesses are often only a missed update away from a serious breach. For too many, that breach will not just hurt, it will end them. Patching is not hygiene. It is not housekeeping. It is governance. And until boards treat it as such, the risk remains existential.

If you are not 100% certain that you have this covered, talk to Cerberus Networks about how to turn patching from an IT blind spot into a governance control you can rely on.
