Patch like a caveman

I have a new day job. My new employer is Nucleus Security, a company that ingests, enriches, and distributes vulnerability management data. It’s a fantastic product and I’m happy to be there. This week, Nucleus introduced me to the world with a blog post where I talk about two approaches to patching.

Cavemen conquered the world. Sometimes the best thing we can do is save our effort for when it counts.

I won’t spoil it here, but when I say someone patches like a caveman, I’m not insulting you.

Early in my career, I had middle managers lecture me all the time about working smart, so we could do more with less. They didn’t know anything about my job, but they were convinced they knew more about it than me. So they wrote a bunch of generic platitudes on a whiteboard and expected me to be more productive because I wasn’t dumb anymore.

I figured it out eventually, but their Kmart wisdom didn’t have anything to do with it.

Or they’d tell me to work harder. And that was that. If it took working 25 hours a day to get the work done, find 25 hours. Let that be a motivator.

Needless to say, neither type of management got much out of the people who worked for them. So I tell sysadmins who struggle under the load of patching that I won’t insult them by telling them to work smarter or harder. They’re smart, they work hard, and they know their systems better than I do. I haven’t done this stuff since 2009. They did it last month. But they need to save that hard work for when it counts. Don’t work smarter or harder. Work dumber and lazier. My general method is in Nucleus’ blog post.

Nucleus wants to sell you its vulnerability management product. That’s how we make money. But we want to improve the state of vulnerability management. The field has existed for 25 years and yet nobody’s mastered it. So I’m going to try to write about a post a week for them about vulnerability management, and probably how it ties into something Nucleus related, but some of it will work in other tools too.

I’ll still write some VM-related stuff here too from time to time. There’s no reason for me to write about something specific to Qualys or Tenable over there. I’ll keep writing about Qualys and Tenable here. We don’t compete with them. We take their data, pull in whatever other data you have, merge it, give you a dashboard and some reports, and send the data on to the other systems that need it. It’s slick.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: