Why Johnny can’t patch

I’ve spent nearly 2/3 of my career dealing with Microsoft patches at one level or another, so when it comes to excuses, I think I’ve probably heard them all.

This diary entry from the Internet Storm Center has good answers to the most common objections. I think a two-day patch cycle may be overly aggressive, and I know it drives infrastructure folks nuts when CISOs read stuff like this and then say, “Patch my stuff in two days like this guy,” but most organizations can take his advice, and even if they slow it down to 30 days instead of two, they’ll still be in a better place than they are today.

IT jobs shortage? Slide over to security

IT jobs are getting scarce again, and I believe it. I don’t have a cure but I have a suggestion: Specialize. Specifically, specialize in security.

Why? Turnover. Turnover in my department is rampant, because other companies offer my coworkers more money, a promotion, or something tangible to come work for them. I asked our CISO point blank if he’s worried. He said unemployment in security is 0.6 percent, so this is normal. What we have to do is develop security people, because there aren’t enough of them.

I made that transition, largely by accident, so I’ll offer some advice.