I’ve spent nearly two-thirds of my career dealing with Microsoft patches at one level or another, so when it comes to excuses, I think I’ve probably heard them all.
This diary entry from the Internet Storm Center has good answers to the most common objections. I think a two-day patch cycle may be overly aggressive, and I know it drives infrastructure folks nuts when CISOs read stuff like this and then say, “Patch my stuff in two days like this guy,” but most organizations can take his advice, and even if they slow it down to 30 days instead of two, they’ll still be in a better place than they are today.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.