Determining Patching Responsibility

March 22, 2018

Recent news (and my latest blogs!) have focused on the (sorry) state of patching. While this is a common state, it’s generally not the fault of the IT staff. They would love to be patched to within “N-1” and have security patches installed. However, the business is (or claims to be) 25x8 and so interruptions to the business aren’t allowed and maintenance never gets done.
A Metaphor
Let’s move the discussion to something closer to home. My family just finished our ski vacation. We drove our own vehicle, and the trip was harder on it than our normal day-to-day work. When we got home I heard it talking to me. I checked my oil and my repair history (it had been a while since the last "big" maintenance cycle).
I can decide to proceed with business as usual: the annual (compulsory) inspection is 10 months away, and I can discuss whether to do any additional maintenance THEN, because it isn’t convenient now. After all, I just had my annual checkup and it passed all the legal requirements—plus I waited two hours for them to finish! A day without the car is too much hassle, so I'll postpone until it’s convenient. But that moment may never come. Do you ever find it convenient to spend a day at the garage?
Or I could wait for the motor to lock up. Yes, that would be convenient—at least for the sales people to sell me a new car. Who knows what else is broken or breaking because I couldn’t be bothered to do regular maintenance.
Of course, I shall be changing car types and the service garage. Why couldn't they make sure my car was available 25x8? I mean, I do check the oil and refill the gas tank? Shouldn't that be enough? Why doesn't my car "just work" all the time? 
Back to the Real World
The words spoken are usually quite different - but it does come down to a metaphor like the one above. Management (me) refused to follow the manufacturer's recommendations for regular maintenance and/or just apply common sense.
In short, rather than IT staff begging for a maintenance window (the service garage sending reminders to come in), business management (i.e., the user) should be demanding that maintenance be done at appropriate intervals—and plan the business so that these can be done.
Smile Please!
I hope this can help you the next time you mention that some patches need to be applied and the business says that they’re too busy: “Come back later when we have time.”

