Do you have scheduled fixed day(s) of a month for downtime to patch each critical system?


Yes, 1 day of the month: 47%

Yes, 2 days of the month: 20%

Others (please specify): 6%


3.3k views, 2 Upvotes, 10 Comments

Director in Finance (non-banking), 10,001+ employees
Patch agents are receiving patches and updating systems 24/7; the only scheduled activity is a reboot if systems are going more than seven days without restarting.
Assistant Director IT Auditor in Education, 10,001+ employees
As needed, and also on a regular schedule like MS Patch Tuesday.

Chief Security Officer in Software, 10,001+ employees
Patch scheduling depends on severity (CVSS score). Most are fixed during scheduled maintenance windows, but high and critical are dealt with as needed to remediate as quickly as possible.
ISSO and Director of the IRU in Healthcare and Biotech, 10,001+ employees
Depends on the criticality of the vulnerabilities. We can do urgent immediate patches if necessary outside the cycle.
CIO, Self-employed
I answered no, because it's not a fixed day of the month. Rather, we have a weekend each quarter where we negotiate a quarterly IT outage. In our work on patching what we found was that it was far easier to hold individual applications accountable for finding their own downtime (negotiating the specific duration/date of each outage with their business customers). But when broader outages were required (think core switches and routing, shared VM infrastructure, etc.) that impacted multiple applications -- and maybe multiple critical applications -- it was easier to pre-plan these weekend outages for the year. Our experience was that initially these outages were more impactful to systems because we were dealing with a lot of deferred maintenance. But after the first year (4 weekends) the impacts were much more limited in scope (in general). Our biggest learning was that it was much easier to negotiate the weekends that we needed a year in advance (and then continually remind people that they were coming up!), and that we always had work that needed to be done. Also, having these scheduled outages allowed for better coordination of support staff when bigger changes were necessary.
CTO in Software, 201 - 500 employees
High-priority security updates are applied ASAP; other updates and upgrades happen monthly during a scheduled maintenance window.
Senior IT Manager in Government, 10,001+ employees
We used to have a fixed day of the month but with modern operating systems we find most patching can now be done w/out downtime. As others have said, criticals/sev 1 get done ASAP, others can wait, and if downtime is required, scheduled in advance.
CTO in Transportation, 11 - 50 employees
We patch systems as soon as possible. We build new updated images every week. All patches are applied without downtime, even db updates.
Strategic Banking IT advisor in Banking, 10,001+ employees
I replied with "Others" as we have planned and fixed days for system maintenance. But for a patch, depending on the criticality of the system and the severity of the breach/issue to be fixed, it could be an overnight patch.
CIO, Self-employed
I chose other as we have a maintenance weekend scheduled for each month throughout the year that may entail various system updates, changes or patches but we also have unscheduled updates depending on the severity or criticality of the patch or update required.
