How quickly do you patch severe security vulnerabilities, such as the most recent CVE-2019-0708?

Security & GRCThreat & Vulnerability Management

Day it's announced16%

2-5 days46%

6-14 days14%

Longer than 2 weeks7%

During the regular patch cycle14%

Other (see my answer below)1%

634 PARTICIPANTS
1.3k viewscircle icon7 Upvotescircle icon13 Comments
Sort by:
CIO & Digital Transformation Advisor - Independent Consultant in Software6 years ago

It depends on the critical nature based on the business and service impact. There are patches that we do on the same day as well.

Lightbulb on2
Information Security Managing Consultant in Services (non-Government)6 years ago

Depending on the environment, depends on the patch and the urgency of the patch. PCI specifically has requirements for patching that must be adhered to. I am always a big fan of the 30/60/90 rule for patching. That said, I have gone into PCI environments that complete an SAQ-D that have claim to patch monthly but have servers that have not been patched in over 3 years. Patching, especially for larger organizations, can be a bear to control. 

Chief Security Officer in Software6 years ago

Agree with others here. We set policies based on severity and CVSS score. Critical is immediate if it applies. Lower than critical severities are prioritized within 30 days or less depending on patch cycles.

Lightbulb on1
Founder/CTO in Hardware6 years ago

Depending on the severity but in most cases I would install the patch ASAP. 

Chief Techical Officer in Software6 years ago

Depends on the patch. If it is critical and applies to us same day, if not then sometime in the future and when perform regular maintenance. Eg: the mentioned patch doesn't even apply to our environments so totally ignored, nothing to patch.

Lightbulb on2

Content you might like

Will API security be one of your 2023 initiatives?

Yes41%

API security is a current initiative36%

No13%

Not sure yet9%

Other (please explain in the comments)

View Results

Seeking advice on integrating embedded AI agents into Workday/SAP/etc. How do you handle integration across HRIS, ATS, and LMS? Do you rely on vendor-native tools or build your own in-house registries?

Does your organization currently have unfulfilled cybersecurity positions?

Yes75%

No24%

Which tech conference do you intend to attend in person next year or have already participated in this year, and what motivated your choice?

Read More Comments

Has anyone drafted an SOW for a cloud-based SIEM with setup, migration, and maintenance? I’m working on a FedRAMP-authorized SIEM SOW, migrating from on-prem Splunk, covering data, searches, alerts, dashboards, and models.  Scope includes Environment Setup:  Cloud provisioning, configuration, testing. Connectors/Parsers: Custom data source integration. Content Development: Rules, use cases, threat feeds. Performance Tuning: Query/index optimization. Runbooks: Operational procedures. Also required: 24x7 support, maintenance, lifecycle and application management, role-based training, and documentation.  Must comply with NIST SP 800-53, CJIS, and FedRAMP Moderate+. Goal: Secure, scalable SIEM for rapid deployment. I may be missing elements, so suggestions are welcome. Please share redacted SOWs or tips if possible.