Go ahead and ignore Patch Tuesday – it might improve your security
- Reference: 1747225146
- News link: https://www.theregister.co.uk/2025/05/14/improve_patching_strategies/
That's the opinion of Craig Lawson, a Research Vice President at analyst Gartner, who on Wednesday told the firm's Infrastructure, Operations & Cloud Strategies Conference: "Nobody has ever out-patched threat actors at scale."
Lawson said he has discussed patching with hyperscalers, banks, retailers, and government agencies. None told him they were able to stay on top of patching.
The analyst thinks most organizations therefore can't understand their level of "threat debt" – a measure of technical debt focused on known but unfixed security exposures – but wrongly think accelerating patching efforts is the way to reduce it.
Lawson thinks that's folly, because developers issue more patches than users can implement safely.
"Patches break things," he said, or are so complex to implement that the work may not be worth it. "You can't patch Java because there might be five other subsystems that need a patch before you patch Java."
The effort required to determine if a patch will have unintended consequences may also be ineffectual, because his research suggests criminals exploit just 8-9 percent of vulnerabilities and most of the flaws they target aren't rated critical – cybercrims focus on less serious problems.
"We are not in the age of industrialized vulnerability exploitation," he said, and attackers sometimes ignore even nasty zero-days.
"State actors are reluctant to use them because it is a boomerang – use it and it will come back and hit me in the face," the analyst added.
Futile flurry
Lawson thinks organizations try to implement all patches anyway, sometimes to meet internal metrics for speedy patching, or to ensure they meet regulatory compliance requirements.
But such practices haven't led to a decrease in successful attacks.
"Imagine if this was a serious discipline like building bridges and someone said, 'Hey, we have to stop bridges falling down.' Then you spend all this extra money to make sure that doesn't happen, and then more bridges fell down," he said.
"You think someone would come along and say, 'Do you even know why bridges fall down in the first place?'"
[6]Apple patched one first, but Microsoft’s blasted five exploited flaws this Pa-Tu
[7]Microsoft pitches pay-to-patch reboot reduction subscription for Windows Server 2025
[8]Oh, cool. Microsoft melts bug that froze Server 2025 Remote Desktop sessions
[9]Microsoft rated this bug as low exploitability. Miscreants weaponized it in just 8 days
Lawson says company directors are now asking that sort of question in boardrooms, and one answer which often emerges is patches aren't necessary because organizations have controls in place to compensate for unpatched systems.
He suggests orgs develop a "cohabitation metric" that explains how to live with unpatched systems by considering compensating controls that can ameliorate a flaw, and how patching is an extra control that organizations can apply at the appropriate time.
Lawson wants IT operations and security people to share that metric with applications teams, and anyone else with a stake in an org's security posture, so they can jointly develop a plan on what to patch and when.
"You don't make a population healthy by giving everyone an aspirin," he said. "You give them individual treatment."
Creating that tailored plan requires collaboration across an organization to identify security needs and the patches that IT pros can most easily implement and therefore put high on a to-do list, Lawson says.
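One way to turn the "threat debt" and "cohabitation metric" ideas above into something a team can actually rank against is sketched below. This is an added example, not Gartner's or The Register's code, and not a published Gartner method: the scoring weights, the control names in `CONTROL_EFFECT`, the `patch_risk` penalties, the `threshold`, and the four sample exposures are all constructed assumptions for illustration. It treats exploited-in-the-wild status as more important than the CVSS label, lets compensating controls reduce residual risk, and charges a cost for patches that are likely to break things, so an exposure can land in "cohabit" rather than "patch now".

```python
"""Toy threat-debt and cohabitation scorer (added example; all weights are assumptions)."""
from dataclasses import dataclass, field


@dataclass
class Exposure:
    """One known-but-unfixed vulnerability on one asset."""
    vuln_id: str
    asset: str
    cvss: float                 # vendor/NVD base severity, 0.0-10.0
    known_exploited: bool       # seen in real attacks (e.g. on a known-exploited list)
    internet_facing: bool
    controls: list = field(default_factory=list)  # compensating controls already in place
    patch_risk: str = "low"     # "low" | "medium" | "high": chance the patch breaks things


# Constructed assumption: fraction of the risk each compensating control removes.
CONTROL_EFFECT = {
    "waf": 0.5,
    "network_segmentation": 0.6,
    "edr": 0.4,
    "no_untrusted_input": 0.8,
    "mfa": 0.5,
}

# Constructed assumption: how much a risky patch counts against patching now (0-10 scale).
PATCH_RISK_PENALTY = {"low": 0.0, "medium": 0.15, "high": 0.35}


def residual_risk(e: Exposure) -> float:
    """Risk left after compensating controls, on a 0-10 scale."""
    base = e.cvss
    # Exploited in the wild outranks the severity label: treat as at least high, then boost.
    if e.known_exploited:
        base = max(base, 7.0) * 1.3
    if e.internet_facing:
        base *= 1.2
    # Controls combine multiplicatively: each leaves a fraction of the remaining risk.
    remaining = 1.0
    for control in e.controls:
        remaining *= 1.0 - CONTROL_EFFECT.get(control, 0.0)
    return round(min(base * remaining, 10.0), 2)


def cohabitation_score(e: Exposure) -> float:
    """Higher means patch sooner: residual risk minus the cost of a risky patch."""
    return round(residual_risk(e) - 10 * PATCH_RISK_PENALTY[e.patch_risk], 2)


def threat_debt(exposures) -> float:
    """Sum of residual risk across everything known but unfixed."""
    return round(sum(residual_risk(e) for e in exposures), 2)


def patch_plan(exposures, threshold: float = 2.0):
    """Rank exposures; each entry is (vuln_id, asset, score, decision)."""
    ranked = sorted(exposures, key=cohabitation_score, reverse=True)
    return [
        (e.vuln_id, e.asset, cohabitation_score(e),
         "patch" if cohabitation_score(e) >= threshold else "cohabit")
        for e in ranked
    ]


# Constructed sample inventory (identifiers and assets are made up).
SAMPLE = [
    Exposure("VULN-0001", "web-frontend", 9.8, False, True, ["waf", "edr"], "low"),
    Exposure("VULN-0002", "hr-portal", 6.5, True, True, [], "low"),
    Exposure("VULN-0003", "build-server", 7.5, False, False,
             ["network_segmentation", "no_untrusted_input"], "high"),
    Exposure("VULN-0004", "java-batch", 8.1, False, False, ["network_segmentation"], "high"),
]

if __name__ == "__main__":
    print("threat debt:", threat_debt(SAMPLE))
    for row in patch_plan(SAMPLE):
        print(row)
```

On the sample data the medium-severity but actively exploited `hr-portal` flaw comes out first, the critical-rated `web-frontend` flaw second because a WAF and EDR already cover part of it, and the two isolated back-end systems with high-risk patches are marked "cohabit" for now. The numbers mean nothing outside this toy; the point is that the ranking is driven by exploitation, exposure, controls and patch cost rather than by the severity label alone.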
And while creating that plan, don't feel that going slow on patching is a sign of failure. "People are made to feel bad, while everyone else is killing it," he said. "The reality is patching sucks for everyone." ®
[1] https://www.theregister.com/2025/05/14/patch_tuesday_may/
[6] https://www.theregister.com/2025/05/14/patch_tuesday_may/
[7] https://www.theregister.com/2025/04/28/windows_server_2025_hotpatching_subscription/
[8] https://www.theregister.com/2025/04/25/microsoft_fixes_windows_flaw/
[9] https://www.theregister.com/2025/04/21/microsoft_apple_patch/
By patching sooner and more often, you are also making yourself MORE vulnerable to supply-chain attacks.
You won't necessarily spot those in your test environment either.
Patch only for vulnerabilities that affect you - don't just patch for patching's sake as soon as a newer version of any software package you use becomes available
Tell that to compliance (and ultimately the law)
Generally, I'd happily say that rushing to patch is a waste of time. Every time you are risking system stability (a known known) for some variant of improved security (a known unknown). Not a great trade.
However, we all know that if you were to be breached and it turned out that you had not been applying patches (even if that would not have prevented the breach) then it's sueballs at dawn.
If the UK government were serious about growth and attracting investment (spoiler alert: they aren't) then they could do a lot worse than develop an official framework that ignored vendor recommendations (which mysteriously always suggest increasing your spending) and provided a playbook for companies that would be backed in civil disputes.
Re: Tell that to compliance (and ultimately the law)
If the government (either side of the pond) were serious they wouldn't be using MS products anyway.
Re: Tell that to compliance (and ultimately the law)
"system stability (a known known)"
For some value of stability.
Patch? Yes - but maybe the greatest threat lies elsewhere
I'd suggest patching - for all the rather good reason JimmyPage offers: if you don't patch and you get compromised, your underwriters will almost certainly walk away from any claim. However, as Redmond prove pretty much every time, being an early adopter of patches might put you at significant risk of falling over.
Despite this the greatest threat of compromise appears to come from social engineered attacks so, while patches are required and should be applied in good time (testing on non-live, etc notwithstanding), most companies would see a greater increase in security by better educating their user base.
Re: Patch? Yes - but maybe the greatest threat lies elsewhere
"most companies would see a greater increase in security by better educating their user base"
And strictly limiting the possible blast radius of any given user.
Broke my PC again - that's 5 times in a row since I installed the 24H2 update. Spent several hours yet again this morning fixing it. Windows 11 repair option actually worked this time, after the latest update broke the component store, which DISM and SFC couldn't fix. Sick of 24H2. Just cannot trust MS Patch Tuesdays. Pathetic state of affairs, MS.
24H2
that is your problem right there
Broke my PC again
Well, if it's broken then nobody's going to be able to compromise it.
Sounds like it's secure to me.
Too much other junk lobbed in under the guise of "updates".
You should be able to select "only security updates" and then all you get is a very minimal set of very small patches that don't add features, remove them, break functions, bundle in Copilot, etc.
But Microsoft are too dumb to do that. That's not what happens at all. What happens is your cluster falls over because it hasn't been tested on a cluster, your DCs collapse because of a known bug in that update that makes DCs fall over, you end up with Edge / Copilot forcibly reinstalled, the downtime is on the order of an hour because there's a .NET Framework update in there too, and before you know it you're trying to back those out which now takes even longer.
And that's JUST me talking from my experience over the last year alone with 3 servers.
"Imagine if this was a serious discipline"
Yes, just imagine if IT systems were pervasive throughout the entire planet and critical infrastructure relied on them, often for life and death. Then, just then, we might consider it "serious"!!
It's all very well saying don't patch, or at least don't patch straight away, IF your systems are well controlled and documented with minimal attack surface, and/or run software that requires specific patch levels. Systems like that should also be inaccessible to users and allowed nowhere near the internet.
However, given that most companies that get compromised do so by stupid users visiting websites that they shouldn't or plugging in USB sticks that they found or any of a dozen other behaviours, client systems are getting patched ASAP.
A company I worked at not that long ago sent out a faux-phishing email as a test of user security, even after some bright spark sent out an all staff email TELLING everyone how clever he was for discovering that it was a test, loads of people still visited the link and got caught out.
Did that years ago, but it had issues
Speed to get critical updates out if you really need to test
trying to get a manager approval for a 0-day bug and pushing that vulnerability fix
Relying on local IT to determine what machines to have in test/pilot before production phases - and then hearing them whinge when a patch has hit prod and causes them issues (they either removed all the devices from those groups or didn't bother in the first place)
relying on teams to test
Making sure all patches are actually deployed and rebooted (forced on users with 3 x delay, but never a server as we had no idea who was using or when - down to local IT to resolve... if they bothered)
Only thing with an audit, if you could show you pestered local IT for devices, lists of machines not connected to patching systems and how to resolve (beyond your own processes or GPO), machines that needed a set of reboots and code to do this quickly, they were OK
I would not want to be doing that all these days
While we're on it
And don't change the oil in your car.
You don't see hulks along the side of the road that died from old oil.
More bollocks from Gartner. It must be a day of the week ending in "y".
Don't talk about patching, prioritisation or "vulnerability management", get your processes in place to patch test environments, test the app and then roll out to production (with tested backout processes).
Then you can talk about exceptions