How Do you Prioritize Patching Efforts?
I'll list some common answers to the question below for an easy copy/paste response but am very interested to hear if you have an answer that does not fall into the below list of ways you are prioritizing your patching efforts...
- I focus on the most popular vendors
- I focus on the software found on the majority of systems in my organization
- I focus on the most critical (by CVSS score)
- I focus on the most critical (by Criticality rating)
- I focus on the most sensitive systems
- I focus on the ones being exploited in the wild
- I focus on the ones easiest to deploy (if I have a patch, I push it - if I don't, I don't)
There is no "correct" answer, but expect that many focus on multiple criteria so please don't limit your response to any one metric of prioritization.
As a bonus, it would be great to hear why you focus on what you do and how such is of particular interest to your organization's situation.