GOETTL: No one group holds the blame. In many cases the business holds IT back by holding on to legacy systems that cannot run on newer platforms. In some cases, the cost to update the backend system may be significant, forcing the endpoint to remain on a system that is now out of date or -- if it is highly customized or built by a company that no longer exists -- it may be down to staying on the old system or having to migrate a business-critical system to an entirely new platform.
Other critics panned companies that had not deployed the March security updates to still-in-support Windows PCs by the time WannaCry hit. But what is an "average" patch time among Microsoft's commercial customers? Is it legitimate to expect a business to be fully patched 60 days after updates are available? 30 days? 90 days?
BRADLEY: Normally, for good patchers, I see a lag of no more than 30 to 60 days. But this pointed out we still suck at getting updates installed -- even in places where the servers should be managed and maintained.
GOETTL: I have seen stats over the years ranging from 60 to even 120 days. What we recommend at Ivanti is to ensure critical OS updates get rolled out within two to four weeks. Applications that are highly targeted (Chrome, IE, Firefox, Flash, [Adobe] Reader, Office) in two weeks or less. We know it can be done and see companies doing it ... in complex environments across tens of thousands, and in some cases hundreds of thousands, of endpoints.
Will offering patches for products out of support get more complicated once Windows 10 has gone through several additional upgrades? What will Microsoft do if, say, a serious security event occurs early next year that impacts versions 1507 and 1511, after both have been knocked off the support list? By January 2020, when Microsoft retires Windows 7, six versions of Windows 10 will have fallen from support. What happens if a critical threat occurs then?
BRADLEY: The people I've seen struggling the most with getting patches installed aren't even on Windows 10. So, the first thing that Microsoft needs to do is still address what is keeping us off of Windows 10. Once we're [there], then they need to ensure better compatibility and lack of issues between the releases.
[But to answer the question], as many times as Microsoft annoys me with their seemingly heavy-handed actions, remember that people in a conference room make the decision. And every time one of these events [happens] where customers are really getting hurt, Microsoft does the right thing and protects us.