> Most administrators at large companies are cautious about rolling out new software versions to their employees. They (normally?) test before broad deployment.

In my experience at both a 70,000-person company and a 260,000-person company, both of which I can confirm have outages right now, this just isn't the case.

The security vendor says update and sysadmins say "right away", because the institution has learned that "right away" is the only acceptable answer from auditors, both internal and external.

This story is interesting because there's an entire chain of places you can pass the buck and absolve responsibility if you so choose. You could, if you so desired, choose to blame:

1. The CrowdStrike developer who pushed the change

2. The developer responsible for the kernel bug

3. CrowdStrike as a company for not having better change management

4. Microsoft for how they handle kernel access

5. system admins for not owning the update process of their entire body of devices

6. security teams / the CISO for operating on checklists that exist to please auditors rather than treating security as a living, breathing problem

7. Auditors for structuring security audits as a checklist rather than treating security as a living, breathing problem

8. Regulators for using one-size-fits-all audits as the preferred method of determining security compliance
