...the Cisco security advisories. In fact, some businesses don't have the resources to maintain a staff of Cisco engineers. As a result, many small companies only fix security problems a few times a year, such as on a quarterly basis.
Most companies that run large networks have developed a patching or update strategy that includes testing and delivery. But testing and scheduling for implementation can take months because of the downtime required to implement a new IOS and maintain the service-level agreement with the customer or business.
The solution
None of this fiasco would have been necessary if everyone would implement vendor-supported and distributed security patches in a timely manner. That is the simple solution.
Vendors create and distribute security fixes and patches to counter discovered flaws. Such fixes are not feature enhancements, and companies shouldn't treat them as optional. Instead, they should apply any patches as soon as the vendor releases them.
This leads us to the larger problem that pervades even the largest and smallest of companies. Change management is a persistent problem. If you haven't established procedures to quickly test and deploy security-related patches, then it's only a matter of time before your network falls victim to your inability to respond to emerging security threats.
Final thoughts
Change management and patch implementation for security-related issues are not activities your organization can afford to triage. Too many companies put off security fixes until they "can get to it" — and most eventually pay the price for such procrastination.
Network security is a proactive process. If you're constantly reacting to security problems, you need to look deeper than the problem itself and find the underlying flaw in your business process. If you have devices on your network that are vulnerable, you need to fix them before someone else finds them.
Talkback
The idea of upgrading your Cisco IOS for every security patch is fine if the replacement IOS is guaranteed not to bring in new bugs or to lose functionality but that cannot be guaranteed. Cisco will offer a number of patched IOS releases but unless you are on the train that is patched or even a GD release you can not be sure that the IOS will not cause a number of problems without extensive testing. It is hard to get customers to move to a new release under these conditions.