Rich Mogull (who's stuff I really quite dig) has launched an 'Open Patch Management Survey' via the SecurityMetrics blog. Its an interesting idea, and they plan to release both their analysis *and* the raw data, which might be really insightful for our VMS stuff.
Corporations can take the SurveyMonkey survey at http://www.surveymonkey.com/s.aspx?sm=SjehgbiAl3mR_2b1gauMibQw_3d_3d, and there's some nice material already available at http://securosis.com/projectquant.
Here's the rest of Rich's message (pls forgive the cross-post):
Our goal here is to gain an understanding of what people are really doing with regards to patch management, to better align the metrics model with real practices. We're doing something different with this survey. All the results will be made public. We don't mean the summary results, but the raw data (minus any private or identifiable information that could reveal the source person or organization). Once we hit 100 responses we will release the data in spreadsheet formats. Then, either every week or for every 100 additional responses, we will release updated data. We don't plan on closing this for quite some time, but as with most surveys we expect an initial rush of responses and want to get the data out there quickly. As with all our material, the results will be licensed under Creative Commons.
We will, of course, provide our own analysis, but we think it's important for everyone to be able to evaluate the results for themselves. All questions are optional, but the more you complete the more accurate the results will be. In two spots we ask if you are open for a direct interview, which we will start scheduling right away. Please spread the word far and wide, since the more responses we collect, the more useful the results.
If you fill out the survey as a result of reading this email please use SECURITYMETRICS as the registration code (helps us figure out what channels are working best). This won't affect the results, but we think it might be interesting to track how people found the survey, and which social media channels are more effective.