How often should you update Cisco IOS? How important is it?

For the 15-ish years I’ve been in the TPM (third party maintenance) space, one of the primary objections I’ve heard from potential new customers is, “We keep our code current at all layers, so access to Cisco IOS updates via SMARTnet is a necessity”. It’s a tough objection to counter – obviously these CIOs and engineers know their networks better than I do, so it must be true.

But is it, really? I think the answer depends on how those CIOs and engineers define “current”.

What do we mean when we say "current code"?

I asked a couple of our CovrEDGE customers why they decided that access to code updates was not critical and moved their access and distribution layers over to our service. One is a Fortune 100 wholesale distribution company, and the other is a large national healthcare services provider. Each has roughly 10,000 SMARTnet-eligible switches in the field, and they both told the same story, which was some version of “there is no time for me to update all of these devices even once a year, much less at every new release.” Doing so would require 100% of their time, cause immense disruption, and distract them from every other facet of their jobs.

In 2021, Cisco released over four hundred IOS updates to address security  vulnerabilities (you can see the entire Security Advisory list of 4,400 here). Granted, not every customer had the combination of software and feature that these updates were released to address, but if even 10% of those updates were relevant – you get the picture. No one is updating their code forty times a year.

So, where’s the disconnect? How can it be that some Fortune 100 firms can “set it and forget it” while others say they update the code constantly, even without DNA? My guess is that “updating IOS” has become synonymous with “best practices”, therefore “we follow best practices” comes to mean “we constantly update our code” even when that’s not really the case. They believe they are “current” because they are running the most recent version of the code, but they have not updated in accordance with each new vulnerability release.

Does this ring true with you? If so, fill out the form below to schedule some time for a consultation.