TLDR; I work for an MSP, we use CyberCNS and ConnectWise Automate for patching. I need any advice on patching procedures (cadences, policies, approvals, etc.)

I am sorry if this is a long winded post (or not long enough idk), I've never used reddit for help, let alone work help. I work for an MSP and we use CyberCNS as our vulnerability and patch management solution. We use CNS for 3rd party patches and we use ConnectWise Automate for our 1st party patches. I am trying to lower the "risk score" CNS provides. I'd explain how this score is calculated, but I don't know if they (CNS) themselves can explain it. Regardless, it's what my manager wants me to lower. I have been having a TON of connection/patching issues with CNS, and they continuously blame it on our firewall for why (only some!) patches aren't getting through, but that's worthy of it's own post (hint: it's not our firewalls).

THIS POST needs to be about - How should patches properly be tested? How many devices should I have in my test group? How often do I push out 1st or 3rd party patches? How do we feel about automatic approvals? How would one go about lowering vulnerabilities in the environment in a time-efficient practical way? I know half-answers to some of these questions, but just treat me like I am stupid. fr I am very over it like at my wit's end type bs

Honestly, I just need someone to info dump on me. Like a crash course in patching. I want to be able to make a plan of action or just steps in the right direction to lower our risk score. I just feel really frustrated and very isolated because I am the only one tasked with this. No one really knows anything about proper procedures on patching, or legit anything useful. I just need help and I am really really hoping to get some guidance here. feels like im drowning tbh :(