One man's corporate standard--another man's monoculture?

Summary:If you caught one of my recent blogs about zero-day exploits, a day in the life of a real IT manager, and how he's very worried about what he's seeing (in terms of what's getting through the cracks), then you also saw that Doc Searls is recommending that companies consider the idea of polycultures.  There's no question that  monoculture-based IT deployments increase the odds that a simple exploit can devastate an entire company, let alone the Internet.

If you caught one of my recent blogs about zero-day exploits, a day in the life of a real IT manager, and how he's very worried about what he's seeing (in terms of what's getting through the cracks), then you also saw that Doc Searls is recommending that companies consider the idea of polycultures.  There's no question that  monoculture-based IT deployments increase the odds that a simple exploit can devastate an entire company, let alone the Internet.  After all, as the recent Zotob outbreak just demonstrated, whatever it is that brings one computer down can easily bring down the rest if they're all running the same thing (basically, the definition of a monoculture).  For example, more than half of a South Florida-based Memorial Healthcare System's 5,000 workstations were brought to their knees by Zotob before the medical institution's IT staff was able to restrict the worm's movement and protect the rest.   12,000 of San Diego County's computers were impacted as were systems at 13 of Damlier-Chrysler's plants.

So, maybe Searls is right.  Perhaps using the polyculture approach could make for a good hedge for those looking for ways to mitigate their risk.  But, the question I have is, has anybody compared the usage of the terms "monoculture" and "corporate standard?"  If you think about it, the two are sort of the same thing.  We set all sorts of corporate standards to ease the IT department's pain when it comes to training, support, and what has been proven not to wreck the corporate network due to interoperability or compatibility problems.  But then, when we realize how exposed that leaves us -- for example, how one little exploit can bring the entire company down -- it becomes a monoculture that creates a whole new set of problems for us.  This is a real opportunity cost scenario where the better questions are (1) do the benefits of corporate standards outweigh the potential costs of running a monoculture? or (2) On the flip side, do the mitigated risks of a polyculture outweight the benefits of corporate standards?  There's probably no one-size fits all answer.   For some, it's the former.  For others, probably the latter.  What is it for you?

Topics: Malware

About

David Berlind was fomerly the executive editor of ZDNet. David holds a BBA in Computer Information Systems. Prior to becoming a tech journalist in 1991, David was an IT manager.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.