To put an end to constant attacks, do you have to get off the Microsoft train?
Many of you are heads-down in your budget process now, and some of you are perhaps at a juncture where you are choosing a new product to upgrade or replace an existing hardware or software system.
There are many things to consider: price, functionality, how it fits in your current environment, warranty, service, etc. But over the years a new dynamic has been added to the mix – vulnerability due to popularity. By this, I mean the hardware's or software's propensity for being a target of "security attacks" because of its notoriety.
Obviously the king in this arena is Microsoft. Whether Microsoft is doing enough regarding security is up for debate, but there is no arguing that a large number of people love to hate Microsoft. Because of this, Microsoft products are the targets of innumerable attacks and exploits – the result being a new Microsoft vulnerability seemingly in the headlines on a daily basis.
To be fair, Microsoft is not alone. Oracle and Cisco have had their share of headlines and headaches as well. It's not surprising. Most of the "leading" software packages in all the different software categories garner a greater share of attention from hackers and other malcontents. So the question becomes, at what point, if ever, does a product's propensity for attracting attacks figure into your decision-making?
Does the need to be constantly installing security patches and upgrades ever reach a level where it is not worth the trouble? Would it ever make sense to go with a less-heavily targeted competitor just because they can fly beneath the pirates' radar?
Take as an example, Microsoft's Exchange Server. One could argue that Exchange requires a greater amount of support than competitors such as Scalix 10 and Zimbra Collaboration Suite because it resides on a Microsoft operating system and is immensely more popular with both enterprises and hackers.
Assuming you are a Microsoft shop and have no Linux expertise in house, do you ever reach a point where you will make the investment in Linux expertise in order to implement Scalix or Zimbra? Or does sheer inertia keep us doing the same thing from year to year?
What about file and print services? Novell certainly knows what it is doing in this arena (technically speaking; they are still horrible at marketing, in my opinion). When the decision to switch to a new Microsoft server operating system is being presented to you, will Novell ever be considered?
I believe that the type of risk associated with a "popular" product should be part of the decision-making process.
I also believe that the security risks and costs associated with using a particular product have to be greater than the personal risk the decision maker is taking when deciding to switch products before he or she will ever do so. Inertia is that powerful.
So how does one ever convince an organization to truly assess the merits of a "legacy" product vs. a competitor's when they already have a product in place?
Don't make the decision on your own or in a vacuum. That's what governance committees are for, and that is where good executive management comes into play. Both are required in order to make the best decision for the organization. There will be some who will argue that you cannot create a totally secure piece of software or hardware, and that exploits are going to happen – so don't even consider this in your decision-making. I can understand this point of view and to some extent it may be true. But I have to believe that there are IT professionals sitting out there in the wings, using "non-mainstream" software and hardware, providing equivalent services for their users, and they are grinning and stress-free as they read this article!