As of April 8th, 2014, Microsoft will no longer provide security patches or any other upgrades for its popular and still widely used Microsoft XP operating system. This isn’t a secret or something that has been brought up at the last minute. Microsoft has been advertising that XP support would be ending since April 10th, 2012. Organizations need to replace the XP operating system because an unsupported operating system immediately becomes vulnerable.
Microsoft has stated that there are hackers, malware attackers and other cyber-terrorists waiting for April 8th. They have found vulnerabilities and back-door access software programs that they have in readiness, waiting for the day that Microsoft is no longer patching against their efforts. Any organization still using XP on zero-day is risking corrupt programs and malware taking advantage of the organization’s inaction.
The obvious solution is to replace XP with another operating system that is still supported and maintained by its manufacturer. There has been plenty of time for a rollout process and internal adoption to occur. While changing operating systems is a large and invasive project, it is better than the alternative. Organizations would be wise to heed Microsoft’s words on the zero-day vulnerabilities.
The underlying concern that this issue brings up is the organization’s vulnerability to its vendors’ choices. Organizations have to follow Microsoft’s advice, along with that of any other vendor that has a product critical to the organization. What is an organization to do if a vendor decides to no longer recognize, support, or offer alternatives to a product that is used in an environment? In the specific example of zero-day, Microsoft has three Windows iterations that are newer than XP, but what if that wasn’t the case? Not only must organizations plan for vendor-driven changes, but they must also consider what course of action to take when the choice of corrective action is not clear.
From the vendor’s perspective, vendors are required to produce and innovate while adapting to market changes so that they create products that are viable for some time. Today’s large vendors such as Microsoft, Apple and Google have been successful, but some organizations have been pushed from the market. A prime example of this is Research in Motion (RIM).
It isn’t a secret that RIM’s market share with its BlackBerry products continues to shrink. Ten years ago, RIM was the 800-pound gorilla in the room and no one expected them to go anywhere. The transition planning in this case is driven by the organization, not the vendor, although a case can be made for the product vulnerability to replacement coming from the vendor’s choices.
It is interesting to think about Microsoft’s XP, which has had an enormous market share for more years than anyone would have expected. Here, the commitment over time by vendor and customers has been extraordinary, which unfortunately also leads to a painful transition for customers. But the vendor dictates an ending and we must comply.
The take-away from these experiences is that the relationship between vendors and the organization is complicated, with the vendor’s schedule often dictating what investments and projects have to be done in a specific time frame. Vendor Management best practices can help with the planning for these externally driven changes, limiting their impact as much as possible through excellent communication. With all of the vendor/customer/product scenarios discussed, it is clear that IT product relationships are symbiotic and that sometimes the vendor’s wants and needs drive the organization. This circumstance shows that time invested in making the wisest acquisition decisions possible is well spent.