Who’s responsible for Windows?: IT Managers Unite

So often we hear of security breaches on Windows networks. The Seattle Times reported on a hospital whose computers were hijacked for an adware downloading scheme. No lives were lost, but work was greatly disrupted and the use of good old Luddite manpower was required in the interim. How many billions of dollars - or even lives - are going to be lost before the finger of blame gets pointed where it should?

And I don’t mean Microsoft. No. As one respondent to that article asked, should gun manufacturers be held responsible for shooting deaths? Of course not directly, but they do have a responsiblity to make their product as safe as possible. So although Microsoft has a responsibilty to make its product as safe as possible, when things go wrong the responsibilty lies firmly at the feet of guys like me: IT managers. We are the people making the decisions.

There’s still this shortsighted and narrow minded belief in IT management circles that we can manage security on a Windows networks, provided we do everything to keep up to date with potential threats. The problem with that approach though is it’s reactive. Sure at first glance it may seem proactive: “We’re doing everything possible…” But that’s not enough because the “bad guys” are looking for new ways into the system and when they find them, the IT department has to react. The truly pro-active approach would be to replace the faulty system altogether.

I know about this pseudo pro-activeness. In my previous job as IT Manager I practiced it. And doing so probably cost me my job. Although I was made “redundant” because of “financial cost cutting,” I have little doubt that I lost my job because of my failure to resolve an ongoing problem: one of the offices was suffering daily dropouts of their phone system. Within budget, I did everything possible. But in hindsight, I should have marched into the General Manager’s office and said “If you really want to fix the problem once and for all, this is the only solution. But it’s going to cost you.” Ironically, after I left, they ended up resolving it by doing just that, by throwing money at it, because the pro-active approach was to replace the problem system altogether. I was complacent, I didn’t realise just how real the potential for my unemployment was.

Should IT managers be fired if the system they are responsible for suffers a serious security breach? Even if they’d done everything possible - except switching to a significantly more secure system? Given that they know there are systems that just don’t have the plethora of security issues that Windows does? Even if it is apparently expensive?

What can be done?
Is it viable to consider switching though? In that last job, my annual IT budget was around $300,000 Australian, and we would have had to spend millions to pay developers to replace our Windows only industry specific applications with platform independent ones. So the cost was prohibitive. I like to say, I am just one small fish, yet small fish swim in big schools. In other words, if we IT managers act together, we have leverage. It was we who almost overnight made Windows server, desktop, and Office “standards.” It was we who told our CEOs to ditch Novell, Word Perfect, and Lotus 123 in favor of Microsoft. And it only took about two years for this transformation. So if we work together Windows can also be quickly undone.

IT managers taking the easy option is the problem. These things are around us all the time. The Washington Post wrote an article the other day: New Grant System Excludes Mac Users. To quote:

But the promise of making Grants.gov accessible to everyone remains unfulfilled because of a decision by Grumman and HHS to give a small Canadian company called PureEdge Solutions the job of creating the electronic forms. The PureEdge solution, it turns out, works only with the Windows operating system. And that is especially galling, several scientists said, as at least one major grant-making agency, the National Science Foundation, has for many years been using a “platform-independent” system that works seamlessly with all kinds of computers.

As this quote acknowledges, platform independence is achievable.

But developers love rolling out the tried and true, “We developed for Windows first because it is 90% of the market.” That’s the old fallacy that each platform must be developed independently. And then the developers never seem to get around to the Mac and Linux versions. I see many open source applications that are happily co-developed for Windows, OS X and Linux. (It’s also pointed out in this article, that usage of Macs is anywhere between 30% and 50% in scientific and academic circles, so the 90% argument looks a bit lame.)

The IT manager needs to dictate to the developer, not the other way around.

Can an IT manager say, “I’ve had enough. I’m switching OSes?” Some may be able to. Others whose corporate culture is pickled in Windows shouldn’t wash their hands of alternatives and go back to their complacency.

One thing that was getting off the ground in my previous industry (local governement), was a panel made up of representatives from the councils’ IT managers. One of the roles of the panel, and the one for which I advocated the strongest, was to push application developers to cater more to our needs. If I was still there, platform independence would have been number one on my list.

Other things an IT manager can do is include platform independence as an objective in his or her IT Strategy. Then when he or she calls tenders or replaces software, he or she can start doing things like saying “Preference will be given to platform independent solutions.” Just as 10 years ago IT services folks said “Windows and Office compatibility preferred.”

Are other OSes any more secure?
Are the Mac or Linux largely immune from the troubles that Windows faces? An article, Does Mac Have Potential For Hacker Attacks? on CRN.com is uncertain. But notice the key word? Potential. It hasn’t happened. And as they go on to say of Macs: “Unless a hacker physically has access to the computer, it’s almost impossible to unknowingly infect it with a virus”. The same applies to Linux. These are systems where security is inherent, not tacked on. Of course, some folks like to make the off-handed comment that their apparent security is because of low marketshare, but that’s as flippant as suggesting you can’t determine if BMWs are a safer car, because they have small marketshare.

What if the world changes and OS X and Linux become the dominate OSes? Will all the virus-writing miscreants of the world turn their evil fingers upon them? Of course. But with even the simplest understanding of *nix, it’s clear that it will be hugely more difficult for them to succeed.

Are Macs the answer?
Yes, I like Macs but from an IT manager’s point of view, I’d have been equally happy to replace my fleet with Linux boxes, if they met requirements. And I’d have been equally happy to continue using Windows boxes if they met requirements. But budget restrictions meant that switching was not viable. At that time, I couldn’t switch wholesale to Mac or Linux on the desktop, but I could have put pressure on vendors to develop cross-platform applications.

For those sites using more common or generic applications, as my article last week, The Best Software Selection Is on the Mac, showed, there are plenty of mainstream applications available on Macs, plus some excellent open-source solutions, that can make the switching process quite easy.

So Mr. or Ms. Potentially Unemployed IT Manager, keep using Windows, but I might suggest you put a bit more pressure on developers to think outside the Windows square, as the potential for your unemployment is much higher than the potential for a significant security breach on OS X or Linux.

Footnote: Since writing this article a possible security breach has been revealed in OS X. This though is heavily dependent on user intervention. It depends on the user clicking on a JPG file and then typing in the administrator password when the JPG says it wants access to the system… Two major warning signals there that something’s not right. It doesn’t matter what OS you use, the weakest link in your security will always be human.  As IT managers there’s only so much you can do to control the users, short of looking over their shoulder all day.  It’s the systems you have control over, and the systems where you can make choices that greatly enhance your security.