Upgrade or Uproot · Steven Murawski

/me braces for the onslaught of excuses

TL;DR

If your business has

to care about operating system end-of-life announcements, IT has failed. (unless you are an OS vendor or tools company)
audit/compliance exposure due to old operating systems, IT has failed.

If, as a business (again, unless you are in the business around operating systems or tools), what operating system you run is a point of contention, IT has abdicated its responsiblity.

And until someone with authority in that IT system stands up and forces some change, we’ll keep seeing things like

Most attacks exploit known vulnerabilities that have never been patched despite patches being available for months, or even years. In fact, the top 10 known vulnerabilities accounted for 85 percent of successful exploits. - Verizon Data Breach Investigation Report 2016

The Passivity of Enterprise IT

Enterprise IT, in general, has evolved to be order takers and janitors of the software world.

A conversation between Mark Schwartz and a former employer in The Art of Business Value by Mark Schwartz, IT Revolution Press 2016.

“You are missing the point,” Takeshi said. “I have trusted you with an investment in an IT system. Your job is to make sure that I get a good return from my IT investments. I am not getting a good return.” I argued, of course, that he wasn’t being fair, that I had no authority over the business unit’s management, and I couldn’t compel them to change the requirements to something that would be more effective. But ultimately I had to admit that he had a point. Was I just responsible for executing projects, or was I responsible for delivering business value from IT investments?

Business Value?

Is there business value in running your IT infrastructure on modern, supported, patched servers? I think so. And if IT doesn’t make that happen, no one will - until there is a breach.

The most important part of the above exchange was this realization -

Was I just responsible for executing projects, or was I responsible for delivering business value from IT investments?

IT is not just responsible for executing projects. IT is responsible for making sure the project will return business value (and on that topic I greatly suggest you go read Mark’s book). And for purposes of this conversation, IT is responsible for making sure projects are done in a supportable manner.

Supportable Manner?

IT projects should:

(not a comprehensive or exclusive list)

have a patching schedule
a plan for migrating to currently supported operating systems
emergency patching plans (for zero-days)

But This Is Just Temporary!

I have some more thoughts on that matter in an earlier post.

Time to decide

Are you an order taker or are you going to be professional and provide business value?