Many of you are heads-down in your budget process now and
some of you are perhaps at a juncture where you are choosing a new product toupgrade or replace an existing hardware or software system.
When choosing to upgrade or replace, there are many things
to consider: price, functionality, how it fits in your current environment,
warranty, service, etc. But over the years a new dynamic has been added to the
mix vulnerability due to popularity. By this, I mean the hardware's or
software's propensity for being a target of "security attacks"because of its notoriety.
Obviously the king in this arena is Microsoft. Whether you
believe Microsoft is doing enough regarding security is up for debate, but
there is no arguing that a large number of people love to hate Microsoft. Because
of this, Microsoft products are the targets of innumerable attacks and exploits
the result being a new Microsoft vulnerability seemingly in the headlines ona daily basis.
To be fair, Microsoft is not alone and Oracle and Cisco have
had their share of headaches as well, being the targets of malicious software. Not
surprisingly, one might assume that most of the "leading" software
packages in all the different software categories garner a greater share ofattention from hackers and other malcontents. So the question becomes, at what
point, if ever, does a product's propensity for attracting attacks figure intoyour decision-making?
Does the constant need to keep updated regarding security on
a particular product reach a level where it is not worth the trouble and a
decision is made to go with the closest competitor who can give the same ornearly the same functionality?
Let's take as an example, Microsoft's Exchange Server. One
could argue that Exchange requires a greater amount of support than competitors
such as Scalix 10 and Zimbra Collaboration Suite because it resides on a
Microsoft operating system and is immensely more popular and thus is a magnet forattacks.
Assuming you are a Microsoft shop and have no Linux
expertise in house, do you ever reach a point where you will make the
investment in new knowledge such as Linux in order to implement one of the two
aforementioned products that give the same or similar functionality asExchange? Or does sheer inertia keep us doing the same thing from year to year?
What about file and print services? Novell certainly knows
what it is doing in this arena (technically speaking, they are still horrible
at marketing in my opinion). When the decision to switch to a new Microsoft
server operating system is being presented to you, will Novell ever beconsidered?
It is my belief that the security risks and costs associated
with using a particular product have to be greater than the personal risk the
decision maker is taking when deciding to switch products before he or she willever do so. Inertia is that powerful.
It is also my belief that the type of risk associated with a "popular" product should be part of the decision-making process.
So how does one ever place themselves or their organization
in a position to truly assess the merits of a "legacy" product vs. acompetitor's when they already have a product in place?
Don't make the decision on your own or in a vacuum. That's
what governance committees are for and that is where good executive management
comes into play. Both are required in order to make the best decision for theorganization.
Lastly, there will be some who will argue that you
cannot create a totally secure piece of software or hardware, and that exploits
are going to happen so don't even consider this in your decision-making. I
can understand this point of view and to some extent it may be true. But I have
to believe that there are IT professionals sitting out there in the wings,
using "non-mainstream" software and hardware, providing equivalent
services for their users, and they are grinning and stress-free as they read