Many of you are heads-down in your budget process now and
some of you are perhaps at a juncture where you are choosing a new product to
upgrade or replace an existing hardware or software system.
When choosing to upgrade or replace, there are many things
to consider: price, functionality, how it fits in your current environment,
warranty, service, etc. But over the years a new dynamic has been added to the
mix: vulnerability due to popularity. By this, I mean the hardware's or
software's propensity for being a target of "security attacks"
because of its prominence.
Obviously the king in this arena is Microsoft. Whether you
believe Microsoft is doing enough regarding security is up for debate, but
there is no arguing that a large number of people love to hate Microsoft. Because
of this, Microsoft products are the targets of innumerable attacks and exploits,
with the result that a new Microsoft vulnerability seems to be in the headlines on
a daily basis.
To be fair, Microsoft is not alone; Oracle and Cisco have
had their share of headaches as well as targets of malicious software. Not
surprisingly, one might assume that the "leading" software
packages in each software category garner a greater share of
attention from hackers and other malcontents. So the question becomes: at what
point, if ever, does a product's propensity for attracting attacks figure into
Does the constant need to stay current on security for
a particular product reach a level where it is not worth the trouble, and a
decision is made to go with the closest competitor who can give the same or
nearly the same functionality?
Let's take Microsoft's Exchange Server as an example. One
could argue that Exchange requires a greater amount of support than competitors
such as Scalix 10 and Zimbra Collaboration Suite because it resides on a
Microsoft operating system and is immensely more popular, and thus is a magnet for
Assuming you are a Microsoft shop and have no Linux
expertise in house, do you ever reach a point where you will make the
investment in new knowledge such as Linux in order to implement one of the two
aforementioned products that give the same or similar functionality as
Exchange? Or does sheer inertia keep us doing the same thing from year to year?
What about file and print services? Novell certainly knows
what it is doing in this arena (technically speaking; they are still horrible
at marketing, in my opinion). When the decision to switch to a new Microsoft
server operating system is being presented to you, will Novell ever be
It is my belief that the security risks and costs associated
with using a particular product have to be greater than the personal risk the
decision maker is taking when deciding to switch products before he or she will
ever do so. Inertia is that powerful.
It is also my belief that the type of risk associated with a
“popular” product should be part of the decision-making process.
So how does one ever place oneself or one's organization
in a position to truly assess the merits of a "legacy" product vs. a
competitor's when a product is already in place?
Don't make the decision on your own or in a vacuum. That's
what governance committees are for, and that is where good executive management
comes into play. Both are required in order to make the best decision for the
Lastly, there will be some who will argue that you
cannot create a totally secure piece of software or hardware, and that exploits
are going to happen, so don't even consider this in your decision-making. I
can understand this point of view, and to some extent it may be true. But I have
to believe that there are IT professionals sitting out there in the wings,
using “non-mainstream” software and hardware, providing equivalent
services for their users, and they are grinning and stress-free as they read