I’ve seen countless articles explaining how the end of Microsoft’s support of Windows XP will make companies non-compliant with numerous regulations and laws, especially HIPAA and various regulations in financial industries.
Apparently, not everyone got the memo that technology alone never makes an organization compliant or non-compliant. Compliance standards almost never state what software or computer hardware is required. Upgrading to a new version of Windows may make the boss feel compliant, but technology alone is never the full problem or solution.
Of course, technology used as the basis for any system needs to meet minimum levels of security capabilities. An operating system that will not be updated as new threats develop is certainly a cause for deep concern. At the same time, running the latest greatest computer software, if not set up and maintained correctly, still won’t provide proper security. More importantly, such software will not solve a problem created when organizations ignore process and procedural issues.
The end of support for Windows XP did not suddenly make XP unsecure. Windows XP has simply reached the point where it is more difficult to keep it secure in a world of ever changing threats. And Microsoft simply made a business decision to no longer work to address future threats in an old program.
There are even instances where Windows XP will remain an acceptable solution in compliant and secure systems. Although increasingly rare, stand-alone computers and isolated networks likely won’t have compliance issues by continuing to run XP, provided processes and procedures are compliant.
The end of XP support does mean that the cost of using XP to remain compliant and secure increased immediately. Other technical and procedural efforts will be required to offset what is expected to be an ever-increasing risk. As a result, it is easier to claim XP is no longer secure and compliant and should be replaced than it is to deal with all the extra effort (and confusing explanations) of the alternatives.
Now for the gift of XP
In 1998, my company worked with a client to replace an ancient customer software program that no longer even met the department’s business needs. The budget for this replacement project was rejected by the large organization’s capital budget committee as too expensive. The business need of the software was apparently not a major factor in the decision.
In 1999, the client modified the budget proposal with only one minor change: The new software would also resolve the Y2K problems present in the old software. This time the project was instantly approved by the budget committee.
Y2K was the key to solving a much bigger business issue for my client. The new software enabled the organization to move ahead in their market, improve their efficiency, better utilize staff, and more easily quote and bill work. The project has paid for itself, but it needed Y2K to get past the short-sighted bean counters.
Flash forward to 2014 and I see a similar situation. Clients with scores of slow, outdated computers have been rushing to not only replace XP, but to replace the computers running XP. The business need for upgrading these computers has been visible for some time, in some cases, years.
Like Y2K, the end of Windows XP support will prove to be a huge benefit for businesses that are finally moved to replace outdated computers. The new computers from these projects will work faster, be easier to maintain, be easier to secure, and provide a bottom-line benefit.
As much as management, including technical management, like to complain about the headaches of problems like Y2K and XP support, without these problems many organizations would fail to properly reinvest in the necessary infrastructure required for compliance, security, and even business success.