14 November 2022
It’s really exciting to make a major purchase. A house, a car, etc. You enjoy your purchase, but over time, you have many maintenance items to plan for such as a new roof, paint, new tires, oil changes and many other activities to maintain them. And at some point, you may get to a point where your house or car requires too much investment to bring it up to current safety and comfort levels. That may be the time to trade it for another one in better condition.
So why is your IT equipment and software any different than owning a home or a car? Why do we purchase or develop an IT solution and not expect to maintain it? Why do we feel comfortable accepting that?
Economics is at least part of the reason. Human nature comes to mind as well. Who has ever heard, “if it isn’t broken, don’t fix it”? That only works for toasters and telephones (with cords) though. That doesn’t make sense for IT Systems, cars, and houses.
Throughout my career I’ve run many times into situations where the solution has been in place for years. The piece of software or hardware is so ingrained in the environment and the woven into the culture of the company, that nobody wants to touch it for fear of interrupting a working solution. Nobody wants to allocate money to maintain it and besides, “It just works.”
Until it doesn’t. Or until it is a risky entry point to your company’s network as is often the case with outdated hardware and software. By the way, outdated is also another way of saying unpatched. That’s because you can’t get patches for it any longer, so it follows that you’re absolutely not patching outdated, end of life/end of support software and hardware by definition.
In every cybersecurity issue brief I’ve seen for years, the recommendations at a minimum always include “patch, upgrade, remove end of life devices, reduce the surface area by removing unused services (daemons) and ports.”
What’s missing in many processes, is that people work extraordinarily hard to plan to deploy a solution to solve a problem but do not plan appropriately for maintenance, upgrades, or exit strategies. It’s time to change the game and include maintenance, upgrades, and exit strategies into the upfront planning and expectations.
You’ll be glad you did.