If you work in the IT department of a medium-sized firm you’ve probably had an upgrade project that keeps getting kicked to the bottom of the list. It’s a frustrating place to be because you know your productivity will go up with the upgrade, and you know security will be better, but it’s a tough sell because there’s no immediate business value.
The problem of course is that upgrading software isn’t really an optional project.
This week’s WannaCry infection is a classic case of why you should upgrade your software. The NHS, one of the largest organisations in Europe, is still running Windows XP on many of its frontline computer systems. As most people know, Microsoft no longer supports Windows XP, so if there’s an identified vulnerability in that OS, it’s not going to get fixed*.
It’s not like this was an unforeseen event. Microsoft spent years letting people know that support for Windows XP was going to end. They finally hit the kill switch on April 8th 2014. That’s over 3 years ago. And still, the NHS use Windows XP on many frontline systems.
Why does an organisation the size of the NHS fail to spot an iceberg the size of Greenland floating into view?
Let’s take a look at the board of NHS England and see if we can find out. Take a look down that list of non-executive and executive directors. Who is responsible for IT?
Ian Dodge, National Director for Commissioning Strategy is responsible for the Five Year Forward View. I wonder if that 5 year forward view includes upgrading an unsupported operating system that’s 15 years old?
How about Matthew Swindells, National Director for Operations and Information? This sounds more like it. Let’s take a look at his IT pedigree. Well, he used to be a Senior VP for Population Health and Global Strategy, he’s a visiting professor, and he started work in a hospital. Sigh…
Jesus Christ. If I were the CEO of the NHS, Simon Stevens, I wouldn’t even know who to fire for this mess.
No doubt there are thousands of people in the NHS who know how absurd it is to continue using Windows XP. The problems begin when a large organisation starts to look at the upgrade process. Seeing as there’s a clear lack of IT knowledge at the top, I’d assume that any decision like this gets passed on to a bunch of management consultants who spend 6 months doing a risk analysis for a mere £20M and then present an upgrade plan with a ticket price just within affordability.
As no-one at the top detects the bad smell, they look at the upgrade bill, compare it to the cost of a few million operations, and decide that they would rather fund the operations, where the business value is. The problem is that the upgrade is not optional (and they’re getting ripped off).
If you work in IT at the NHS, no doubt you have your head in your hands at all this. You know XP can be upgraded trivially on a PC. You know that 99.9% of systems will work fine on Win7, and of the 0.1% that don’t, 50% can be fixed within a couple of months. If you end up with 1 in 2000 machines still running Windows XP to support some legacy software, so be it.
What’s the solution? Well, Simon Stevens needs to hire a CIO who isn’t a figurehead. Someone who’s worked their way up through IT organisations. Someone who understands cybersecurity and would take this kind of thing personally. The chances of that happening? Probably close to zero.
Oh well, if there’s one good thing that comes out of this WannaCry debacle, perhaps it’ll be that little bit easier to get your upgrade projects prioritised!
* – ironically**, Microsoft did release an XP patch for the vulnerability exploited by WannaCry, but no-one in the NHS installed it…
** – is this ironic?