One of the funniest events I’ve ever been to was a talk given by a Microsoft executive at the company’s Mountain View facility, years ago. About halfway through the talk, his PC, which was showing the PowerPoint presentation, flashed a notice that in one minute it was going to initiate a patch process. There was nothing anyone could do, apparently, to stop this. Right on schedule, sixty seconds later, the huge screen went black and the speaker had to wing most of the rest of his talk while the audience laughed at his expense.
I’m sure Microsoft’s IT department got an ear full when he got back to Redmond. But the reasoning behind such a practice is generally to make sure that a critical patch that addresses some vulnerability is in place quickly. Back then, we had hours, if not days, to respond to an attack. Currently, we have something less than 15 minutes, which means we generally need the strongest defense we can muster in place before the attack takes place, and old operating systems are particularly vulnerable. It is highly likely that a successful national-level attack will be most successful on a down-level version of iOS, Android or especially Windows, because of the combination of high numbers and relatively high vulnerability.
Vendors clearly have a financial reason to get everyone on current versions of operating systems, because it reduces support costs. And there is a very real reason for the users to upgrade aggressively because of the security risk. Eventually, I expect this will be required by law.
Microsoft just moved Windows into this decade by putting in place a more aggressive upgrade process this week for Windows 10. Rather than complaining, like many are, I think it is well past time for this move. I think the griping is likely because Microsoft focused on the “what “and kind of left out the critical parts of the “why.” Let’s talk about why this is actually a good thing.
It’s Not IT’s Fault: More Institutional Insanity
One of the big mistakes that Microsoft made with Windows in the 1990s was to pivot away from users, who drove Microsoft’s success through Windows 95, and toward enterprise IT, which drove much of the firm’s strategy after Windows 95’s launch. What is still fascinating to me is that Microsoft beat IBM’s OS/2 by focusing more on users and then, after winning, not only adopted IBM’s strategy but basically rebuilt OS/2. Can you imagine any race where the winner decides after winning that the loser’s strategy is the one they must adopt? It even put guys out of Digital, a company that failed against IBM, in charge of much of the process. And here is the real kicker: We praised Microsoft for it. It was like we all collectively got stupid.
It should have been no surprise, then, that both Apple and Google, by focusing on the user, were able to carve into Microsoft’s dominance and pretty much take over the market. Though I think it is kind of amazing that Google came up with the enterprise-focused Chrome OS, and Apple’s big new product is an iPad designed for IT.
OS Upgrades: Like Helmets and Seatbelts
Now, if you put aside safety, it is easy to argue that a user-focused company should let users run whatever version of the OS they want to run. But we have to consider security now. Much like we force drivers of cars to wear seatbelts and drivers of motorcycles to wear helmets, we have to force operating system upgrades because current code is now a critical part of being able to both better protect against malware attacks and more rapidly deploy patches to better respond to them. Much like IT wanted the same OS on all products in order to make systems easier to manage, a vendor needs everyone at the same code level if it is going to push out a response to a zero-day exploit quickly. The more fragmented the code, the harder it will be to assure that a patch can be pushed out in a timely manner.
I am kind of surprised that Microsoft isn’t making this argument more forcefully, but I can imagine a time, likely after a cyber attack, when it may be illegal to run a down-level OS, much like it is illegal to drive without a seatbelt or helmet, or to drive while using a personal technology device.
Wrapping Up: A Future of Forced Upgrades
The world has changed a lot since we first saw PCs. Now we are surrounded by smart devices that automatically get updates whether we want them or not, largely because of a combination of bug fixes and constantly changing security exposures. Recently, the GSA began to put in place policies that force all U.S. government suppliers to aggressively assure all parts of their business from the citizenship and background of workers to the source and content of their software. This will quickly trickle down to every company that is in the supply chain of these firms. But it is very likely that in the next decade, we will face a security problem of national if not global proportions and that will force laws, and vendor liability, that will make keeping platforms current not only more acceptable but potentially illegal to avoid.
So two takeaways this week. First, aggressive operating system upgrades will likely eventually be driven by law, and second, adapting a strategy from the firm you just beat is not a policy that results in success.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+