Secure Operation of IT Systems requires Skills, no Short-cuts

DeepSec Conference
Mar 19, 2021

The recent vulnerability in the Microsoft® Exchange server application has sparked many discussions. One of the topics is connected to the skills of IT departments responsible for patching systems in time. How can n weeks or months pass until upgrades are rolled out and in place? Well, the answer is easy. Some upgrades do not work flawlessly. In anticipation of problems during the change, IT departments need a copy of the live system and time to test the updates. This takes time, even if you have the budget to run additional copies of your systems. Furthermore, sometimes upgrades go wrong. In theory, these changes should just eliminate security problems and let the application work as before. IT departments bitten by the “this should not have happened, but it did anyway” situation will hesitate to deploy upgrades. Putting more pressure on the IT people won’t speed up the process. Instead, vendors should make sure that security-critical updates do not break anything. It’s simple psychology.

Another discussion is the eternal “you should have moved to the Cloud” proposal. The “Cloud” is not a magical paradise where everything is taken care of. Yes, it is usually better connected, has more bandwidth, scales well, and you pay as you go. However, service level agreements cost extra, and basically it’s just shifting the blame to some faceless IT crowd somewhere who may or may not do the job of patching things better. “Cloud” can disappear, too. Bugs do exist there. The infrastructure can be disconnected…
