A running theme I noticed as of late has been the “it’s not broken, because it’s working, so don’t touch it you’ll break it”. John Strand mentioned it, when talking about Windows XP hitting end of life, on Paul’s Security Weekly 367. Ben Ten and I talked a little about it today in regards to HeartBleed. Lastly I just got off a 4 year project that existed mainly because it wasn’t broke, so don’t fix it.
Here is the problem. IT / IT-Security sees something as “broken”, when it is at end of life / end of service. When we can’t get parts for it anymore, when patches aren’t being made, etc, we say we have to replace it. We say it’s “broken”, or at risk, etc. However that’s not how management sees it. They see it as a system that is still doing what it was purchased to do. It’s not broken, it’s just old but works fine.
IT / IT-Security doesn’t get to say when it’s broken, it’s the “business” that gets to say when it is broken. However it is usually our fault, as IT for not having a new system in place when it finally stops doing what it was purchased for. A good example is a publishing company I worked at. We had Reel to Reel microfilm duplicators, these were devices that the company making them went out of business. They ran NT4. The last I heard, they were still working like a champ, and the company still didn’t see a reason to invest in something new, because those were not broken, they were just old.
To a point it seems a little silly. Company’s get to write off new equipment via deprecation. Investing in what they need to have to do business makes good business sense. But we live in the cut to spending and the bottom line in the name of profit world, so we end up seeing the don’t fix it if it’s not broke attitude come out.
Like I said I just finished a 4 year migration project, I only worked on it the last 9 moths, but every single person I had to interact with, to migrate said the same thing. This solution works, migrating will cost us time and money, we’re not moving because doing so will stop the production lines of the product the company makes. The “business” backed those people, because without justification, they said things would stop. The stance the “business” took was, the old stuff is working today it is old, but not broken. Don’t fix it.
Preventive maintenance is like getting your teeth cleaned. You don’t do it because you like it, or can afford it. You do it because the cost of prevention is cheaper and less painless than the alternative. You don’t fix things when they’re broken, you fix them before they break so they don’t break. We need to learn to tell the business that in better terms than we have now in both IT and Cybersecurity.