The real security lesson Windows XP taught us is to challenge our assumptions

Windows XP launched in October 2001, and today (really) marks the end of support for the operating system. As the 12+ year run of Windows XP comes to an end, it holds some curious lessons.

As the lead discussion on the Down the Rabbithole Newscast this week, we covered the demise of Windows XP from a few different angles.

In the process, I realized the real lesson is hidden in the form of a question we need to ask more often.

Taking a moment to explore how we got here helps put the question in context.

Windows XP is done. What's the big deal?

Windows XP was, and remains, popular with individuals and organizations. Estimates put the share of systems currently accessing the Internet that still run Windows XP at 18-30%.

That means that despite the notice, extension, and dire warnings of negative consequences, a large number of individuals and organizations simply opted to stick with what they had.

It's a curious finding.

An accepted "good" practice is to diligently review, test, and apply patches and updates to operating systems and applications. The number of people clinging to Windows XP suggests perhaps that this good practice needs a boost.

Or does it?

Contrast that experience with the reports surfacing this week that iOS 7 adoption is at 87%. Without question, this is not a direct comparison - especially given the differences between computers and servers on the one hand and mobile devices on the other. And while there are other differences, the outcome is what needs to be studied.

Exploring why the adoption of iOS 7 is taking off even as people cling to Windows XP is important. Understanding the differences in approach holds clues for future efforts at upgrades.

Steps to take if you (or someone you know) is using Windows XP

Trey Ford wrote up a nice piece pointing out the role of service and taking the approach of an ambassador. It seems this may be a theme to revisit; a challenge we can tackle together, as an industry.

If you, or someone you know, are using Windows XP, then it means making the effort to protect or replace the system(s) running it. That requires a structured conversation about business process, risks, and the steps necessary to upgrade.

Why has Windows XP stuck around?

Initial support ended in April of 2009, moving to a scenario of extended support that offered paid solutions and security updates. After warnings and even an extension, today is the day that all support options and updates end.

While many see today as the day people are finally forced to take action, the reality is some situations preclude that course of action. For example:

Purpose-built devices: some of these devices lack alternatives, are inaccessible or are governed by strict standards that prevent a change

Custom applications: organizations that invested heavily in customized solutions may have (had) a legitimate cost analysis that kept them staying the course. It will be curious to see how the actual end of support changes those numbers.

Concerns or struggles over the costs: whether accepted or not, a lot of folks are unable or unwilling to spend money on new hardware, operating systems, and applications. It's a costly change. Chances are the impacts are less understood, too.

Exploring each of these (and other) reasons more deeply reveals the real lesson about the assumptions made.

The hidden, single biggest lesson for security

Hidden in plain sight is the single biggest lesson for security:

We need to challenge our assumptions at the beginning of the process.

How long is it reasonable to expect hardware and software - especially the underlying OS - to be stable and supported? Y2K and the long goodbye to Windows XP are evidence that the timeline for these expectations is short, and getting shorter.

When coming across reasons to keep Windows XP - even now - we have to ask why. Instead of shaking our heads in a knowing way, informed by over a decade of experience, treat it as an opportunity to engage in conversation.

It'll likely be uncomfortable in some cases to probe the assumptions upon which the solutions were built and decisions made. Take the opportunity to learn first, then find the right solution forward.

Want better security? Practice asking this one question

As we reflect on the lessons and experiences afforded by the long run of Windows XP, it reveals a simple question that allows us to improve security:

And what if our assumption(s) are wrong?

The key is to simply ask and guide the discussion across three dimensions:

Operating systems

Question and document the assumptions about how long each of these elements tends to last. Then ask how long it needs to last in order for the project/solution/decision to make sense.

Then follow up, again, by simply asking, "and what if our assumptions are wrong?"

Thinking about assumptions and outcomes earlier in the process is a simple and effective way to improve security today and in the future.

Stories by Michael Santarcangelo