Computerworld

INSIGHT: Still not worried about Windows Server 2003? Think again…

Anthony Stevens, CIO of KPMG Australia debates why CIOs are delaying the migration from Windows Server 2003.

With less than 100 days until Microsoft ends support for Windows Server 2003, Anthony Stevens, CIO of KPMG Australia gives his personal view on why organisations are failing to migrate from Windows Server 2003, despite the high awareness on the imminent deadline.

There is an estimated 23.8 million instances of Windows Server 2003 running across 11.9 million physical servers worldwide.

The numbers are absolutely astounding, especially when one considers the fact that businesses and CIOs are well aware of the imminent end of support for Windows Server 2003. Due on 15 July 2014; less than 200 days away.

Despite the high awareness of the issue; with trusted national bodies such as the U.S. Department of Homeland Security issuing alerts and reminders on the nearing end of support, organisations are simply not moving off the platform quickly enough.

You would be hard-pressed to find an IT professional who isn’t aware of the risks of failing to migrate before the end of support deadline. Telling a CIO that it is dangerous to run unsupported software is akin to telling someone it is dangerous to cross a busy street with their eyes shut.

But let me reiterate them just in case. Windows Server 2003 is a server system which is already on extended support.

It has been powering the IT infrastructure of companies, providing computing resources for mission critical applications, email and even general business applications.

Let us also not forget that it is a system that was first released when camera phones were considered “new and innovative.”

To put it in context, CIOs would not expect an 11-year-old feature phone to perform all the tasks the latest smartphone can do today. So much has changed from a business applications perspective which the 11-year-old platform was not designed to support.

On top of that, the risks involved with running a server software application that is no longer supported include: increased exposure to software failure – Microsoft will stop supporting new software add-ons making updating applications a potentially dangerous gamble; heightened security risks – new security flaws will no longer be patched; and finally one runs the chance of falling out of the compliance good books.

For example, according to the credit card industry’s PCI Security Council standards, if an unsupported operating system is Internet-facing, it will be logged as an automatic compliance failure.

Additionally, should being compliant with standards such as the PCI Data Security standard and the health industry’s HIPAA not be an issue within the organisation, it may still result in the company being cut off from partners seeking to preserve their own compliant status.

Page Break

Denial delays modernisation

Surely the risks associated with software that’s not supported far outweigh the need for cost savings. It begs the question, why are there so many instances of Windows Server 2003 still being run in Asia Pacific?

According to Spiceworks, a global professional network of more than 5 million IT Professionals, 64.5% of organisations who use its tools in Asia Pacific are still running at least one instance of Windows Server 2003 as of June 2014.

Why not see it as an opportunity to make changes to align to a mobile-first, cloud-first world? I have never met a CIO who was refused funding to modernise infrastructure.

A few factors that I’ve observed from my interactions with my peers. CIOs in the region are not assigning a high enough “risk” level to the Windows Server 2003 end of support issue when they are determining overall risk assessment. IT risk is generally assessed through the equation: “risk= threat x vulnerability x asset.”

Organisations should note that with regard to “assets,” Windows Server 2003 is a server operating system which directly affects a large portion of the IT ecosystem within a business. The impact would be on a greater scale than that of Windows XP’s end of support, which was just a desktop operating system.

Similarly, the stoppage of security updates that comes with end of support will sharply increase “vulnerability.” So when the overall IT risk of Windows Server 2003 end of support is assessed within a company, it is logical to conclude that the risk level associated with failure to migrate is unacceptable.

Another point to note is that IT risk acceptance also analyses the cost of counter measures. Some may not be aware that a Custom Support Agreement for extended support of Windows Server 2003 is at best a stop-gap measure.

Analysts have indicated that the cost of tailored support for the system will vary by customer, but will likely be three times that of Windows XP. Extended support is simply too expensive to be considered a cost-effective counter measure in the long run.

Whilst the above two points are possible reasons for the general malaise when it comes to technology refreshes, the most likely reason is that people are underestimating just how long server migrations take.

The entire migration process can take anywhere between 200 and 300 days to complete. A cause for concern given the end of support deadline is less than 200 days away.

Beyond mitigating risks incurred from failure to migrate, I encourage my fellow CIOs to also consider this event as a golden opportunity to get strategic, modernise their IT and help drive innovation within their companies.

As one chapter ends, another begins. This is your chance to redefine the role of IT to lead business transformation through the use of the cloud, mobility, big data and social. Are you going to let outdated technology like Windows Server 2003 hold you back?

Anthony Steven’s KPMG Australia’s Chief Information Officer, has more than 15 years of experience as a CIO, Executive General Manager and Entrepreneur in the services and technology sector.