Wannacry about cost transparency in IT?
This article is part of a series of articles I'm putting together around the Iasa Ireland IT Architects Conference this year, the theme of which is "SHOW ME THE MONEY! - Cost Transparency in Complex Systems".
Seriously though. Ben Thompson - my absolute favorite writer on digitally enhanced business models - really nailed the whole Wannacry situation in his latest article - Wannacry about Business Models. I strongly recommend reading the whole article if you want to get a better understanding of the wider story around the Wannacry worm.
What I want to focus on specifically here is how Ben zooms in on the real root cause of the whole thing right here (with my highlights):
The fatal flaw of software, beyond the various technical and strategic considerations I outlined above, is that for the first several decades of the industry software was sold for an up-front price, whether that be for a package or a license.
This resulted in problematic incentives and poor decision-making by all sides:
Microsoft is forced to support multiple distinct code bases, which is expensive and difficult and not tied to any monetary incentives (thus, for example, the end of support for Windows XP).
3rd-party vendors are inclined to view a particular version of an operating system as a fixed object: after all, Windows 7 is distinct from Windows XP, which means it is possible to specify that only XP is supported. This is compounded by the fact that 3rd-party vendors have no ongoing monetary incentive to update their software; after all, they have already been paid.
The most problematic impact is on buyers: computers and their associated software are viewed as capital costs, which are paid for once and then depreciated over time as the value of the purchase is realized. In this view ongoing support and security are an additional cost divorced from ongoing value; the only reason to pay is to avoid a future attack, which is impossible to predict both in terms of timing and potential economic harm.
The truth is that software — and thus security — is never finished; it makes no sense, then, that payment is a one-time event.
Or in other words - software-based systems need to be properly funded out of operating expenditure (OPEX), rather than capital expenditure (CAPEX). As Ben also says, the software world has already realised this, as reflected in the unstoppable move to the cloud and Software as a Service (SaaS).
Our challenge in enterprise IT, however, is that we still have whole enterprise-wide processes that are designed around paying for software using CAPEX. I know as well as anyone the technical challenges of maintaining patch levels on systems running the Windows operating system, but these are challenges that we have had ways of addressing for years now - SCCM or BigFix, anyone? It was always just a pain to get the right funding for them.
Even when my clients owned the software - and to give Microsoft their due they practically gave it away - getting the budget - particularly the OPEX budget - to build and run these systems on a continuous basis was always a battle. And this is where it ends up. Millions of corporate computers at risk because the way that we looked at software investments was all wrong - both in IT and in Finance.
So let's take this lesson from Wannacry - software-based systems should always be modelled, financially speaking, using a charge-back model or, as Ben describes it, a subscription-based model.
We can still have both CAPEX (aka the depreciation charge) and OPEX, but in IT the investment models have to be linked to the service levels we commit to. If nobody wants to pay for updating the system on a continuous basis, then the availability service level should go down, and keep going down incrementally, until the next update is applied. I know it is expensive to do updates, as a lot of work has to be done in the legacy world to make sure that changes don't break anything, and in certain cases downtime will also be required - but can we afford to expose critical systems to the Wannacrys of the world? I never thought I'd see this headline on my national news station's home page in relation to our national health service, the HSE:
HSE server reboot may cause some patient disruption
Seriously! Surely we in IT can do a better job? Of course we can.
But IT needs to be correctly funded. And that's why I wanted to run a conference that focuses on this whole issue - how we fund IT properly in our enterprises. Be sure to come to the conference on June 15th in Croke Park to find out!
The good thing is that in the future this particular headache will go away. The combination of SaaS (which uses the right financial model) and new OS designs such as iOS and Android (and whatever replaces Windows in the long run), which are designed from the ground up to make the whole maintenance process much easier (sandboxes, containers etc.), will mean that we should be able to deliver the highest availability levels at substantially lower cost. I'm sure we'll have other headaches, but this one will go away ... eventually. Until then, let's make sure we explain the real costs to the business and make sure we avoid the real-world disruption we have seen over the last few days.