Memo to CIOs: remember to count cost of security patches and repairing malware damage when computing TCO of Windows-based systems
One plank in the Microsoft hymn-sheet against Open Source software is that the ‘Total Cost of Ownership’ (TCO) is more important than the initial purchase price. The argument is that companies should not be distracted by the low initial cost of free software, but should add in the costs of conversion, support, etc. So indeed they should. But one thing that is consistently ignored in computing the TCO of a Microsoft system is the cost of coping with the security vulnerabilities of the software. All of which makes an item from Good Morning Silicon Valley about Gartner Research’s views on Microsoft (in)security very interesting indeed:
“It’s never been cheap to run a Windows shop. Host intrusion detection. Scalable antivirus protection. Patch management. All these things are costly, especially given the amount of malware that finds its way into the wild these days. So it’s entirely likely that administrators around the world will respond to Gartner’s announcement that vulnerabilities in Windows raise the total cost of using the OS with a collective ‘no —-, Sherlock.’ But corporate types, who after all make up much of Gartner’s core audience, may sit up and take notice. And if we’re lucky, they might realize that turning on Windows’ automatic update feature doesn’t make you immune to worms like Sasser and that one can rarely budget too much for additional security technology….”
The relevant quote from the Gartner source reads:
“Dealing with widespread worms like Sasser raises the cost of using Windows, a research analyst said Wednesday.
Mark Nicolett, research director at Gartner, recommended that enterprises boost spending on patch management and intrusion prevention software to keep ahead of worms, which are appearing ever sooner after vulnerabilities in Windows are disclosed.
‘This is part of the carrying cost of using Windows,’ said Nicolett. ‘The cost of a Windows environment has gone up because enterprises have to install security patches very rapidly, deal with outages caused by secondary problems with these patches, and deploy additional layers of security technology.’
Although he placed some caveats on his numbers, Nicolett said that informal surveys with Gartner clients indicate that simply moving from a no rapid patch deployment capability to an ongoing process that can respond quickly to vulnerabilities raises the cost of using business by about 15 percent.
Nicolett’s advice stemmed from the recent outbreak of the Sasser worm, which began striking Windows systems last Friday and has infected a large number of machines world-wide, with estimates ranging from 100,000 to well into the millions.”