No More XP: CSOs Need to Engage Now

Dec 14, 2013 | 5 mins
IT Jobs, IT Leadership

Migrating off of Windows XP has become a hot issue. Is your enterprise ready?

Migrating off of Windows XP has become an issue that has jumped to the top of the CIO priority lists all over the world. Is your enterprise ready? Are you engaged with the plan?

As I predicted in a blog for Government Technology Magazine a few weeks back, XP migration will become the top headache for government technology leaders in 2014, when many enterprises are not off of XP in time. Many in the private sector won’t be much better off when XP support ends in April 2014.

Perhaps you are wondering: How did we get into this mess – again? It seems like just yesterday that we were dealing with Windows 2000 migration, and we pronounced all kinds of “lessons learned” from that experience. Back in March 2010, when I was the Michigan CTO, we were scrambling around to get ready for a summer end to Microsoft XP’s predecessor.

Here’s what I said three and a half years ago:

Yes, this is a big deal for many state and local governments. As anyone who suffered through the migration off of Windows NT will tell you, upgrading operating systems can become quite challenging for a long list of reasons. Applications need to be tested in the new environment, and there never seems to be enough time to get systems migrated. These projects required time, resources and priority.

So what if you stay put? The cost is very expensive to buy continued support on Windows 2000 after July 13, according to my sources. However, if you do nothing with your Windows 2000 servers, you will open up your enterprise to numerous malware threats and other problems.

After taking way too long and learning plenty in the process, it seems that most of the world hadn’t really learned any lessons at all. (This fact alone should cause enterprises to reflect on what other lessons we have not really learned from past upgrades and cyber battles.) The reality is that the Windows NT migration created the same issues before Windows 2000 reached end of life.

More background

Microsoft Windows XP extended support is ending on April 8, 2014. There are plenty of good guides to assist in migration to other operating systems. One big challenge is that Microsoft has dramatically raised the price to keep getting support for XP after April 8.

Computerworld is predicting that malware infection rates will skyrocket after the end-of-life date. Here’s an excerpt from that article:

Microsoft has been extremely blunt about the danger customers will face next year after Windows XP support vanishes, belittling the creaky OS’s security prowess, even attacking it at times. That’s unusual. Microsoft’s usual tactic is to simply ignore an older operating system, as it does Windows Vista, the flop that now accounts for just 4% of all Windows PCs.

Other bloggers are boldly proclaiming that Windows XP will become a “treasure for hackers” in April.

What’s to be done?

My advice to CSOs, CISOs and other security leaders is to become engaged now. Don’t head into migration meetings with the traditional “I told you so” motto. On the contrary, become a part of the enterprise solution.

Start with lunch with the CTO or the infrastructure leader in charge of the game plan and ask: “How can I help?”

Next, get an accurate assessment of how many PCs and servers will not make it over the line by the deadline. Examine support options, including third-party support that may be cheaper than Microsoft’s option.

Finally, if your organization is not buying XP support after April 2014, but you are still running XP machines, consider turning them off. This is certainly one time where you will not be able to say “I didn’t know” if bad things happen.
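The assessment step above, as an added example that is not part of the original post: it triages a constructed asset inventory against the April 8, 2014 end-of-support date, counting XP hosts by migration status and listing those that will still be on XP without paid support (the candidates for being turned off). The CSV field names and sample hosts are assumptions made up for this example.

```python
# Added example (not from the original post): triage a constructed asset
# inventory against the Windows XP extended-support end date, 8 April 2014.
import csv
import io
from datetime import date

XP_EOL = date(2014, 4, 8)

# Constructed sample inventory; field names are assumptions for this example.
INVENTORY_CSV = """hostname,os,role,migration_date,paid_support
pc-0101,Windows XP,workstation,2014-02-15,no
pc-0102,Windows XP,workstation,2014-06-30,no
pc-0103,Windows XP,workstation,,no
srv-lab1,Windows XP,server,,yes
pc-0200,Windows 7,workstation,,no
"""


def classify(row):
    """Return one of: migrated, on_track, late, unplanned."""
    if not row["os"].lower().startswith("windows xp"):
        return "migrated"          # already off XP
    when = row["migration_date"]
    if not when:
        return "unplanned"         # XP host with no migration date at all
    planned = date.fromisoformat(when)
    return "on_track" if planned <= XP_EOL else "late"


def assess(csv_text):
    """Count XP hosts per status and list those to isolate or turn off:
    still on XP after the deadline and not covered by paid support."""
    counts = {"migrated": 0, "on_track": 0, "late": 0, "unplanned": 0}
    shut_off = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row)
        counts[status] += 1
        unsupported = row["paid_support"].strip().lower() != "yes"
        if status in ("late", "unplanned") and unsupported:
            shut_off.append(row["hostname"])
    return counts, shut_off


if __name__ == "__main__":
    counts, shut_off = assess(INVENTORY_CSV)
    print("XP migration status counts:", counts)
    print("Unsupported after EOL, consider turning off:", shut_off)
```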


I’d like to end this piece the same way I ended a blog for another magazine regarding this “XP no more” topic.

There are many good migration guides to help technology teams migrate off of Windows XP, such as the one from Microsoft.

The issue is not that this technical challenge is too hard. The main issue is that most organizations have not made this a priority soon enough. Too much work is left before the deadline.

The other issue is that the costs to buy support for XP after April 8 may be too great for some. That means that security issues will almost certainly arise and new headaches will be born if you do nothing.

Only time will tell whether a surge in breaches will occur after April on XP computers. No doubt, there will be plenty of headlines in 2014 on this topic. Sadly, this short-term issue will be hot throughout 2014 and take away from other more value-added work for businesses.

My advice is to try to upgrade to other operating systems in such a way as to add business value and security protections at the same time. I realize that this is easier said than done for many readers. I don’t advise staying on XP without proper support.

Image: Flickr/Energetic Spirit


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.