


The real security lesson Windows XP taught us is to challenge our assumptions

Apr 10, 2014 | 5 mins
IT Leadership

As support for Windows XP comes to an official end, the real security lesson is hidden. Broader than what to do about it today is the consideration of what it means for the future.

Launched in October 2001, today (really) marks the end of support for the Windows XP operating system. As the 12+ year run of Windows XP comes to an end, it holds some curious lessons.

As the lead discussion on the Down the Rabbithole Newscast this week (listen here), we covered the demise of Windows XP from a few different angles.

In the process, I realized the real lesson is hidden in the form of a question we need to ask more often.

Taking a moment to explore how we got here helps put the question in context.

Windows XP is done. What’s the big deal?

Windows XP was, and remains, popular with individuals and organizations. Estimates range from 18-30% of systems _currently_ accessing the Internet still running Windows XP.

That means that despite the notice, extension, and dire warnings of negative consequences, a large number of individuals and organizations simply opted to stick with what they had.

It’s a curious finding.

An accepted “good” practice is to diligently review, test, and apply patches and updates to operating systems and applications. The number of people clinging to Windows XP suggests perhaps that this good practice needs a boost.

Or does it?

Contrast that experience with the reports surfacing this week that iOS 7 adoption is at 87%. Without question, this is not a direct comparison – especially given the difference between computers and servers versus mobile devices. And while there are other differences, it is the outcome that needs to be studied.

Exploring why the adoption of iOS 7 is taking off even as people cling to Windows XP is important. Understanding the differences in approach holds clues for future efforts at upgrades.

Steps to take if you (or someone you know) is using Windows XP

Trey Ford wrote up a nice piece pointing out the role of service and taking the approach of an ambassador (read it here). It seems this may be a theme to revisit; a challenge we can tackle together, as an industry.

If you, or someone you know, is using Windows XP, then it is time to make the effort to protect or replace the system(s) running it. That requires a structured conversation about business process, risks, and the steps necessary to upgrade.

Why has Windows XP stuck around?

Initial support ended in April of 2009, moving to a scenario of extended support that offered paid solutions and security updates. After warnings and even an extension, today is the day that all support options and updates end.

While many see today as the day people are finally forced to take action, the reality is some situations preclude that course of action. For example:

  • Purpose-built devices: some of these devices lack alternatives, are inaccessible or are governed by strict standards that prevent a change
  • Custom applications: organizations that invested heavily in customized solutions may have (had) a legitimate cost analysis that kept them staying the course. It will be interesting to see how the actual end of support changes those numbers.
  • Concerns or struggles over the costs: whether accepted or not, a lot of folks are unable or unwilling to spend money on new hardware, operating systems, and applications. It’s a costly change. Chances are the impacts are less understood, too.

Exploring each of these (and other) reasons deeper reveals the real lesson about the assumptions made. 

The hidden, single biggest lesson for security

Hidden in plain sight is the single biggest lesson for security:

We need to challenge our assumptions at the beginning of the process.

How long is it reasonable to expect hardware and software – especially the underlying OS – to be stable and supported? Y2K and the long goodbye to Windows XP are evidence that the timeline for these expectations is short, and getting shorter.

When coming across reasons to keep Windows XP – even now – we have to ask why. Instead of shaking our heads in a knowing way, informed by over a decade of experience, it’s an opportunity to engage in conversation.

It’ll likely be uncomfortable in some cases to probe the assumptions upon which the solutions were built and decisions made. Take the opportunity to learn first, then find the right solution forward.

Want better security? Practice asking this one question

As we reflect on the lessons and experiences afforded by the long run of Windows XP, it reveals a simple question that allows us to improve security:

And what if our assumption(s) are wrong?

The key is to simply ask and guide the discussion across three dimensions:

  • Hardware
  • Operating systems
  • Applications

Question and document the assumptions about how long each of these elements tends to last. Then ask how long it needs to last in order for the project/solution/decision to make sense.

Then follow up, again, by simply asking, “And what if our assumptions are wrong?”

Thinking about assumptions and outcomes earlier in the process is a simple and effective way to improve security today and in the future.


Michael Santarcangelo develops exceptional leaders and powerful communicators with the security mindset for success. The founder of Security Catalyst, he draws on nearly two decades of experience advancing security in a variety of operational roles. He guides leaders and teams on the best next step of their journey.
