Now is as good a time as any to think about switching to Vista, if your organization uses Windows XP or an earlier iteration of Windows. (They might not admit it, but some big enterprises still use a lot of Windows 2000 and NT boxes.) However, what we are now learning about Microsoft's own confusion over the release of the original Vista, as well as the vague SP1 release schedule, is likely to make some C-level execs lukewarm to the migration idea at best.
Obviously, a company may be pushed to upgrade by external factors, such as compatibility with a key supplier or client, or a need to run Vista-only apps, and so on. For many organizations, however, the choice still looks like this: stick with a flawed but patched and well-understood OS, or migrate to a more secure alternative that comes with several drawbacks, like hefty hardware requirements, serious compatibility issues (hardware and software) and nagging availability questions. Enterprises using XP today should think back to when they were contemplating that transition. When did that transition take place, on initial release or following the release of SP1? In fact, a lot of organizations delayed until SP2.
Unfortunately, SP1 also has drawbacks. Microsoft has confirmed that Vista SP1 intentionally prevents some third-party applications from running because they may cause instability after SP1 has been installed (these include products from Trend Micro Inc., Zone Labs Inc., BitDefender, and Novell Inc--see this Microsoft Knowledge Base article for more details.) SP1, however, gives security software vendors a more secure way to communicate with Windows Security Center and APIs, and third-party security and malicious software detection applications can work with kernel patch protection on x64 versions of Vista.
SP1 does promise two things that might make the migration itself more palatable. First, device compatibility should be improved, with better support for a whole range of devices such as graphics cards and high density drives like Blu-ray. Second, reliability, an important aspect of security, is about to be enhanced. Supposedly, SP1 will more than double the mean number of hours between disruptions, from about 17 hours to about 34. (Maybe it's just me, but neither number sounds great, and it would help to know more about how that metric compares to XP. Unfortunately, Microsoft does not provide such a number. I know, however, that my XP laptop often goes longer than 40 hours between "disruptions.")
For most organizations, Vista implementation is not going to be just a security issue. There are serious costs concerning new hardware and software, which means some serious cost-benefit analysis must take place. If you are currently running XP and are on top of patch management and security training for end users, it's likely that your security issues aren't serious enough to justify making the switch right now. A year from now, there will be a lot more data -- and hopefully a lot more inexpensive hardware -- upon which to base your decision.
This was first published in February 2009