Slashdot Mirror


Dealing with Corporate FUD About Linux?

Lumpy asks: "After this morning's IT conference call, Linux was once again attacked here in the company by the upper management as 'a threat' to our company security. With articles, like the recent one from Information Week, fueling the upper management with outdated information and half truths, how does an IT professional defend his position and educate upper managers to take those articles with a tiny grain of salt and trust their experts? Should we as professionals expect to be attacked for our decisions, even though Linux has proven itself (time and time again), for over 5 years in our company? How do you deal with all of the baseless claims, that your superiors may read in the mainstream media?"

9 of 300 comments

  1. Here's an easy way to sum it up... by PFI_Optix · · Score: 4, Insightful

    Title from TFA: "A report warns of security vulnerabilities, raising the question of whether the open-source model can provide bullet-proof software"

    What you might say: We get reports of security vulnerabilities on Microsoft products on a weekly basis, and there is unfortunately no such thing as bullet-proof software. Just recently Microsoft opted not to release an automatic update related to a virus before the virus went active, which would indicate that, contrary to what comes out of the PR department, Microsoft's commitment to security is not significant.

    (I know the last sentence can be somewhat deceptive and there's more to the story, but if they're going to flap their lips when they're clueless, I doubt they'll catch it).

    Wrap up with: No, Linux isn't perfect. There is a risk of vulnerability in every product. Microsoft, Apple, Unix, Linux, all of them carry some risk. It's our job to assess the risks and find the safest, most secure software that meets the company's productivity needs. It's what we do every day.

    --
    120 characters for a sig? That's bloody useless.
  2. Re:my advice by Captain+Sarcastic · · Score: 5, Insightful

    That's pretty much what I tried. The down side is when the boss asks, "OK, so if it's free, how do the people who build the distro make money?"

    This isn't quite as pointy-haired as it might sound. With some of the monkeyshines that went on during the dot-com craze, with various companies bragging about their respective cash burn rates, many managers want to have an idea that the company who is providing the software will be around in X number of years.

    Of course, another approach is to point out that, "Well, you know, MS-DOS worked just fine, and nobody had complained about the 80-by-25 character cell screen... so how come we aren't still using it? Because [at this point you will want to sigh - DON'T!] Windows 3.1 did things well that MS-DOS was only marginally capable of doing."

    Of course, depending on the manager, they might look at you funny when you mention "MS-DOS", but bear up...

    --
    Strike while the irony is hot! -- The Freethinker
  3. Believability of the media. by AJWM · · Score: 4, Insightful

    Ask them if they've ever read a media story about something they knew a lot about. Ask them how much of it the media got right. Ask them why they think it would be any different with respect to IT.

    --
    -- Alastair
  4. You ARE the linux expert. by Spy+der+Mann · · Score: 5, Insightful

    The so-called analysts are NOT. Plus, there's the SELinux distribution promoted by the NSA, and it's as secure as Fort Knox. (well that's what you can say. And certainly your boss can't contradict the NSA, can he? ;-) )

  5. Re:my advice by NoMoreNicksLeft · · Score: 4, Insightful

    It is pretty pointy-haired after all. You don't say "Home Depot" may go out of business in 5 years, and then use it as a reason that you will no longer be able to buy 2x4s.

    It's open, anything can be compiled for the version you use, even if there are no versions. Lack of an upgrade treadmill means your apps are safe, even if you have to use 2.6.x Linux for the next 20 years. Computers always used to be that static, at least until stupid people started using them.

    Open source. If push comes to shove, hire a person or two to fix what needs to be fixed, even if Torvalds is gored to death by angry reindeer. Or more likely, as yours wouldn't be the only company that needs this, the costs can be spread out among lots of different companies, probably in the form of a vendor appearing to take over.

    It's commodity parts people. Ford might go out of business, but we're always going to be able to buy parts to fix the engine and transmission. Linux is like that too. Microsoft is the one to be worried about, not because they will somehow die next year (I pray every night though), but because if they somehow did, we'd *ALL* be shit out of luck.

    That anyone can spin things in such a way contrary to reality is incredible.

  6. Go back to the old days. by LWATCDR · · Score: 4, Insightful

    Nobody ever got fired for buying from IBM.
    Simple as that. IBM is pushing it. Linux is so not fringe anymore that anyone with a brain knows that it is a viable alternative for servers.
    Companies that sell Linux distributions and offer support.
    RedHat
    Novell

    Companies that sell servers with Linux installed.
    IBM
    Dell
    SGI
    Sun

    Companies that use Linux
    IBM
    Google
    Oracle

    The idea that Linux is some kind of hippie hacker commune is so 90s...

    There might be good reasons for your company not to use Linux but security really isn't one of them. If it is you should probably be running OpenVMS or OS/400. I dare someone to hack that :)

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  7. Define "free". by jd · · Score: 5, Insightful
    Local phone calls are free, but AT&T and Bell aren't exactly poor.


    Google is "free" to use as a search engine, but any company that can "report revenue of $1.919 billion" for a single quarter can probably afford to pay the staff. I wouldn't advise asking your CEO when he last made almost two billion in a four month timespan, though.


    Linux is "free" (as in price) if you get no assurance and minimal support. If, on the other hand, you want EAL4-rated Linux (certified for commercially-sensitive and confidential information for Government use in Europe and the US) with 24-hour support, fine-tuning of hardware and software, etc, then you pay a bit more. Same software, different parameters.


    I'd argue that there are examples even the dimmest PHB can understand - some have been around long enough to just be accepted, others are so stinking rich that the arguments self-evidently don't hold.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  8. Re:my advice by Angostura · · Score: 4, Insightful

    Let's face it, your managers gave you a perfectly correct answer when they said: "We've got Windows, it's easier to stick with that."

    It *is* always going to be easier to stick with what you have already.

    It sounds to me as if the management are quite happy with what they've got, it works well enough and they have some annoying techie lobbying to change half their infrastructure software. Naturally they are going to be floundering around to find ways to get them out of their hair.

    So, what are your reasons for wanting the company to switch to Linux, really? Are you a groupie, or are there solid reasons that will translate to the company's bottom line that you can put to them.

    The security issue can be defused fairly easily - present some research into .mil adoption of Linux, for example.

    But the security issue is probably just a smokescreen. You need some damn good reasons that you can set out coolly and rationally, and hopefully with a spreadsheet attached that will convince them of the advantages. "But it's free" probably won't cut it. Factor in third-party support costs, or in-house support for them so that it is NOT free. That'll make them take you more seriously.

  9. Re:my advice by sparkz · · Score: 4, Insightful
    I'm with you on this one, Saeed.

    An interesting and useful thing a headhunter told me recently about looking for jobs - don't tell them what you know and what you're good at, tell them how much money you have saved, and how much income you have generated, in your current/previous jobs.

    If you can come up with figures, saying that (eg) "We spend $x per annum on Anti-Virus software for Wintel; we could reduce that to $y by moving to Linux", or "We lose x hours per annum with unscheduled downtime on Wintel servers, costing $XX; we could reduce that to y hours with Linux servers, costing only $YY", you are more likely to get the attention of the beancounters.

    A Ferrari is faster than a Volkswagen, but it costs more. It's down to the beancounters to sign-off the outlay. If you can show that you need a Ferrari's speed, and the benefits justify the cost, then they'll get the Ferrari. If you can show that the Volkswagen is quick enough, and is cheaper to buy/run, then they'll get the Volkswagen. Note that I've not gone into any details about the technical differences between the two manufacturers, but I've sold them on whichever option best suits the need.

    In some cases, the Ferrari is the best buy; in others, the VW is the best buy.

    If I'm in the high-end chauffeur business, then a Ferrari could win on the prestige alone; If I'm in the taxi business, the VW will win on TCO.

    I know - I'm using the traditional car analogy, and I am failing to specify which option is Wintel and which is Linux; sorry for going against the mould, but it doesn't work that way in the CEO/CTO/CIO mindset. There is no "best"... we all know that a Ferrari is "better" than a VW, but is it better in this situation? If the objective is security, *nix is likely to beat Wintel; If the objective is massive user-acceptance and low training costs, Wintel could beat *nix.

    Whether the criteria are right or wrong is a different issue; you could say that it doesn't matter that the users don't need retraining to use the *nix solution, because the Wintel solution is riddled with flaws; again, you can put that into CEO language by costing the (Wintel flaws) vs the (*nix (flaws + training)) to show that training on *nix, whilst an extra expense, is overall lower than the Wintel solution.

    If you cannot show that, then you are not actually benefitting the company.

    As a simple example, if the proposal is a stand-alone workstation with no external I/O devices, does it really matter (for security) if it runs Windows 95? The security argument doesn't hold up as strong in this case, as compared to a publicly-accessible web server.

    Think about what it costs, and what it delivers. Don't bother telling non-technical people about technical details - they don't understand, and it's not their place to understand (if they did understand, we'd be out of a job!). We have to translate the technical details into costs.

    So if replacing a Wintel server with a Linux server is "better", you have to define "better", even (especially!) when it's obvious. If it's better because the Wintel server was a security issue, then work out the total cost for keeping the Wintel server secure, and the cost to the company if it was breached, along with the likelihood of that occurring. Do the same costings for your proposal, along with any additional costs incurred (new hardware, licenses, training, etc). If it turns out that there's a very low risk if the Wintel server is compromised (eg, it's not connected to the internal network, contains no sensitive data, and is blocked by the firewall from doing anything nasty), and there'd be a large cost in migrating to Linux (eg, retraining, HW changes, etc), then Wintel is the right answer, and all the "but Linux is better than Windows" arguments are ignored, and your credibility is reduced. That reduced credibility will carry on to the next time you propose something, like the boy who cried "Wolf!".

    Cost. That's all the business people care about. If they can spend $10k on a

    --
    Author, Shell Scripting : Expert Re