Friday 20 January 2012

Don’t be afraid to upgrade

Upgrading software in the workplace requires caution – but some companies make this far more complicated than it needs to be.

No, you’re not having a strange dream, Microsoft really is celebrating the demise of a flagship product. Continuing the tradition of celebrating milestones in web browser development with cakes, Microsoft’s latest cake marks the “death” of Internet Explorer 6 – or, more accurately, the decline in US IE6 usage to 1%. Microsoft have make a huge effort to get people off Internet Explorer 6 (obviously, they’d rather you went to Internet Explorer 7, 8 or 9 than Firefox, Chrome or Safari, but an effort nonetheless) through hasty development, advertising campaigns, and now even silent updates to upgrade remaining computers. And with Microsoft themselves admitting IE6 has had its day and even the die-hard open sources fans accepting that IE7 onwards is a big improvement, you’d think everyone would be happy.

If, however, you’re reading this blog from a UK government building, you may think you’re accessing news from a parallel universe. The UK public sector is inexplicably at odds with the rest of the world. IE6, like most early browsers, has a sluggish Java engine that runs at snail’s pace on modern Java-Rich pages. Most public web pages have now dropped support for IE6. And yet when the China hacking scandal exposed hugely embarrassing security flaws in IE6, and the French and German governments warned everyone off IE6 (and , for a while, later versions), the Cabinet Office insisted there was nothing to worry about.  To be fair, web browser security isn’t the be-all-and-end-all for government buildings – their strongest defence will always be the safeguards within the Government Secure Internet – but the web browser is the last line of defence in a compromised network, and it’s a reckless to rely on a web browser written before widespread broadband adoption and the security threats it brought along.

The Cabinet Office does, however, make a reasonable point. Upgrading a system in the workplace is not a just a simple matter of waiting for Microsoft / Apple / your Linux vendor to issue an update and click on “Yes, Upgrade”. The effects of the same upgrade can vary from one computer to the next. Many Mac users were caught out last year when the latest OSX upgrade rendered their pre-Intel software unusable. This is not normally a big issue for most domestic users – the worst that can happen is a few computer-free days until someone can put your old software back – but in a business, even a few hours without working IT can cost thousands of pounds. Businesses also have to consider whether the latest upgrade exposes them to new security threats.

The UK Civil Service, however, takes this to the extreme by refusing any upgrade without a thorough acceptance testing process – meaning in practice that almost everything is ruled out on cost grounds. That is not how you are meant to approach software testing. Instead, you should prioritise your testing based on risk, and the risk of upgrading IE6 after 7, 8 and 9 have been used by the public for years without problems is minimal (as is using Firefox or Chrome). You certainly don’t need the extensive testing required for software specially written for your own company.  (And okay, if you’re the Civil Service, you also need to think very carefully about security implications of upgrading – but doing nothing exposes you to the security implications of not upgrading.)

There is also a strange obsession that any change to IT entails expensive training costs. This is sometimes true – I, for instance, would have be hesitant to drop an Ubuntu-based workplace straight into controversial Unity desktop (Ubuntu only got away with this because their user-base tends to be tech-savvy) – but most of this time this mentality assumes workers can’t cope with even the simplest intuitive change. I’ve said before that public knowledge of IT could and should be better, but that doesn’t mean ordinary office workers are all IT-literate idiots. The equally controversial ribbon that came with Microsoft Office 2007 was a big change from earlier versions, but you’ll struggle to find a workplace that rushed into Office 2007 without training and found its workers couldn’t cope.

Then there’s the problem of workplaces locking themselves into outdated software – and this is a particular problem with IE6. Many workplace applications were written to specifically run through Internet Explorer 6, making an upgrade impossible without a fundamental rewrite of all these applications.[1] This was an easy mistake in the early noughties when IE6 looked set to be Grand High Lord of the Internet forever, but one of commonest complaints I’ve heard from software developers is that even when IE6 was on the decline and they warned customers of the dangers of locking yourself into IE6 further, companies were still insisting that applications were written to run through IE6 because that’s what they’ve always used.

Finally, I can’t help thinking that there’s a mindset that slow and unreliable systems are something normal. When I was last in a government building, I was regularly screaming and cursing that something as simple as checking the price of a train ticket took me five times as long as my (relatively low-spec) computer from home, but this didn’t seem to be considered a problem. When managers are downplaying the negative impact that out-of-date software is having in their workplace this much, the change of doing something slips even further out of reach.

In a way, software testing has a lot in common with health and safety. Good health and safety is all about identifying the risks and concentrating your efforts accordingly, so that you can carry on doing you’re doing safely (so frequent accidents such as slips, trips and falls, and serious risks such as road accidents get more attention than the chance of getting a papercut at your desk). Lazy health and safety – the sort which gets gives the business a bad name – involves overblown risk assessments over the most trivial dangers to the point where the only practical solution remaining is to not do it at all, which is why you get schools cancelling school trips for daft reasons. The same principle applies to software testing: good testing helps you achieve what you want safely, bad testing stops you doing it completely. And like silly health and safety decisions preventing children playing outside, the risks of not upgrading can often be far greater than the paranoid risks used as justification not to do it.

It’s perhaps unfair to blame project managers for being risk-averse. There is no shortage of botched IT projects out there, so it’s understandable why people would choose to play it safe and stick with what they know, however inefficient it may be. But the paperwork around upgrading is far more complicated than it needs to be, and if we’d focused more on what really matters and less on hypothetical scenarios that don’t, we could have enjoyed Microsoft’s cake much sooner.

[1] Having said that, you can install a modern version Firefox/Chrome/Opera/Safari alongside IE6 so that you can access the internet on a modern browser whilst still having use of your IE6-specific applications. But given the lack of adoption of this easy solution, I can only assume that companies who mindlessly run everything through IE6 are the same people who obsess over overblown acceptance testing and training costs whenever anyone considers using a new product.

No comments:

Post a Comment