STRATEGY • WEB DESIGN
The Most Dangerous System Is the One That Still Works
When nothing appears to be broken, the people who could authorise the fix rarely know there is one to make.
The most dangerous system in a company is not always the one that has failed. More often, it is the one that still works well enough to avoid suspicion. We are trained to find what is broken and fix it, which is a sound instinct for most of what goes wrong in a business and a useless one for this, because the thing quietly becoming a liability is the thing nobody has any reason to look at.
Microsoft ran into a clean example of this in 2014. Windows XP had become part of the operating fabric of business across the Middle East, and the chief executives of seventy of the region's largest enterprises had no reason to consider it a problem. Their staff's computers turned on every morning. They ran the tools everyone needed. It was resilient: it had survived a global financial crisis. The software was familiar, and it had underpinned a decade of nearly five-fold growth without complaint.
The trouble was that Microsoft was ending support for it. The risk was real and coming very soon. But not only was Windows XP not recognised as a problem, it was seen as a business enabler. A dependable infrastructure where the risk lay in change. Then there was the cost. Upgrading from Windows XP after a decade often meant replacing hardware powerful enough to run the new system, then absorbing the productivity cost of migration and training. To the people signing the cheque, the problem was not the end of support. It was the price of moving. Which is why the initial attempts to phrase the warning more persuasively failed. FOMO was losing to FOMC ('Fear of Making Change'). The CEOs were not wrong about Windows XP, exactly. They were almost right, and almost right is the costliest place a confident person can stand.
The conventional way to raise the alarm on a problem like this is to spend: a bigger campaign, more reach, more impressions. That theory holds up when the audience is large and the obstacle is ignorance. It fails when the audience is small and the obstacle is confidence. The CEOs on the list did not misunderstand Windows XP. They trusted it. And "end of support," to a chief executive, does not sound like a threat. It sounds like a vendor trying to sell something.
What arrived on those desks was, on its face, ridiculous. The package was couriered and disguised as a premium online fashion delivery, the kind of thing a CEO orders for themself, which is precisely how it cleared the executive assistant who screens everything else. Inside was not a sales pitch but an emergency kit of underarm sweat patches designed by a well-known local fashion designer. The patches were designed to be sewn onto the outside of the shirt, worn openly beneath the arm to soak up the sweat, a fix that hid nothing and announced everything, the whole thing pitched in the level, unsmiling tone of a garment-care label.
The joke was doing real work. A software vulnerability is an abstraction, and a security patch is not tangible. But sweat you can see. Everyone can see. Sweat is what happens in front of a board that wants to know why the company was exposed, or when the data is gone and the press is on line one. What this package did was relocate an invisible technical risk to the one place a chief executive is guaranteed to feel it, the surface of his own shirt. If you were prepared to patch the shirt, the kit suggested, you might consider patching the business. The translation worked. Eighty per cent of the seventy targeted CEOs responded. Forty-five per cent upgraded. More than 450,000 licences followed, before the hardware upgrades were even counted. The total spend on upgrades ran to an estimated $400m to $500m.
Six months on, the holdouts received the Pit-Patch Spring 2015 Collection. Delivered as a customised e-commerce shopping experience, it featured new swatches, the humour as dry as the instructions had been. CEOs could add sweat patches to their basket, all orders free, courtesy of Microsoft. That converted another five per cent, and it revealed something about the whole exercise: the campaign had been built as a platform rather than a single stunt, patient enough to treat a CEO's procrastination as the next problem to solve rather than a defeat to absorb.
The mechanism is worth separating from the colourful materials. What Microsoft did, underneath the patches, was make an abstract risk something a CEO could physically feel. That problem is not specific to software, or to 2014, or to that market. The same pattern now runs through artificial intelligence. A company pushes its staff to adopt it, the tool performs, the dashboard stays green, and the cost of running it at scale compounds unwatched until it lands as a single shocking number. The fact that it works is exactly what kept anyone from asking what it cost.
The campaign worked. That is the most misleading thing about it. The lesson is not that every hidden risk needs a clever metaphor to sell it. It is that translating risk into terms the responsible party can act on is a core executive job, and most organisations have quietly assigned it to no one. The chief executives who trusted Windows XP were not foolish. They were almost right, and in a system that still works, almost right is the most dangerous position there is. The danger was never the morning the machine failed to start. It was all the mornings it started just fine.