Computerworld

Did IS Spend Too Much on Y2K Bug Fix?

Although IS managers are mainly receiving praise for the smooth way in which the year-2000 rollover went, they are also receiving criticism from some quarters that they had exaggerated the threat of the year-2000 bug.

While criticisms may abound, most IT executives firmly believe that would-be disasters were averted because they had spent enough money.

"There is no question that in the system code we looked at, there would have been failures if we had not taken action. I have no regrets about the money we spent," said Frank Petersmark, vice president of information technology at Amerisure, an insurance company in Southfield, Mich.

But some executives, at levels both below and above those who made the spending decisions, are now questioning why so much was needed given the toothless bite of the year-2000 bug worldwide.

One IT manager said that 18 months ago senior colleagues were buying heavily into the "Y2K hysteria," influenced by a top consulting company. He advised them then that they had overspent on the project.

"I voiced my opinion and was promptly called on the carpet. I meekly went back to producing the required plans, contingency plans, and double-contingency plans ad nauseam. Now that it is over, I can say to them with great conviction, 'I told you so,' " said the IT manager, who wished to remain anonymous.

Jim Porter, a partner with PricewaterhouseCoopers Operational Systems and Risk Management, whose clients include CIOs and upper-level IT managers, said a client called him in a panic days after the New Year. The client was about to walk into an executive meeting where he knew he was going to be asked if Y2K spending was overkill.

"What's the opposite of overkill? Failure," Porter said, adding that his client was ultimately able to persuade his colleagues of the benefits of spending the money.

Observers also pointed to other benefits of year-2000 remediation projects, including the fact that the image of many IT organizations is shinier in the eyes of senior executives, who are now placing more strategic importance on that group.

Y2K remediation is also said to have helped organizations' competitiveness by forcing them to streamline their IT infrastructures and replace outdated systems that would otherwise have remained in use.

"Many [companies] were able to eliminate and consolidate programs," said Harris Miller, president of the Information Technology Associates of America, in Arlington, Va. "Also, companies learned how to strategically integrate IT into their business models."

Some analysts were harsher about what they saw as overly generous spending, however. International Data Corp. (IDC) last week estimated that IS worldwide overspent by some $70 billion.

"We spent too much on contingency, which takes in staffing and preplanning, as well as on actual remediation which I am calling the 'hype tax,' " said John Gantz, chief research officer and team leader for IDC's Project Magellan Y2K analysis. "Y2K took on a life of its own through politicians, the media, and consultants," Gantz added.

Y2K overspend?

Consultancy IDC last week gave its estimate on how much was overspent on fixing the Y2K bug.

U.S.:

* Salary overspend for extra New Year staff: $2.7 billion
* Contingency planning overspend: $8.6 billion
* Remediation overspend: $20 to $30 billion
* Total overspend: $31 to $41 billion

Worldwide:

* Salary overspend for extra New Year staff: $6.5 billion
* Contingency planning overspend: $19.9 billion
* Y2K remediation overspend: $40 to $50 billion
* Total worldwide overspend: $66 to $76 billion

All Quiet on the Virus Front

The virus juggernaut feared to hit the masses during the year-2000 period never materialized. So, what became of the nightmare scenarios warned of by security vendors?

"As far as the big weekend, yeah, it was a nonevent," said Vincent Gullotto, director of AVERT at Network Associates Inc. (NAI).

NAI and other security vendors did have to contend with a few blips on the virus radar screen, such as the Trojan horse "Zelu," a fake year-2000 system check, and "Feliz," a Portuguese "Happy New Year" Trojan.

But for the most part, all was eerily quiet.

Gullotto said a significant cause, and benefit, of the nonactivity was that many users took the threat seriously, and updated their anti-virus systems well in advance.

"We got a lot of people to get good current technology on their machines," Gullotto said.

But Dr. Gary McGraw, chairman of the Malicious Code Infosec Science and Technology Study Group at the Infosec Research Council, argued that some anti-virus vendors were "jumping on the bandwagon trying to hype [year 2000] to smithereens."

However, McGraw said people should not be too quick to judge or criticize for being overprepared in light of a hurricane warning that might pass its initial target untouched.

"Here's the question: If we didn't have all the hype, would we have gotten all the work done that we needed to get done?" McGraw asked. "It's a tricky situation."

Vincent Weafer, director of Symantec's Anti-Virus Research Center, said Symantec has kept busy since Jan. 1 investigating thousands of files sent in by customers that were quarantined from their systems and e-mail servers after year-2000 hit.

Weafer said the fact that customers are now taking the initiative to incorporate and check security on their own ends will pay huge dividends for them in the coming months as new and more complex viruses appear.