Whereas the push for digital transformation has been underway for years, many enterprises nonetheless have legacy know-how deeply ingrained of their tech stacks. In lots of instances, these techniques are years and even many years outdated however stay integral to conserving a enterprise operational. Merely ripping them out and changing them is usually not a believable fast repair.
“It is really fairly arduous to totally demise earlier variations of know-how as we undertake new variations, and so you find yourself with the kind of layering of varied ages of all of the applied sciences,” says Nick Godfrey, senior director and international head, workplace of the CISO at Google Cloud.
Provided that continued use of legacy techniques comes with danger, why are legacy techniques nonetheless so frequent at present? How can enterprise leaders handle that danger and transfer ahead?
A Common Problem
In 2019, the Authorities Accountability Workplace (GAO) recognized 10 vital federal IT legacy techniques. These techniques had been 8 to 51 years outdated and price roughly $337 million to function and keep annually.
Authorities is hardly the one sector that depends on outdated techniques. The banking sector makes use of COBOL, a decades-old coding language, closely. The well being care business is rife with examples of outdated digital well being document (EHR) techniques and legacy {hardware}. One survey discovered that 74% of producing and engineering firms use legacy techniques and spreadsheets to function.
“If we discuss banking, manufacturing, and well being care, you’d discover a huge chunk of legacy techniques are literally parts of the operational know-how that it takes to function that enterprise,” says Joel Burleson-Davis, senior vice chairman of worldwide engineering, cyber at Imprivata, a digital identification safety firm.
The price of changing these techniques isn’t merely the worth tag that comes with the brand new know-how. It’s additionally the downtime that comes with making the change.
“The toughest technique to drive the automobile is while you’re attempting to vary the tire on the identical time,” says Austin Allen, director of options structure at Airlock Digital, an software management firm. “You concentrate on one hour of downtime … you could be speaking about thousands and thousands of {dollars} relying on the corporate.”
A survey carried out by business software program firm SnapLogic discovered that organizations spent a median of $2.7 million to overtake legacy tech in 2023.
As costly as it’s to interchange legacy know-how, conserving it in place may show to be extra pricey. Legacy techniques are susceptible to cyberattacks and information breaches. In 2024, the common value of an information breach is $4.88 million, based on IBM’s Price of a Information Breach Report 2024.
Evaluating the Tech Stack
Step one to assessing the chance that legacy techniques pose to an enterprise is knowing how they’re getting used. It sounds easy sufficient on the floor, however enterprise infrastructure is extremely difficult.
“All people needs that they’d all of their processes. and all of their techniques integrations documented, however they do not,” says Jen Curry Hendrickson, senior vice chairman of managed companies at DataBank, an information heart options firm.
As soon as safety and know-how leaders conduct an intensive stock of techniques and perceive how enterprise information is shifting by these techniques, they’ll assess the dangers.
“This know-how was designed and put in many, a few years in the past when the menace profile was considerably totally different,” says Godfrey. “It’s creating an ever extra complicated floor space.”
What techniques could be up to date or patched? What techniques are now not supported by distributors? How may menace actors leverage entry to a legacy system for lateral motion?
Managing Legacy System Danger
As soon as enterprise leaders have a transparent image of their organizations’ legacy techniques and the chance they pose, they’ve a option to make. Do they substitute these techniques, or do they maintain them in place and handle these dangers?
“Companies are totally entitled — possibly they should not [be] — however they’re totally entitled to say no, ‘I perceive the chance and that is not one thing we will tackle proper now,’” says Burleson-Davis. “Industries that are likely to have decrease margins and be a little bit extra resource-strapped are the likeliest to make a few of these tradeoffs.”
If an enterprise can’t substitute a legacy system, its safety and know-how leaders can nonetheless take steps to cut back the chance of it turning into a doorway for menace actors.
Safety groups can implement compensating controls to search for indicators of compromise. They’ll implement zero-trust entry and isolate legacy techniques from the remainder of the enterprise’s community as a lot as attainable.
“Legacy techniques actually must be hardened from the working system facet. Try to be turning off working system options that should not have any enterprise function in your setting by default,” Allen emphasizes.
Safety leaders could even discover comparatively easy methods to cut back danger publicity associated to legacy techniques.
“Folks will usually discover, ‘Oh, I am operating 18 totally different variations of the identical virtualization package deal Why do not I am going to at least one?’” Burleson-Davis shares. “We discover individuals operating into eventualities like that the place after doing a correct stock [they] discover that there was some low-hanging fruit that basically solved a few of that danger.”
Transitioning Away from Legacy Techniques
Enterprise leaders must clear quite a lot of hurdles so as to substitute legacy techniques efficiently. The fee and the time are apparent challenges. Given the age of those techniques, expertise constraints come to the fore. Does the enterprise have individuals who perceive how the legacy system works and the way it may be changed?
“You find yourself with a really complicated expertise requirement within your group to have the ability to handle very outdated sorts of applied sciences by to cutting-edge applied sciences,” Godfrey factors out.
A change advisory board (CAB) can lead the cost on strategic planning. That group of individuals will help reply very important questions concerning the timeline for the transition, the potential downtime, and the individuals essential to execute the change.
“How does that have an effect on something downstream or upstream? The place is my information flowing? How are these techniques linked? How do I maintain them linked? What am I going to interrupt?” asks Curry Hendrickson.
Allen stresses the significance of planning for a technique to roll again the implementation of recent know-how. “What is the technique for rolling again if it goes flawed? As a result of that is arguably an important piece of this, and plenty of instances it’s going to go flawed,” he says.
To cut back the prospect of the implementation failing, the transition crew wants to think about how the brand new know-how will work together inside the IT or OT environments. How is that totally different in comparison with the legacy system?
“[Understand] what it’s that new system wants, [put] a few of these modifications in place earlier than you implement the brand new system. That method the brand new system has each alternative to achieve success,” says Allen.
After pouring assets into modernizing know-how, some enterprises make a elementary mistake by forgetting to incorporate the tip customers within the course of. If finish customers aren’t ready or prepared to undertake new know-how, that initiative’s possibilities of success drop.
“One good instance [is] introducing virtually something right into a scientific setting and never together with medical doctors and nurses. It’s the assured, primary technique to fail,” says Burleson-Davis.
Curry Hendrickson additionally warns of the potential for vendor lock-in as enterprises study methods to undertake new know-how. “You might get your self right into a state of affairs the place you are so excited and …you will have this nice setting, it’s so versatile after which swiftly you are utilizing method too a lot of this vendor’s instruments, and now it’ll be an actual downside … to maneuver out,” she explains.
This sort of technological transformation is usually a multi-year challenge that requires the board, CISO, CIO, CTO, and different enterprise leaders to agree on a method and constantly work towards it.
“There are going to be inevitably short-term trade-offs that must be made throughout that transformation, through the journey to that north star,” says Godfrey. “The important thing to enabling that or unlocking the chance is … desirous about it as a type of organizational transformation in addition to a technological transformation.”
