Whereas the push for digital transformation has been underway for years, many enterprises nonetheless have legacy expertise deeply ingrained of their tech stacks. In lots of instances, these methods are years and even many years previous however stay integral to retaining a enterprise operational. Merely ripping them out and changing them is usually not a believable fast repair.
“It is truly fairly laborious to totally demise earlier variations of expertise as we undertake new variations, and so you find yourself with the type of layering of assorted ages of all of the applied sciences,” says Nick Godfrey, senior director and international head, workplace of the CISO at Google Cloud.
On condition that continued use of legacy methods comes with threat, why are legacy methods nonetheless so widespread as we speak? How can enterprise leaders handle that threat and transfer ahead?
A Common Problem
In 2019, the Authorities Accountability Workplace (GAO) recognized 10 crucial federal IT legacy methods. These methods had been 8 to 51 years previous and value roughly $337 million to function and keep annually.
Authorities is hardly the one sector that depends on outdated methods. The banking sector makes use of COBOL, a decades-old coding language, closely. The well being care business is rife with examples of outdated digital well being file (EHR) methods and legacy {hardware}. One survey discovered that 74% of producing and engineering firms use legacy methods and spreadsheets to function.
“If we discuss banking, manufacturing, and well being care, you’d discover a massive chunk of legacy methods are literally components of the operational expertise that it takes to function that enterprise,” says Joel Burleson-Davis, senior vp of worldwide engineering, cyber at Imprivata, a digital identification safety firm.
The price of changing these methods isn’t merely the value tag that comes with the brand new expertise. It’s additionally the downtime that comes with making the change.
“The toughest method to drive the automotive is whenever you’re attempting to vary the tire on the identical time,” says Austin Allen, director of options structure at Airlock Digital, an utility management firm. “You consider one hour of downtime … you could be speaking about thousands and thousands of {dollars} relying on the corporate.”
A survey carried out by business software program firm SnapLogic discovered that organizations spent a mean of $2.7 million to overtake legacy tech in 2023.
As costly as it’s to exchange legacy expertise, retaining it in place might show to be extra pricey. Legacy methods are susceptible to cyberattacks and knowledge breaches. In 2024, the common price of an information breach is $4.88 million, in response to IBM’s Price of a Knowledge Breach Report 2024.
Evaluating the Tech Stack
Step one to assessing the danger that legacy methods pose to an enterprise is knowing how they’re getting used. It sounds easy sufficient on the floor, however enterprise infrastructure is extremely sophisticated.
“All people needs that they’d all of their processes. and all of their methods integrations documented, however they do not,” says Jen Curry Hendrickson, senior vp of managed providers at DataBank, an information heart options firm.
As soon as safety and expertise leaders conduct a radical stock of methods and perceive how enterprise knowledge is shifting by way of these methods, they will assess the dangers.
“This expertise was designed and put in many, a few years in the past when the menace profile was considerably completely different,” says Godfrey. “It’s creating an ever extra complicated floor space.”
What methods could be up to date or patched? What methods are not supported by distributors? How might menace actors leverage entry to a legacy system for lateral motion?
Managing Legacy System Danger
As soon as enterprise leaders have a transparent image of their organizations’ legacy methods and the danger they pose, they’ve a option to make. Do they change these methods, or do they preserve them in place and handle these dangers?
“Companies are totally entitled — possibly they should not [be] — however they’re totally entitled to say no, ‘I perceive the danger and that is not one thing we will handle proper now,’” says Burleson-Davis. “Industries that are inclined to have decrease margins and be somewhat extra resource-strapped are the likeliest to make a few of these tradeoffs.”
If an enterprise can not change a legacy system, its safety and expertise leaders can nonetheless take steps to cut back the danger of it changing into a doorway for menace actors.
Safety groups can implement compensating controls to search for indicators of compromise. They will implement zero-trust entry and isolate legacy methods from the remainder of the enterprise’s community as a lot as doable.
“Legacy methods actually needs to be hardened from the working system aspect. You need to be turning off working system options that would not have any enterprise goal in your surroundings by default,” Allen emphasizes.
Safety leaders might even discover comparatively easy methods to cut back threat publicity associated to legacy methods.
“Folks will typically discover, ‘Oh, I am working 18 completely different variations of the identical virtualization package deal Why do not I’m going to 1?’” Burleson-Davis shares. “We discover folks working into eventualities like that the place after doing a correct stock [they] discover that there was some low-hanging fruit that actually solved a few of that threat.”
Transitioning Away from Legacy Techniques
Enterprise leaders should clear a variety of hurdles with a purpose to change legacy methods efficiently. The price and the time are apparent challenges. Given the age of those methods, expertise constraints come to the fore. Does the enterprise have individuals who perceive how the legacy system works and the way it may be changed?
“You find yourself with a really complicated expertise requirement inside your group to have the ability to handle very previous forms of applied sciences by way of to cutting-edge applied sciences,” Godfrey factors out.
A change advisory board (CAB) can lead the cost on strategic planning. That group of individuals may also help reply very important questions in regards to the timeline for the transition, the potential downtime, and the folks essential to execute the change.
“How does that have an effect on something downstream or upstream? The place is my knowledge flowing? How are these methods related? How do I preserve them related? What am I going to interrupt?” asks Curry Hendrickson.
Allen stresses the significance of planning for a method to roll again the implementation of latest expertise. “What is the technique for rolling again if it goes incorrect? As a result of that is arguably an important piece of this, and lots of instances it should go incorrect,” he says.
To scale back the possibility of the implementation failing, the transition group wants to contemplate how the brand new expertise will work together throughout the IT or OT environments. How is that completely different in comparison with the legacy system?
“[Understand] what it’s that new system wants, [put] a few of these adjustments in place earlier than you implement the brand new system. That manner the brand new system has each alternative to achieve success,” says Allen.
After pouring assets into modernizing expertise, some enterprises make a elementary mistake by forgetting to incorporate the tip customers within the course of. If finish customers aren’t ready or prepared to undertake new expertise, that initiative’s probabilities of success drop.
“One good instance [is] introducing nearly something right into a medical setting and never together with medical doctors and nurses. It’s the assured, primary method to fail,” says Burleson-Davis.
Curry Hendrickson additionally warns of the potential for vendor lock-in as enterprises study methods to undertake new expertise. “You might get your self right into a state of affairs the place you are so excited and …you have got this nice surroundings, it’s so versatile after which abruptly you are utilizing manner too lots of this vendor’s instruments, and now it should be an actual drawback … to maneuver out,” she explains.
This sort of technological transformation is usually a multi-year challenge that requires the board, CISO, CIO, CTO, and different enterprise leaders to agree on a technique and constantly work towards it.
“There are going to be inevitably short-term trade-offs that should be made throughout that transformation, throughout the journey to that north star,” says Godfrey. “The important thing to enabling that or unlocking the chance is … eager about it as a sort of organizational transformation in addition to a technological transformation.”
