Whereas the push for digital transformation has been underway for years, many enterprises nonetheless have legacy expertise deeply ingrained of their tech stacks. In lots of instances, these techniques are years and even many years outdated however stay integral to maintaining a enterprise operational. Merely ripping them out and changing them is commonly not a believable fast repair.
“It is truly fairly arduous to completely demise earlier variations of expertise as we undertake new variations, and so you find yourself with the type of layering of varied ages of all of the applied sciences,” says Nick Godfrey, senior director and international head, workplace of the CISO at Google Cloud.
Provided that continued use of legacy techniques comes with danger, why are legacy techniques nonetheless so widespread immediately? How can enterprise leaders handle that danger and transfer ahead?
A Common Problem
In 2019, the Authorities Accountability Workplace (GAO) recognized 10 essential federal IT legacy techniques. These techniques had been 8 to 51 years outdated and value roughly $337 million to function and preserve every year.
Authorities is hardly the one sector that depends on outdated techniques. The banking sector makes use of COBOL, a decades-old coding language, closely. The well being care business is rife with examples of outdated digital well being document (EHR) techniques and legacy {hardware}. One survey discovered that 74% of producing and engineering corporations use legacy techniques and spreadsheets to function.
“If we discuss banking, manufacturing, and well being care, you’ll discover a massive chunk of legacy techniques are literally components of the operational expertise that it takes to function that enterprise,” says Joel Burleson-Davis, senior vice chairman of worldwide engineering, cyber at Imprivata, a digital identification safety firm.
The price of changing these techniques isn’t merely the value tag that comes with the brand new expertise. It’s additionally the downtime that comes with making the change.
“The toughest method to drive the automotive is while you’re attempting to vary the tire on the similar time,” says Austin Allen, director of options structure at Airlock Digital, an software management firm. “You concentrate on one hour of downtime … you could be speaking about tens of millions of {dollars} relying on the corporate.”
A survey performed by business software program firm SnapLogic discovered that organizations spent a mean of $2.7 million to overtake legacy tech in 2023.
As costly as it’s to interchange legacy expertise, maintaining it in place might show to be extra expensive. Legacy techniques are weak to cyberattacks and knowledge breaches. In 2024, the common value of an information breach is $4.88 million, in keeping with IBM’s Value of a Information Breach Report 2024.
Evaluating the Tech Stack
Step one to assessing the chance that legacy techniques pose to an enterprise is knowing how they’re getting used. It sounds easy sufficient on the floor, however enterprise infrastructure is extremely sophisticated.
“Everyone needs that they’d all of their processes. and all of their techniques integrations documented, however they do not,” says Jen Curry Hendrickson, senior vice chairman of managed companies at DataBank, an information middle options firm.
As soon as safety and expertise leaders conduct an intensive stock of techniques and perceive how enterprise knowledge is shifting by way of these techniques, they’ll assess the dangers.
“This expertise was designed and put in many, a few years in the past when the menace profile was considerably totally different,” says Godfrey. “It’s creating an ever extra complicated floor space.”
What techniques could be up to date or patched? What techniques are not supported by distributors? How might menace actors leverage entry to a legacy system for lateral motion?
Managing Legacy System Threat
As soon as enterprise leaders have a transparent image of their organizations’ legacy techniques and the chance they pose, they’ve a option to make. Do they substitute these techniques, or do they hold them in place and handle these dangers?
“Companies are absolutely entitled — possibly they should not [be] — however they’re absolutely entitled to say no, ‘I perceive the chance and that is not one thing we will handle proper now,’” says Burleson-Davis. “Industries that are likely to have decrease margins and be just a little extra resource-strapped are the likeliest to make a few of these tradeoffs.”
If an enterprise can not substitute a legacy system, its safety and expertise leaders can nonetheless take steps to scale back the chance of it turning into a doorway for menace actors.
Safety groups can implement compensating controls to search for indicators of compromise. They’ll implement zero-trust entry and isolate legacy techniques from the remainder of the enterprise’s community as a lot as attainable.
“Legacy techniques actually ought to be hardened from the working system aspect. Try to be turning off working system options that should not have any enterprise goal in your surroundings by default,” Allen emphasizes.
Safety leaders could even discover comparatively easy methods to scale back danger publicity associated to legacy techniques.
“Folks will typically discover, ‘Oh, I am operating 18 totally different variations of the identical virtualization bundle Why do not I’m going to at least one?’” Burleson-Davis shares. “We discover individuals operating into situations like that the place after doing a correct stock [they] discover that there was some low-hanging fruit that basically solved a few of that danger.”
Transitioning Away from Legacy Programs
Enterprise leaders must clear plenty of hurdles in an effort to substitute legacy techniques efficiently. The price and the time are apparent challenges. Given the age of those techniques, expertise constraints come to the fore. Does the enterprise have individuals who perceive how the legacy system works and the way it may be changed?
“You find yourself with a really complicated abilities requirement inside your group to have the ability to handle very outdated forms of applied sciences by way of to cutting-edge applied sciences,” Godfrey factors out.
A change advisory board (CAB) can lead the cost on strategic planning. That group of individuals will help reply important questions concerning the timeline for the transition, the potential downtime, and the individuals essential to execute the change.
“How does that have an effect on something downstream or upstream? The place is my knowledge flowing? How are these techniques related? How do I hold them related? What am I going to interrupt?” asks Curry Hendrickson.
Allen stresses the significance of planning for a method to roll again the implementation of recent expertise. “What is the technique for rolling again if it goes incorrect? As a result of that is arguably a very powerful piece of this, and lots of occasions it would go incorrect,” he says.
To cut back the prospect of the implementation failing, the transition crew wants to think about how the brand new expertise will work together inside the IT or OT environments. How is that totally different in comparison with the legacy system?
“[Understand] what it’s that new system wants, [put] a few of these modifications in place earlier than you implement the brand new system. That means the brand new system has each alternative to achieve success,” says Allen.
After pouring assets into modernizing expertise, some enterprises make a basic mistake by forgetting to incorporate the top customers within the course of. If finish customers aren’t ready or keen to undertake new expertise, that initiative’s possibilities of success drop.
“One good instance [is] introducing virtually something right into a medical setting and never together with medical doctors and nurses. It’s the assured, primary method to fail,” says Burleson-Davis.
Curry Hendrickson additionally warns of the potential for vendor lock-in as enterprises study methods to undertake new expertise. “You possibly can get your self right into a situation the place you are so excited and …you have got this nice surroundings, it’s so versatile after which rapidly you are utilizing means too a lot of this vendor’s instruments, and now it may be an actual downside … to maneuver out,” she explains.
This sort of technological transformation is commonly a multi-year undertaking that requires the board, CISO, CIO, CTO, and different enterprise leaders to agree on a method and constantly work towards it.
“There are going to be inevitably short-term trade-offs that must be made throughout that transformation, through the journey to that north star,” says Godfrey. “The important thing to enabling that or unlocking the chance is … fascinated about it as a sort of organizational transformation in addition to a technological transformation.”
