Whereas the push for digital transformation has been underway for years, many enterprises nonetheless have legacy expertise deeply ingrained of their tech stacks. In lots of instances, these methods are years and even many years previous however stay integral to protecting a enterprise operational. Merely ripping them out and changing them is usually not a believable fast repair.
“It is really fairly laborious to totally demise earlier variations of expertise as we undertake new variations, and so you find yourself with the kind of layering of assorted ages of all of the applied sciences,” says Nick Godfrey, senior director and world head, workplace of the CISO at Google Cloud.
On condition that continued use of legacy methods comes with danger, why are legacy methods nonetheless so frequent at present? How can enterprise leaders handle that danger and transfer ahead?
A Common Problem
In 2019, the Authorities Accountability Workplace (GAO) recognized 10 crucial federal IT legacy methods. These methods had been 8 to 51 years old and cost roughly $337 million to function and preserve every year.
Authorities is hardly the one sector that depends on outdated methods. The banking sector makes use of COBOL, a decades-old coding language, closely. The well being care business is rife with examples of outdated digital well being file (EHR) methods and legacy {hardware}. One survey discovered that 74% of manufacturing and engineering companies use legacy methods and spreadsheets to function.
“If we discuss banking, manufacturing, and well being care, you’ll discover a huge chunk of legacy methods are literally components of the operational expertise that it takes to function that enterprise,” says Joel Burleson-Davis, senior vp of worldwide engineering, cyber at Imprivata, a digital id safety firm.
The price of changing these methods isn’t merely the worth tag that comes with the brand new expertise. It’s additionally the downtime that comes with making the change.
“The toughest approach to drive the automobile is while you’re attempting to vary the tire on the identical time,” says Austin Allen, director of options structure at Airlock Digital, an software management firm. “You consider one hour of downtime … you might be speaking about tens of millions of {dollars} relying on the corporate.”
A survey carried out by business software program firm SnapLogic discovered that organizations spent a mean of $2.7 million to overtake legacy tech in 2023.
As costly as it’s to interchange legacy expertise, protecting it in place may show to be extra pricey. Legacy methods are susceptible to cyberattacks and knowledge breaches. In 2024, the average cost of a data breach is $4.88 million, in accordance with IBM’s Price of a Information Breach Report 2024.
Evaluating the Tech Stack
Step one to assessing the chance that legacy methods pose to an enterprise is knowing how they’re getting used. It sounds easy sufficient on the floor, however enterprise infrastructure is extremely sophisticated.
“All people needs that they’d all of their processes. and all of their methods integrations documented, however they do not,” says Jen Curry Hendrickson, senior vp of managed providers at DataBank, an information middle options firm.
As soon as safety and expertise leaders conduct a radical stock of methods and perceive how enterprise knowledge is transferring via these methods, they will assess the dangers.
“This expertise was designed and put in many, a few years in the past when the risk profile was considerably totally different,” says Godfrey. “It’s creating an ever extra complicated floor space.”
What methods might be up to date or patched? What methods are now not supported by distributors? How may risk actors leverage entry to a legacy system for lateral motion?
Managing Legacy System Threat
As soon as enterprise leaders have a transparent image of their organizations’ legacy methods and the chance they pose, they’ve a option to make. Do they exchange these methods, or do they preserve them in place and handle these dangers?
“Companies are absolutely entitled — possibly they should not [be] — however they’re absolutely entitled to say no, ‘I perceive the chance and that is not one thing we’ll deal with proper now,’” says Burleson-Davis. “Industries that are likely to have decrease margins and be slightly extra resource-strapped are the likeliest to make a few of these tradeoffs.”
If an enterprise can not exchange a legacy system, its safety and expertise leaders can nonetheless take steps to scale back the chance of it changing into a doorway for risk actors.
Safety groups can implement compensating controls to search for indicators of compromise. They will implement zero-trust entry and isolate legacy methods from the remainder of the enterprise’s community as a lot as attainable.
“Legacy methods actually needs to be hardened from the working system aspect. You ought to be turning off working system options that shouldn’t have any enterprise objective in your surroundings by default,” Allen emphasizes.
Safety leaders could even discover comparatively easy methods to scale back danger publicity associated to legacy methods.
“Individuals will usually discover, ‘Oh, I am working 18 totally different variations of the identical virtualization package deal Why do not I’m going to at least one?’” Burleson-Davis shares. “We discover individuals working into situations like that the place after doing a correct stock [they] discover that there was some low-hanging fruit that actually solved a few of that danger.”
Transitioning Away from Legacy Techniques
Enterprise leaders need to clear plenty of hurdles to be able to exchange legacy methods efficiently. The price and the time are apparent challenges. Given the age of those methods, expertise constraints come to the fore. Does the enterprise have individuals who perceive how the legacy system works and the way it may be changed?
“You find yourself with a really complicated expertise requirement inside your group to have the ability to handle very previous sorts of applied sciences via to cutting-edge applied sciences,” Godfrey factors out.
A change advisory board (CAB) can lead the cost on strategic planning. That group of individuals might help reply important questions concerning the timeline for the transition, the potential downtime, and the individuals essential to execute the change.
“How does that have an effect on something downstream or upstream? The place is my knowledge flowing? How are these methods linked? How do I preserve them linked? What am I going to interrupt?” asks Curry Hendrickson.
Allen stresses the significance of planning for a approach to roll again the implementation of recent expertise. “What is the technique for rolling again if it goes incorrect? As a result of that is arguably a very powerful piece of this, and plenty of occasions it’s going to go incorrect,” he says.
To scale back the prospect of the implementation failing, the transition group wants to think about how the brand new expertise will work together throughout the IT or OT environments. How is that totally different in comparison with the legacy system?
“[Understand] what it’s that new system wants, [put] a few of these adjustments in place earlier than you implement the brand new system. That manner the brand new system has each alternative to achieve success,” says Allen.
After pouring assets into modernizing expertise, some enterprises make a basic mistake by forgetting to incorporate the tip customers within the course of. If finish customers aren’t ready or keen to undertake new expertise, that initiative’s probabilities of success drop.
“One good instance [is] introducing virtually something right into a medical setting and never together with medical doctors and nurses. It’s the assured, primary approach to fail,” says Burleson-Davis.
Curry Hendrickson additionally warns of the potential for vendor lock-in as enterprises study methods to undertake new expertise. “You might get your self right into a state of affairs the place you are so excited and …you may have this nice surroundings, it’s so versatile after which unexpectedly you are utilizing manner too lots of this vendor’s instruments, and now it will be an actual drawback … to maneuver out,” she explains.
This sort of technological transformation is usually a multi-year venture that requires the board, CISO, CIO, CTO, and different enterprise leaders to agree on a technique and constantly work towards it.
“There are going to be inevitably short-term trade-offs that need to be made throughout that transformation, in the course of the journey to that north star,” says Godfrey. “The important thing to enabling that or unlocking the chance is … fascinated about it as a type of organizational transformation in addition to a technological transformation.”