Editor’s note: This article draws on insights from an Aug. 12 CIO Dive and Cybersecurity Dive virtual event. You can watch the sessions on-demand.
Aging technology systems represent a proverbial thorn in any CIO’s side. Outdated and posing security risks, cumbersome and difficult to integrate, they persist in the enterprise because replacing them would be too costly or disruptive to business operations.
To steer organizations toward more modern implementations, tech leaders can identify priority areas, rely on partners across the C-suite to accelerate efforts and convey the potential business gains that can make lengthy IT overhaul worthwhile.
CIOs should start by identifying where exactly legacy technology lives and what it’s connected to, said Kris Lovejoy, global practice lead, security and resiliency, at Kyndryl.
“You might have a very modern application infrastructure and an underlying database, you might even be on the cloud, but what you always find is it’s connected into a lot of other systems, many of which may be legacy,” Lovejoy said last month during a CIO Dive-Cybersecurity Dive virtual event. “It might be that everything is fine with production, but then you’ve got a legacy firewall that’s connected to your high availability sites.”
Businesses need to take stock of the cybersecurity risks posed by existing legacy systems when on the path to core system overhauls, according to Christina Powers, cybersecurity partner at West Monroe.
“It’s also important to have that understanding of what potential vulnerabilities may exist on those systems, so that you can have that risk assessment done to understand what you’re working with, from an inventory perspective and a risk perspective,” Powers said.
Ultimately, the ability to bolster security can fuel modernization efforts, as executives contend with a turbulent cyber risk climate.
Starting with core systems
The average enterprise IT stack is rife with applications and systems, particularly in older organizations or companies that have endured mergers and acquisitions.
As CIOs begin to think about migration, lining up key business processes with the legacy tools that fuel them is an ideal starting point, Powers said.
“The first piece is really starting with understanding what are the critical processes that the organization needs to be able to maintain to continue operations, for revenue generation and providing services,” Powers said. “Then figuring out what are the legacy systems and applications supporting each of those.”
Documenting, testing and communicating with stakeholders changes forthcoming can be critical to ensuring success throughout a migration process, Powers said. But modernization is an ongoing affair.
CIOs must continue to evaluate IT tools to identify “where it’s possible to reduce reliance on legacy systems, where it’s possible to retire, to migrate so that you can continue to reduce the risk,” Powers said.
Although simply strengthening the cybersecurity posture is a powerful motivator, tech and security leaders can also keep business goals in mind when approaching modernization.
“Often in the information security business, we don’t consider the business needs,” said Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group. CIOs and CISOs can collaborate closely to sustain a secure IT environment.
This process includes identifying areas where overlapping systems are needed.
“If it’s core, you should have redundancy,” said Jean-Louis.
The modernization process can also help identify the potential business gains of shifting systems to new processes, Lovejoy said.
“It becomes a very interesting dynamic where the security and resiliency people are actually the ones that are writing the business case for modernization nowadays, because of the security and resiliency risk associated with the maintenance of this technology,” Lovejoy said.
