Cyber Security

make a cybersecurity case for modernization

make a cybersecurity case for modernization
Written by ga_dahmani
make a cybersecurity case for modernization

What does the term “Legacy Systems” mean to you? What image does it evoke?

Well, the word “legacy” can mean “something handed down or received from an ancestor or predecessor or from the past”. For example, the “legacy of the ancient philosophers”, or perhaps the “legacy of the ancient IT professionals”. A legacy is something that is passed down from one generation to the next. The next generation may not have asked for this gift, but they must accept it nonetheless.

legacy systems

According to Tecnopedia, and in the context of computing, the definition of a legacy system is “outdated computing systems, programming languages, or application software that are used in place of the updated versions available. The system still meets the needs for which it was initially designed, but it does not allow for growth. Not surprisingly, this definition misses the mark because not only does a legacy system not allow for growth, it can leave organizations exposed to a number of risks.

UK government state that “legacy technology can refer to an organization’s IT infrastructure and systems, hardware, and related business processes.” Technology becomes legacy because some or all of the following become true:

  • The technology is out of vendor support, ie it has reached the end of its useful life.
  • The technology is impossible to upgrade.
  • It is no longer profitable to maintain the technology.
  • The technology exceeds the threshold of acceptable risk.

There are many examples of legacy systems in operation today, and they operate at the highest levels of society and at the heart of some of the most influential and important institutions imaginable. But removing legacy systems could be extremely problematic. They may be an integral part of the safe operation of a critical service, or perhaps even a critical national infrastructure (CNI).

legacy of the beast

In 2019, the US Government Accountability Office (GAO) published a report highlighting the ten most critical legacy systems in need of modernization.

In that report, they identified a number of systems that were over 30 years old and ranked “High” in terms of their criticality. Government agencies included in this report include the Department of Defense, the Department of Education, and Transportation.

Although this report focused on the US, there is no reason to think that UK branches of government are not as exposed as our US cousins. In 2021, the UK launched a review of legacy IT systems and aims to have a framework to identify infrastructure ‘at risk’ by the end of 2022. This will allow them to prioritize spending and ensure a modernization program is in place.

In July 2021, the Report of the Digital Economic Council noted that nearly 50% of UK government IT spending is spent on “keeping the lights on” activity on outdated legacy systems. This equates to an annual spend of £2.3bn (US$3.1bn). The analysis goes on to state that this brings a number of challenges, including very high maintenance costs to “keep the lights on”, data and cybersecurity risks, and the inability to develop new features in technologies and systems that are no longer widely used. compatible. Regarding cybersecurity, the study goes on to say that some departmental services do not meet even minimum cybersecurity standards.

The bottom line is that the UK government must do better. But here we are today, having inherited the systems as a legacy from the previous generation of IT professionals. From a generation that probably didn’t consider the world we now inhabit. A borderless digital universe that has been compared to the Wild West so many times that it has almost become a cliché. But it’s just a cliché because it’s true.

One of the fundamental problems with legacy systems is that they are out of date. In this modern world with ever-increasing threats all around us, obsolete means vulnerable to attacks, outages, and outages. Another key risk surrounding legacy systems is that they have become beasts that are difficult to manage or contain, and where they can be managed effectively, those who have the knowledge to support these systems are similarly aging and leaving the workforce.

Arguments in favor of modernization

Using legacy systems can also lead to inefficiencies within the organization. For example, they may perform more slowly than more advanced systems, and their ability to integrate with other systems (such as APIs) is diminished.

Legacy systems don’t lend themselves to the more “agile” way of working that many organizations now operate with. This means slower production and productivity, which increases costs.

It is also important to remember that organizations implementing security standards such as Cyber ​​Essentials and ISO 27001 will need to demonstrate that they have patch management processes in place. If legacy systems exist, how does an organization demonstrate compliance if these systems remain unpatched?

Of course, before you make the case for modernization, you must learn to tame the beast!

tame the beast

It is essential to understand what is on your network and to understand where the greatest risks are. That’s why it’s critical to conduct system performance and security audits so you can see what devices, systems, and software reside on your infrastructure. Having an accurate asset record of your systems and services is therefore a critical step in taming this beast. But while this is something that can be done using a variety of tools and systems, it must go further.

Carrying out a business impact assessment or analysis (BIA) to establish the criticality of the system will give you an idea of ​​the criticality of that system. From there, you can develop a modernization program, or at least develop a plan to reduce the impact on your organization in the event of an outage. For example, you may decide to increase security and controls around the legacy system, thereby protecting its fragility and reducing the likelihood of direct system impact.

While this may seem like an effective approach, it will not completely eradicate legacy system risks as human resources age and leave the organization. The key question to ask is, “Who understands this system if all else fails?” Therefore, a greater investment in training and succession planning is required. The “old guard” must learn to trust their younger counterparts and pass on the knowledge they have gained over the years.


There’s no denying that legacy systems continue to function in abundance across multiple public and private sector organizations. But this is not sustainable, and there are things we can do to improve the situation. Continuing to ignore this puts us all at risk, which is why we should consider a modernization program based on criticality and impact on our organizations. The time has come to tame the beast. Let’s work to update the systems so that the only legacy you leave in any organization you touch throughout your career is that of “The one who tamed the beasts”.

Gary-HibberdAbout the Author: Gary Hibberd is ‘The Professor of Cyber ​​Communication’ at Cyberfort and is a specialist in Cyber ​​Security and Data Protection with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from the dark web to cybercrime to cyber psychology.

You can follow Gary on Twitter here: @GaryAgency

Publisher’s note: The views expressed in this guest post are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.

About the author


Leave a Comment