“Complex problems cannot be solved with simple solutions.” These were the words of Bobby Ford, VP & Global CISO at Unilever, speaking at Infosecurity Europe 2019.
Ford said that the complex challenge of the security risks posed by legacy systems exists in all industries.
He added that a big part of the problem is that we cannot simply decommission legacy IT systems because they support “some critical business processes, and because of that, we can’t just get rid of them.
“Our systems are ageing and our ability to replace them is slowing down. As these systems age, the threat increases for them. We can’t update the systems fast enough to stay in front of the threat.”
If you look back at some of the biggest recent cyber-attacks, Ford continued, you will see that legacy systems were at the heart of most of them.
“It’s a complex problem and it’s not going away anytime soon,” he said. “These legacy IT systems equate to business risk, and it’s important that we understand that when we are talking about patching we are talking about business risk. Business risk isn’t a system going down; business risk is an inability to ship a product, business risk is saying ‘I can’t manufacture goods,’ business risk is being unable to invoice a customer.”
So when we talk about dealing with the risk of legacy IT systems, it’s important we do so in business risk language, Ford said, and solving the problem comes down to having “engaging conversations with our business partners to understand our most critical business systems.
“We can’t define what’s most critical, only the business can define what’s most critical.”
To conclude, Ford explained that the key to succeeding in dealing with the risks surrounding legacy systems is prioritization. “I’ve said this my entire career; if we are going to be successful as professional security risk managers, we have to be able to prioritize. We cannot do everything and we can’t secure all systems. We have to work with the business to identity the most critical systems, and then try to secure them.”