Legacy technology is not always as bad as it is commonly believed to be, according to a panel of CISO speakers.
Speaking during the Think Cybersecurity for Government conference, Bill McCluggage, managing director of Laganview Associates, said that legacy technology “is not all bad” and while all organizations have some sort of legacy technology and accrue not only tech debt but legacy issues, the positive side is that “it is stable and we understand it.”
He said that while legacy technology is reasonably well understood and protected behind layers, the challenges can lie in getting provider support, in not being able to adapt to the modern threat landscape, and in database issues. “What we create today will be legacy tomorrow; we have got it and have to live with it.”
Paul Jackson, head of public sector at Tanium, said the challenge across government is that there is “no shortage of programs looking at digital transformation” and that it is common for them to struggle with legacy technology. “I speak to hospitals and universities, and they tell you what [the network is] made up of, and they have not got a hand on what they have got. It is hard to protect and hard to transform.” He recommended “getting the basics right, as the sooner you get a handle on it, the better it is for your environment.”
Greg van der Gaast, CISO of Salford University, said legacy technology “tends to be a known quantity”: most environments have thousands of endpoints, but legacy technology is known about and sits behind layers of protection. “It is like the family jewels; you keep them safe and not hanging out of the window,” he said. “It was said that systems are legacy the minute they hit production, but that should not be the case.”
McCluggage agreed, saying that legacy technology is known to be stable and its ports of entry are known, but that keeping it managed, with the right people, is a challenge. “Over the next year to 18 months we will have import duties run off backend legacy systems, and they will be the engines of the state,” he said.
Jackson made the point that a lot of attackers target vulnerabilities in the legacy estate, so users are advised to take a “holistic view.” Van der Gaast added that if you do not have awareness of your environment around legacy systems, you cannot be sure it is isolated: “if you create layers it requires awareness of these layers.”