Every company has some level of tech debt. Unless you're a brand new start-up, you most likely have a patchwork of solutions that have been implemented throughout the years, often under various leadership teams with different priorities and goals. As those technologies age, they can leave your organization vulnerable to cyber threats.
While replacing legacy technologies can be costly, those costs may pale in comparison to a breach – both in terms of immediate financial impact and reputational damage.
Here are three ways you can communicate risk to your leadership team as you work to replace legacy infrastructure.
1: Make the Risk Real
Leadership teams are driven by quantifiable business implications. The best way to get support for updating or replacing legacy technology is to make the risk to the business real - and measurable - in a language they understand.
One way to do this is to look at the list of critical vulnerabilities that you've identified, then evaluate the impact that each CVE could have on the business. Citing real-world examples from companies in the same industry or market as yours adds additional credibility. This way, you can create a compelling story that resonates with the leadership team as to how the company could be impacted by a breach. This also creates a sense of urgency to get leadership on board with replacing or updating that tech.
When creating your story, think through all the potential implications; don't skimp on the details. Are there specific business initiatives that may be delayed, especially those that are high priorities for the business? Will there be potential legal or compliance-related issues, such as SOX implications resulting from a DDOS on an ERP system or potential privacy fines for GDPR violations? When it comes time to engage your insurance provider on an upcoming renewal, what implications would that breach have on your insurance rates? Are there remediation costs to project as well?
Get specific here. To make an even stronger business case, estimate the cost associated with each potential breach associated with the CVE, then compare these costs with the costs of replacing your legacy technologies.
2: Partner with Leaders Across Other Departments
Earning buy-in from other departments can help you further your case. You may be surprised at how easily you find allies - even in places you might not suspect. Depending on the technology at hand, you may find supporters across your legal team, warehouse team, distribution team, marketing team, or even your finance partners.
Once you've identified champions across other departments, find out how replacing outdated technology would benefit their operations. Perhaps accounting could close their books 3-4 days faster each month with a more current accounting system. Or, the business could fulfill twice as many orders each week with an upgraded logistics platform.
These conversations can also center around support needs. If departments are using legacy technologies that are no longer supported by the vendor, they may be using cumbersome workarounds or holding off on meaningful improvements because they simply can't be accommodated by their existing systems. In these situations, build a business case around the operational improvements that could be achieved with an investment in newer technology.
3: Reframe the Conversation
When you bring these insights to the leadership team, be conscientious about how you frame the conversation. Use your "big picture" plan to communicate the risk along with the benefits of upgrading.
Prepare for objections in advance. Many leaders hear comments like the following:
"We want to do this, but we don't have the money right now."
"If it's not broke, don't fix it."
"Attackers won't even go after that technology; it's not worth their time."
Those are normal reactions, but this means more anchoring and business context is needed. Here's where you can use continuous security validation cycles to prove your case. There is no need to base plans on assumptions, you can prove what could actually happen in your specific environment. Framing the conversation in that way is hard to ignore.
When You Don't Get Immediate Buy-In: Still, Continuous Security Validation
Changing the minds of leadership to acknowledge security as a business enabler isn't an easy task. If the job wasn't completed on your first go, it doesn't mean you have to simply accept the security risks that come with legacy technologies. By leveraging continuous and automated security validation practices, you can control the risk and mitigate where critical. You can also benchmark your environment's risk over time and strengthen your case with leadership about the needed changes to technology.
To do this, look for security validation technologies that don't just simulate attacks, but use safe, real exploits to test how your existing defenses stand up to real-world threats. And consider automating routine tests to validate controls on an ongoing basis to always ensure security readiness.
For more information, check out the on-demand recording of our recent webinar with Lee Bailey, Group CISO at Unilever Prestige. If you're ready to learn more about Automated Security Validation, contact a member of the Pentera team at pentera.io.