Legacy Risk Corollary

Risk management encompasses risks to privacy, network, process, brand, etc.  I’m interested in a juncture of two threat vectors in this post.

Legacy, in this context, refers to things that have been in-place for a long time.  Often they are heavily depended upon so that they cannot easily be replaced without significant cost and concurrent risk.  Legacy systems usually have the characteristic of being fragile due to lack of knowledge or expertise in maintaining, upgrading or replacing those systems.  A corollary of this is the development principle that anytime you touch code you run the risk of introducing new bugs.  That’s why we perform regression and load/stress testing along with user acceptance, string or end-to-end functional testing with each new release or update.

The lifecycle of Line of Business (LoB) applications often run around 10+ years to get a good Return on Investment (RoI).  This carries the risk that unless you invest in updating systems or get new ones and then transform the current transactional data (“in flight” data) from the first system into the newer one you’ll be dependent on the “legacy” system.  As your workforce ages and shrinks you have an increase in risk unless you invest in scaling knowledge, administration and operational capability of the system out to “new” employees (they need not be new hires but people who’ve previously not shared in the administrative/operational burden of the system in question).

In other words, if a system takes 2 people to administrate it and 5 people to operate it on day 1 then even with increased efficiency from people you shouldn’t expect the Full Time Employee (FTE) requirements to shrink from 7 to 4; it’s unrealistic to maintain operational effectiveness without increasing risk.

Legacy Risk Diagram - ADubiousDude

The increase in risk should be informed by:

  • changes in technology that make the system in question require more specialized knowledge
  • the risk of impact to the business due to the value of the aggregate of the transactions/data within this system
  • greater time demands upon the remaining administration/operations personnel to support/use this system
  • increased demand on these personnel for other systems as well due to their increased cost to the company from multiple factors such as
    • specialized knowledge
    • proven experience supporting valuable systems
    • increased level of ownership/responsibility for systems
    • decreased need for oversight and direction


I see these types of constructions within enterprise information security (#entinfosec).

The junction to which I alluded earlier isn’t just from these legacy systems but is abstracted within the bullet points above.  As we place greater demands upon specialized, high-cost personnel and we entrust increasingly fragile systems to them we begin to bring into light the fact that technology, whether purchased and configured or written in-house is based on several assumptions.  These assumptions include vulnerabilities that are inherent in our current networked business models.  The internet depends on technologies that have weaknesses such as BGP, BIND, SSL, etc.  Our enterprise systems, likewise, include within them assumptions about how connections are formed, trusted and managed.  These personnel carry within their experience the keys to enterprise vulnerabilities, sometimes without realizing it and almost entirely without any motivation for malice.

As I see more layoffs and job eliminations on social media it dawns on me that even if these personnel don’t want to take action on their knowledge they may become prey for next-gen hackers who want to gain insight into enterprise processes.  People can give away a ton of valuable data because it may never dawn on them how very much they known from their years of experience.

Legacy Risk Corollary:

Unlike passwords and IDs that can be revoked or changed to mitigate threats from personnel who are no longer trusted employees; systems, network and process knowledge has a long tail for high impact risk.

Consider that next time you hear that Billy Joe Bob just got “eliminated” after 20 years administrating your company’s relatively flat network.