Threatonomics

Killing legacy systems might be your smartest financial move 

by David Meese, Director, Security and Risk Services

The switching cost might be lower than the cost of an attack

Every CISO has that one system. Maybe it’s running on Windows Server 2008, which left Microsoft’s extended support in January 2020. Maybe it’s the manufacturing control system that predates your current CEO. Maybe it’s the ancient database that three different business-critical applications depend on, maintained by one person who’s been threatening to retire for five years.

You know these systems are problems. Your security team knows they’re problems. But when you bring up decommissioning to the CFO, you hear the same response: “If it ain’t broke, why spend money fixing it?”

Here’s what that mindset misses: These systems aren’t just sitting there doing their jobs. You’re paying premium vendor support fees (if you can get support at all), specialized contractors who still know COBOL or maintain ancient hardware, and workarounds every time a new system needs to integrate. Your team spends hours creating custom patches and manual processes. Every new project requires extra time building APIs for systems that were never meant to connect to anything, creating data transformation layers, testing integration points that break unexpectedly. Your talented engineers are doing archaeological IT instead of building competitive advantages.

And that’s before we even talk about the risk.

Old technology multiplies your risk exposure

Unpatched vulnerabilities are the most obvious problem. When a vendor ends support, security updates end with it, but public vulnerability disclosure does not: every vulnerability published after that date is a permanent, unfixable attack vector on that system, and public exploit code usually follows the disclosure. Your incident response plan has to account for this, with playbooks that contain a compromise of a system you cannot patch, and often cannot restart, without disrupting the critical business processes that depend on it.

Insurance providers pay close attention. In our analysis of the current market, cyber insurers often respond to unsupported technology with higher premiums, coverage exclusions for incidents that originate on it, or lengthy underwriting questionnaires that delay binding. Some now explicitly ask about Windows Server versions, database ages, and end-of-life software. Property insurers worry about fire hazards, excessive cooling needs, and equipment failures causing water damage or electrical issues.

Compliance frameworks increasingly assume modern capabilities. When auditors ask about encryption standards (current TLS versions and cipher suites), centralized logging, or identity management (MFA, single sign-on), outdated systems often cannot meet what regulations require, and every gap becomes an exception you have to document and defend.

But the most insidious problem is the ripple effect. These systems rarely exist in isolation. That old server connects to your network. The ancient application shares data with modern systems. When attackers compromise outdated technology, they use it as a foothold to move laterally. One vulnerable system can expose everything connected to it.

Building the financial case CFOs care about

CFOs make decisions based on numbers, not anxiety. To make your case, you need to quantify total cost of ownership and translate security concerns into business language.

Start with a comprehensive cost inventory: vendor support contracts, contractor fees, specialized maintenance staff, power and cooling for inefficient hardware, incident response exercises for specific scenarios, and team time spent on maintenance versus strategic work. This is your baseline—what you’re already spending.

Next, quantify cyber risk in financial terms using reasonable estimates based on industry benchmarks. Calculate expected annual loss: the annual probability of a material breach involving the system multiplied by the loss if it happens (in insurance terms, annual rate of occurrence times single-loss expectancy). A system with known, unpatched vulnerabilities facing the internet has dramatically different risk than an air-gapped system with compensating controls, so estimate the probability per system and per year rather than using one blanket figure. For impact, consider regulatory fines, customer notification, incident response expenses, business interruption, and reputation damage.

Create three scenarios: maintain the current system (including expected incident losses), implement controls while planning transition, or fully replace. Spread these over a realistic timeline—usually three to five years—and calculate net present value for each.
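The three steps above (cost inventory, expected annual loss, three scenarios discounted to net present value) fit in one small model. The following is an added worked example, not code or figures from the original article: every number in it (run costs, migration spend, breach probabilities, the $2M impact, the 8% discount rate) is a constructed placeholder that you would replace with your own inventory and benchmark-based estimates.

```python
"""Three-scenario cost model for a legacy system: expected annual loss plus
net present value over a five-year horizon.

Added worked example, not code or data from the original article. Every
figure below (run costs, one-off spend, breach probabilities, impact,
discount rate) is a constructed placeholder to show the mechanics.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    run_cost: list[float]            # per year: support, contractors, staff time, power/cooling
    one_off: list[float]             # per year: migration, parallel running, new licences
    breach_probability: list[float]  # per year: chance of a material breach involving the system
    impact: float                    # single-loss expectancy: fines, notification, IR, downtime, reputation

    def expected_annual_loss(self, year: int) -> float:
        # ALE for the year = annual rate of occurrence x single-loss expectancy
        return self.breach_probability[year] * self.impact

    def yearly_outflow(self, year: int) -> float:
        return self.run_cost[year] + self.one_off[year] + self.expected_annual_loss(year)


def npv(cash_flows: list[float], discount_rate: float) -> float:
    """Net present value of annual outflows; year 0 is spent now and not discounted."""
    return sum(cf / (1.0 + discount_rate) ** t for t, cf in enumerate(cash_flows))


def compare(scenarios: list[Scenario], discount_rate: float = 0.08) -> dict[str, float]:
    """NPV of total cost (run + one-off + expected loss) per scenario; lowest is cheapest."""
    result = {}
    for s in scenarios:
        years = len(s.run_cost)
        assert len(s.one_off) == years == len(s.breach_probability), s.name
        result[s.name] = round(npv([s.yearly_outflow(t) for t in range(years)], discount_rate), 2)
    return result


# Constructed inputs: one end-of-life server, 5-year horizon, $2M loss if breached.
IMPACT = 2_000_000.0

SCENARIOS = [
    Scenario(
        name="Maintain as-is",
        run_cost=[400_000.0] * 5,
        one_off=[0.0] * 5,
        breach_probability=[0.15, 0.18, 0.21, 0.24, 0.27],  # risk grows as public exploits accumulate
        impact=IMPACT,
    ),
    Scenario(
        name="Controls now, replace in year 2",
        run_cost=[400_000.0, 400_000.0, 400_000.0, 150_000.0, 150_000.0],
        one_off=[100_000.0, 0.0, 600_000.0, 300_000.0, 0.0],  # segmentation + monitoring, then migration
        breach_probability=[0.06, 0.06, 0.06, 0.02, 0.02],    # controls cut probability, not to zero
        impact=IMPACT,
    ),
    Scenario(
        name="Replace now",
        run_cost=[400_000.0, 250_000.0, 150_000.0, 150_000.0, 150_000.0],
        one_off=[700_000.0, 400_000.0, 0.0, 0.0, 0.0],        # parallel running in years 0-1
        breach_probability=[0.15, 0.08, 0.02, 0.02, 0.02],    # old system still live during cutover
        impact=IMPACT,
    ),
]


if __name__ == "__main__":
    for name, value in sorted(compare(SCENARIOS).items(), key=lambda kv: kv[1]):
        print(f"{name:35s} NPV of 5-year cost: ${value:,.0f}")
```

With these placeholder inputs, "maintain as-is" costs roughly $900K more in present-value terms than either replacement path, while the two replacement paths land within a few tens of thousands of each other. That closeness is the useful lesson: the timing of the migration and the real effectiveness of interim controls drive the answer, so vary the breach probabilities and the discount rate before you present the numbers.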

Now frame this analysis in terms CFOs understand. Talk about operational efficiency using your organization’s specific data points. For example, “This system requires manual data entry that the replacement automates, saving 2,000 work hours annually at $75 per hour—that’s $150,000 eliminated.” Talk about business velocity: “Current provisioning takes three days. Replacement does it in hours, increasing our capacity to onboard clients by 40% without adding staff.”

Show how modernization enables revenue growth, not just prevents losses. Yes, avoiding breaches matters, but so does the new product line you can launch when systems actually talk to each other, the self-service portal that reduces support costs while improving satisfaction, and the partner integration that opens new distribution channels.

Frame this as a business investment that reduces risk as a side benefit, not a security project asking for budget.

When you can’t decommission what you still need

Here’s the reality most blog posts ignore: You can’t always just turn things off. Maybe the system runs your core business process with no drop-in replacement. Maybe it’s embedded in manufacturing equipment that would cost millions to upgrade. Maybe it’s so deeply integrated that untangling it would take years.

You’re not helpless—you need a different strategy. Here’s how to enhance your security posture while you plan for eventual replacement:

1. Isolate the system. Network segmentation is your first line of defense. Put problematic systems in their own segment with a default-deny policy in both directions: only specific users and systems can reach the legacy environment, only through controlled pathways such as a jump host that enforces MFA and logs every session, and the legacy host itself can reach only the handful of destinations and ports its business function needs. Restricting outbound traffic matters as much as inbound, because a compromised legacy host with open egress is the attacker’s beachhead. Use microsegmentation to help limit the impact of potential breaches, or air-gapping for extreme cases.

2. Enhance monitoring. Deploy sensors specifically for legacy system traffic. Many legacy operating systems cannot run a modern endpoint agent, so network telemetry (firewall and flow logs, an IDS or a span port on the enclave switch) often has to carry the load. Watch for lateral movement attempts, unusual access patterns, or communication to unexpected destinations, and treat any allowed flow that crosses the segment boundary outside the documented pathways as a segmentation failure, not just a suspicious event. Your SOC needs dedicated playbooks for compromise scenarios that account for systems you can’t quickly patch or restart.

3. Build parallel systems for gradual migration. Stand up the replacement while maintaining the old system. Migrate workloads incrementally to spread costs and reduce cutover risk. This approach gives your team time to discover hidden dependencies before you’re fully committed and allows you to validate the new system works before decommissioning the old one.

4. Transfer risk where possible. Some insurers offer specialized coverage for known legacy system risks if you demonstrate appropriate controls. Vendor contracts can include specific SLAs and financial penalties for security failures in third-party systems you can’t directly control. This doesn’t eliminate risk, but it makes the financial impact more predictable.

5. Document everything. Track your compensating controls, monitoring coverage, and mitigation costs. This documentation serves two purposes: it demonstrates due diligence to auditors and insurers, and it builds the ongoing business case for eventual replacement by showing exactly how much you’re spending to work around the problem.
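Steps 1 and 2 together amount to a written segmentation policy and a check that the traffic you see actually obeys it. The following is an added example, not code from the original article, of that check run over firewall flow logs: the enclave range, jump host, allowed pathways, log format and log lines are all constructed for illustration, and you would substitute your own policy and your own firewall or VPC flow logs.

```python
"""Flow-log audit for a segmented legacy enclave.

Added example, not code from the original article. The enclave range, jump
host, allowed pathways, log format and sample log lines are all constructed
for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed segmentation policy: the enclave, the one bastion allowed in, and
# the only outbound (destination network, port) pairs the legacy host needs.
LEGACY_ENCLAVE = ipaddress.ip_network("10.50.0.0/24")
JUMP_HOST = ipaddress.ip_address("10.10.1.5")
ALLOWED_OUTBOUND = [
    (ipaddress.ip_network("10.20.3.0/24"), 1433),   # legacy app pushes to the modern database tier
    (ipaddress.ip_network("10.10.2.10/32"), 514),   # syslog to the collector
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    action: str  # what the firewall did: ALLOW or DENY


def parse_flow(line: str) -> Flow:
    """Constructed format: '<ts> <src> <dst> <dport> <ALLOW|DENY>'."""
    ts, src, dst, dport, action = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), action)


def classify(flow: Flow) -> str | None:
    """Return an alert name for traffic that crosses the enclave boundary
    outside the policy, or None for traffic the policy permits."""
    src_in = flow.src in LEGACY_ENCLAVE
    dst_in = flow.dst in LEGACY_ENCLAVE
    if src_in == dst_in:
        return None                      # entirely inside or entirely outside the enclave
    if dst_in:                           # inbound: only via the jump host
        return None if flow.src == JUMP_HOST else "inbound-bypass"
    for net, port in ALLOWED_OUTBOUND:   # outbound: only the allowlisted pathways
        if flow.dst in net and flow.dport == port:
            return None
    return "lateral-movement" if flow.dst in INTERNAL else "egress-unexpected"


def audit(lines: list[str]) -> list[dict]:
    """Run every line through the policy. A DENY is the control working and
    still worth a ticket; an ALLOW on an alerted flow is a segmentation gap."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict is not None:
            alerts.append({
                "alert": verdict,
                "severity": "high" if flow.action == "ALLOW" else "medium",
                "src": str(flow.src), "dst": str(flow.dst), "dport": flow.dport,
            })
    return alerts


# Constructed sample: one legacy host, 10.50.0.12, during a normal morning.
SAMPLE_FLOWS = [
    "2025-01-10T09:00:01Z 10.50.0.12 10.20.3.8 1433 ALLOW",    # push to the DB tier: permitted
    "2025-01-10T09:00:05Z 10.10.1.5 10.50.0.12 3389 ALLOW",    # admin RDP via the jump host: permitted
    "2025-01-10T09:01:10Z 10.30.7.44 10.50.0.12 445 ALLOW",    # workstation straight into the enclave
    "2025-01-10T09:02:30Z 10.50.0.12 10.30.7.44 445 DENY",     # legacy host probing the user LAN
    "2025-01-10T09:03:00Z 10.50.0.12 203.0.113.9 443 ALLOW",   # legacy host reaching the internet
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS):
        print(alert)
```

On the sample, the two permitted flows pass silently and the other three raise alerts: the workstation reaching the enclave directly and the legacy host reaching the internet are both high severity because the firewall allowed them, which means the policy on paper and the policy in the rule base disagree; the denied probe of the user LAN is the segmentation doing its job, but a legacy host scanning SMB on the user network is still an incident to investigate. The allowlist in this script doubles as the documentation of compensating controls that step 5 asks for.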

Making the transition manageable

Identify your highest-risk, highest-cost problems and prioritize those. Create a three-year roadmap that tackles one or two major systems per year.

Look for quick wins. Maybe there’s a clear cloud alternative that can be migrated in three months. Maybe there’s a simple API replacement that eliminates a major integration headache. Early successes create momentum and justify continued investment.

Use a risk-cost matrix to prioritize. Map each system on two axes: risk to the organization and cost to maintain. High-risk, high-cost problems are obvious priorities. Low-risk, low-cost situations can wait. The interesting decisions are high-risk but inexpensive to maintain (where additional controls might be enough) versus low-risk but expensive (where replacement offers operational benefits even without major risk reduction).

Be honest about which situations call for mitigation versus replacement. Planning to sell a business unit in 18 months? Additional controls might make more sense than expensive migration. But if the system is core to your business for the next decade, recognize that mitigation is temporary and budget accordingly.

The cost of waiting keeps compounding

The longer outdated systems age, the harder transitions become. Specialized knowledge becomes rarer and more expensive. Technical debt accumulates. The business becomes more dependent on fragile infrastructure.

Whether you’re planning full decommissioning or implementing controls during transition, doing nothing often carries the highest long-term risk profile. Inaction isn’t free—it’s just harder to see on the balance sheet until something breaks.

Document what you have, calculate true costs, quantify risk exposure, and model realistic scenarios. Even if full migration is months away, having the analysis ready positions you to move quickly when budget becomes available or an incident makes the case impossible to ignore.

The best time to address this was five years ago. The second-best time is now.
