Disrupt Your Legacy Application Portfolio to Improve Security And Resiliency

Jonathan Behnke, Chief Information Officer, City of San Diego

Government legacy systems pose security challenges, lack the agility to respond to new security threats and vulnerabilities, and can fall short of the efficiencies and user experience that modern solutions provide. During the COVID-19 pandemic, many state unemployment benefit systems were overwhelmed with huge volumes of traffic that the underlying technology could not support. Aging IRS systems have caused operational challenges and have been a barrier to modernized services, improved efficiencies, and an improved user experience.


Some of the most common reasons for public sector legacy applications include lack of modernization funding, staffing constraints, complacency with legacy solutions, and resistance to change. As legacy applications age they can be more costly to support, increase an organization’s risk exposure, and present challenges for hiring and retaining technical staff to support the technology.

In 2020, the State of New Jersey made a plea for volunteers who knew the COBOL programming language to assist them in resolving issues with their aging mainframe applications. The demand for available technical skills to support legacy applications can far exceed the supply as IT workers continue to shift their skillsets to support modern technologies.


A common misconception is that age is the biggest factor in defining legacy applications. While the age of an application can play a significant role in driving applications into a legacy state, multiple criteria should be considered in evaluating an application portfolio to prioritize modernization.

Some of the most common characteristics of legacy applications include:

- Unsupported technologies – The foundational technologies of an application, including the database, operating system, development language, and availability of vendor support and patches. If any of these technologies enter an unsupported state, the application should be considered legacy and prioritized for modernization.

- Security risk – Any unsupported technologies or lack of new security patches raises the risk exposure for an organization. Operational changes may be required to mitigate the risk, but ultimately security risk has been one of the main drivers to accelerate replacement of legacy solutions.

- Business or technical entropy – An application that was implemented in 2014 may have had the best available technology and functionality at that time, but entropy takes place over time and it may not be serving its purpose well in the current timeframe. Emerging technology improvements, new business requirements, and evolving customer expectations may be good reasons to replace a solution, even if the underlying technology is still supported.

- Increased maintenance costs and scarcity of technical skills for support – Legacy applications can increase costs with additional security mitigations and the scarcity of available technical skills to maintain support.


Annual reviews of an application portfolio are needed to identify legacy applications for replacement but more importantly to develop a roadmap to prevent current applications from entering a legacy state. A detailed application inventory is an essential starting point to managing an application portfolio and minimizing the impact of legacy technologies.

Simple steps can be taken to ensure that updates to operating systems, databases, and applications are completed regularly and planned with the business stakeholder. The expected lifespan of each technology can be tracked annually so end-of-life technologies don’t creep up and become a problem. Regular conversations about changing business needs should occur to ensure existing applications are providing business efficiencies and meeting customer expectations.


Limited budget and resources will likely require prioritizing the modernization of legacy applications to make sure technology investments provide the maximum benefit. A risk assessment of legacy applications can help identify the highest-risk systems that have the greatest potential for business disruption. Penetration testing can help reveal vulnerabilities, but a more comprehensive assessment is needed to understand the full level of risk exposure. NIST Special Publication 800-30 provides an excellent framework for evaluating the existing threats, vulnerabilities, likelihood of occurrence, and magnitude of impact to determine an overall risk exposure score. The applications with the highest risk score should be given a high priority in legacy system replacement.


Business stakeholders may be complacent with legacy applications and have no sense of urgency to modernize them. While risk exposure may be viewed as important, it may not provide a strong enough business case to modernize an application. Business stakeholders need to see other benefits, including opportunities for business process reengineering, new efficiencies, regulatory compliance, robotic process automation, faster realization of revenues, increased self-service, data-driven decision making, improved user experience, and increased customer satisfaction.


In the past, solutions for public sector use-cases have traditionally lagged behind the private sector. Over the past few years there has been a healthy expansion of available solutions for the public sector. Cloud and XaaS solutions have shortened implementation times and reduced upfront costs. Many solution providers have an excellent understanding of the public sector, and multiple solutions are now available for many use-cases. Legacy system modernization can be a huge endeavor, but it can deliver improved security, resiliency, efficiencies, and user experience. With the growth of cloud and XaaS solutions that include automatic updates, organizations that adopt aggressive modernization strategies will make legacy systems a thing of the past.
