When IT leaders think about “rip and replace” efforts, the first thoughts that probably come to mind are about the potentially huge cost and the inevitable disruption to the business. But these massive system replacement efforts also create different security worries for the organization.
The irony is that either the older system or the new system might be the better one from a basic security standpoint, determined in large part by how seriously the organization takes security from the outset. It can be a Catch-22 scenario that the CSO can do a lot to resolve.
A lot also depends on how complex each system is, what the business needs to do with each, and who will access each. Those factors shift as business processes evolve over the course of the effort, so comparing the two systems can be an apples-to-oranges exercise.
“I don’t think there’s an obvious or clear-cut answer, and the reason is this: when you talk about security as a result of a change, what you are actually asking is, ‘How secure is the new system as compared to the old system?’ and ‘What kind of risks are being introduced as a result of a change to the system?’,” explains Michael Krigsman, an industry analyst and founder of CxOTalk.com.
“Typically, an older system may not be written as securely as a new system because in the ‘olden days’ we didn’t take security as seriously as we do today,” Krigsman notes. “On the other hand, that older system may be simpler than the new system and the footprint may be smaller, which means that there is less there to go wrong.”
“If it’s a modern system, the newer system should be architected from the ground up with security as a major concern,” Krigsman continues. “On the other hand, that new system is probably going to have interfaces to external partners and vendors, which is definitely an added layer of complexity and risk.”
Is there better safety in numbers?
How secure a replacement system is depends in part on whether the organization goes it alone with the rip and replace effort or, if a solutions provider is involved, on which parts of the project the provider manages. Chances are that the organization doesn’t have many staff trained on the new system, and internal IT will have all it can do just to keep up with the implementation.
This makes the organization dependent on the vendor’s team to build security measures in properly, from a user-needs perspective as well as a technology one.
Security concerns also extend to the data itself and to what happens to it as the organization sunsets the old system and goes live on the new one.