
Federal agencies face mounting pressure to modernize legacy IT systems, but experts warn that success requires more than new technology – it demands cultural change, user input, and a sharper focus on securing overlooked infrastructure.
Speaking at the Billington CyberSecurity Summit on Sept. 10, officials from the public and private sectors shared their advice on how to navigate a legacy system transformation.
Ryan McArthur, the federal chief technology officer (CTO) at Zscaler, said that the first step for any organization is to “admit they have a problem.”
“Really, it’s a first step of getting everyone to understand that you have a problem and understand that there’s an issue,” McArthur said.
The CTO explained that in the operational technology (OT) and critical infrastructure space, devices will have a wide range of security postures.
“You have to get everyone to understand within the organization that they need to change the posture of those devices,” McArthur said. “Because, right now, what you look at is the average mean time for an organization to understand if they have a threat actor inside their environment today is about 270 days from a threat actor being recognized inside that environment.”
“What they’re doing is they’re just poking and prodding little by little, where they actually get recognized from an IP perspective,” he explained.
While agencies have been focused on moving towards zero trust in the user and workspace domains, McArthur warned that critical infrastructure, Internet of Things (IoT), and OT systems have been largely ignored.
“That’s one of the last things that’s kind of moving [towards zero trust] because we’re really focused on the user and in the workspace place,” he said. “So, we have to start to look at the IoT, OT space, and see how we can move that more easily.”
Similarly, George Lamb, the director of cloud and software modernization in the Pentagon’s Office of the Chief Information Officer (CIO), said that addressing legacy systems first comes down to “culture.”
Lamb explained that the Department of Defense – which the Trump administration has rebranded as the Department of War – issued a report this year titled “The State of DevSecOps.”
In conducting the report, Lamb said the department realized that “the technology is amazing … but we’re still getting programs that don’t modernize.”
“The thing when we peel back is, at the end of the day, it’s the culture around it, it’s the business operations, it’s the program managers that don’t understand what their customers are,” Lamb explained. “It’s the testing community that doesn’t realize that they have to test before the system is done, and not after the system is done. So, the cultural challenges, I think, are the biggest lessons.”
Josh Reiter, the CTO of the Pentagon’s All-domain Anomaly Resolution Office (AARO), also underscored the importance of user input when modernizing legacy systems.
He pointed to scenarios where agencies invest millions of dollars to upgrade IT systems “so that you can more efficiently print things out and put them in blue folders” – instead of taking the opportunity to “modernize your process.”
“The red flag there is when your CIO or your CISO talks about digital modernization as opposed to modernization,” Reiter said. “It’s just modernization … you have an opportunity to transform the process and make everyone’s life better, or at least less bad.”
“The biggest thing, I think, is the opportunity, and in some cases, the necessity, for user input and process improvement in tandem with upgrading your legacy service,” he said.