New research in the EY 2024 Global Cybersecurity Leadership Insights Study suggests that cyber teams can dramatically improve both accuracy and speed in detecting and responding to all three types of incident by deploying AI and automation; however, the problem for agency CISOs is that they preside over a ‘spaghetti mess’ of legacy technologies, which is incompatible with advanced cybersecurity tools and significantly increases their exposure to cyberattacks. In fact, the ASD found 71 per cent of government entities are reporting that legacy technologies are impacting their ability to implement the Essential Eight – an increase from 52 per cent in 2023.
Solve for legacy first
It is no longer reasonable to expect cyber teams can defend legacy systems against AI-powered attacks.
Outdated systems often rely on obsolete software and hardware, which no longer receive critical security updates, leaving them exposed. Fragmented older systems can also provide AI-enabled attackers with easier entry points and a broader attack surface. Meanwhile, cyber teams have limited visibility of the attack surface, making it impossible to defend.
If government departments are to defend their operations, modernisation needs to happen urgently. The fact that this is not a top agency priority comes down to several factors that CISOs can work to address this year.
Build a holistic business case
Last year, almost a quarter (24 per cent) of agencies told the ASD that a lack of dedicated funding was the biggest hurdle to modernising legacy systems. Modernisation programs don’t get funding because the business case is centred only on removing technical debt and therefore fails to demonstrate sufficient value to justify the investment.
This narrow framing overlooks the broader benefits of modern digital platforms, including dramatically better cyber defences, the reduced costs to operate and sustain the new system, data-driven decision-making and AI-powered capabilities. When departments consider the full spectrum of value, especially the ability to mitigate substantial cyber risk, the case for modernisation becomes far more compelling.
Quantify cyber risk mitigation
Building a credible business case requires moving away from qualitative risk measures – like high, medium and low risk ratings – and instead using cyber risk quantification approaches (for example, Open FAIR) to calculate scenario-based annualised event loss values. These values take into account the frequency of attempted attacks, the likelihood of successful compromise and the costs of losses, remediation, business continuity failures, and citizen and national impacts.
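The following is an added worked example of the quantification described above; it is not code from the EY study or from The Open Group’s Open FAIR standard. It factors a scenario the way FAIR does (attempt frequency × probability of successful compromise × loss per event) to produce a point-estimate annualised loss, then runs a seeded Monte Carlo simulation to show the tail (95th percentile) that a ‘high/medium/low’ rating hides. The two scenarios, their frequencies, probabilities and dollar figures are all constructed placeholders, not figures from the study or the ASD.

```python
# Added example: FAIR-style cyber risk quantification for a legacy-system scenario.
# Not EY's or The Open Group's code; every scenario figure below is constructed.
from dataclasses import dataclass
import math
import random
import statistics


@dataclass(frozen=True)
class LossScenario:
    """One loss scenario, parameterised along the factors Open FAIR uses."""
    name: str
    tef_per_year: float       # threat event frequency: attempted attacks per year
    p_success: float          # vulnerability: probability that one attempt succeeds
    loss_low: float           # loss per successful event ($): low estimate
    loss_most_likely: float   # loss per successful event ($): most likely estimate
    loss_high: float          # loss per successful event ($): high estimate, including
                              # remediation, continuity failure and citizen impact

    def expected_loss_per_event(self) -> float:
        # Mean of a triangular distribution spanning the three estimates.
        return (self.loss_low + self.loss_most_likely + self.loss_high) / 3.0


def annualised_loss_expectancy(s: LossScenario) -> float:
    """Point estimate: attempts per year x P(success) x expected loss per event."""
    return s.tef_per_year * s.p_success * s.expected_loss_per_event()


def risk_reduction(before: LossScenario, after: LossScenario) -> float:
    """Annualised dollars 'taken off the risk table' by moving from before to after."""
    return annualised_loss_expectancy(before) - annualised_loss_expectancy(after)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(s: LossScenario, trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo over one year: Poisson attempts, Bernoulli success, triangular loss."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        attempts = _poisson(rng, s.tef_per_year)
        successes = sum(1 for _ in range(attempts) if rng.random() < s.p_success)
        yearly.append(sum(rng.triangular(s.loss_low, s.loss_high, s.loss_most_likely)
                          for _ in range(successes)))
    yearly.sort()
    return {
        "mean": statistics.fmean(yearly),
        "median": yearly[len(yearly) // 2],
        "p95": yearly[int(0.95 * len(yearly))],   # 1-in-20 bad year
    }


# Constructed scenarios: the same attack pressure before and after modernisation,
# but the modern platform is compromised less often and loses less when it is.
LEGACY = LossScenario("Unpatched legacy citizen portal compromised",
                      tef_per_year=12, p_success=0.25,
                      loss_low=200_000, loss_most_likely=1_500_000, loss_high=8_000_000)
MODERNISED = LossScenario("Modernised portal with current controls compromised",
                          tef_per_year=12, p_success=0.05,
                          loss_low=100_000, loss_most_likely=500_000, loss_high=3_000_000)


if __name__ == "__main__":
    for s in (LEGACY, MODERNISED):
        sim = simulate_annual_loss(s)
        print(f"{s.name}: ALE ${annualised_loss_expectancy(s):,.0f}; "
              f"simulated mean ${sim['mean']:,.0f}, median ${sim['median']:,.0f}, "
              f"95th percentile ${sim['p95']:,.0f}")
    print(f"Annualised risk reduction from modernisation: ${risk_reduction(LEGACY, MODERNISED):,.0f}")
```

The point estimate is what goes in the business case; the simulated 95th percentile is the number that usually moves a funding conversation, because it shows what a single bad year looks like rather than the average. Replace the constructed inputs with calibrated estimates from the agency’s own incident history and threat intelligence before using the output for a real case.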
In delivering essential services, agencies gather sensitive information that, if exposed, could have a catastrophic effect on citizens or the defence of the nation. As a case in point, when war fighters depend on telemetry data, what value does defence put on the ability to protect that data from corruption or prevent denial of service? It’s hard to imagine that business case failing to stand up.
Overcome inertia
The hard part of transforming legacy architecture is not buying a new tool, but teaching people to adopt radically new ways of working. Given that most humans are risk averse, this is a really big task – probably the most underestimated in a transformation program. It’s vital to be clear about what people can stop doing, and invest in training and gaining buy-in. Otherwise, the new technology will not be adopted quickly enough – or people will find workarounds.
Given CISOs don’t own the people lever, they need to work with HR and other leaders who must stand behind any change and make sure processes, change management and incentives are in place to bring new ways of working to life.
Modernise first. Then future-proof
In 2023, EY research identified a cohort of government organisations – Secure Creators – that consistently get better security outcomes than others, differentiated by three critical factors:
- They are further along with automation, AI and passwordless authentication.
- They have better visibility of the attack surface and greater coverage of cyber controls.
- They have clear whole-of-agency ownership of cyber risks.
The first two findings underscore that, from a cyber security perspective, modernisation cannot come soon enough. Without it, government cyber security teams will struggle to future-proof defence strategies against the emerging threat landscape.
Getting rid of the legacy problem will create a far more secure attack surface and open the door for AI-driven cyber tools. But modernisation programs will only be given a green light when cyber risk is quantified and department leaders understand how much money and how much harm they could take off the risk table.