Untangling Enterprise Reliance on Legacy Systems
www.informationweek.com
While the push for digital transformation has been underway for years, many enterprises still have legacy technology deeply ingrained in their tech stacks. In many cases, these systems are years or even decades old but remain integral to keeping a business operational. Simply ripping them out and replacing them is often not a plausible quick fix.

"It's actually quite hard to fully demise previous versions of technology as we adopt new versions, and so you end up with the sort of layering of various ages of all the technologies," says Nick Godfrey, senior director and global head, office of the CISO at Google Cloud.

Given that continued use of legacy systems comes with risk, why are legacy systems still so common today? How can enterprise leaders manage that risk and move forward?

A Universal Challenge

In 2019, the Government Accountability Office (GAO) identified 10 critical federal IT legacy systems. These systems were 8 to 51 years old and cost roughly $337 million to operate and maintain each year.

Government is hardly the only sector that relies on outdated systems. The banking sector uses COBOL, a decades-old programming language, heavily. The health care industry is rife with examples of outdated electronic health record (EHR) systems and legacy hardware. One survey found that 74% of manufacturing and engineering companies use legacy systems and spreadsheets to operate.

"If we talk about banking, manufacturing, and health care, you would find a big chunk of legacy systems are actually elements of the operational technology that it takes to operate that business," says Joel Burleson-Davis, senior vice president of worldwide engineering, cyber at Imprivata, a digital identity security company.

The cost of replacing these systems isn't simply the price tag that comes with the new technology. It's also the downtime that comes with making the change.

"The hardest way to drive the car is when you're trying to change the tire at the same time," says Austin Allen, director of solutions architecture at Airlock Digital, an application control company. "You think about one hour of downtime; you can be talking about millions of dollars depending on the company."

A survey conducted by commercial software company SnapLogic found that organizations spent an average of $2.7 million to overhaul legacy tech in 2023.

As expensive as it is to replace legacy technology, keeping it in place could prove to be more costly. Legacy systems are vulnerable to cyberattacks and data breaches. In 2024, the average cost of a data breach is $4.88 million, according to IBM's Cost of a Data Breach Report 2024.

Evaluating the Tech Stack

The first step to assessing the risk that legacy systems pose to an enterprise is understanding how they are being used. It sounds simple enough on the surface, but enterprise infrastructure is incredibly complicated.

"Everybody wishes that they had all of their processes and all of their systems integrations documented, but they don't," says Jen Curry Hendrickson, senior vice president of managed services at DataBank, a data center solutions company.

Once security and technology leaders conduct a thorough inventory of systems and understand how enterprise data is moving through those systems, they can assess the risks.

"This technology was designed and installed many, many years ago when the threat profile was significantly different," says Godfrey. "It is creating an ever more complex surface area."

What systems can be updated or patched? What systems are no longer supported by vendors? How could threat actors leverage access to a legacy system for lateral movement?

Managing Legacy System Risk

Once enterprise leaders have a clear picture of their organization's legacy systems and the risk they pose, they have a choice to make. Do they replace those systems, or do they keep them in place and manage those risks?

"Businesses are fully entitled -- maybe they shouldn't [be] -- but they're fully entitled to say no, I understand the risk and that's not something we're going to address right now," says Burleson-Davis. "Industries that tend to have lower margins and be a little more resource-strapped are the likeliest to make some of those tradeoffs."

If an enterprise cannot replace a legacy system, its security and technology leaders can still take steps to reduce the risk of it becoming a doorway for threat actors. Security teams can implement compensating controls to look for signs of compromise. They can implement zero-trust access and isolate legacy systems from the rest of the enterprise's network as much as possible.

"Legacy systems really should be hardened from the operating system side. You should be turning off operating system features that do not have any business purpose in your environment by default," Allen emphasizes.

Security leaders may even find relatively simple ways to reduce risk exposure related to legacy systems.

"People will often find, 'Oh, I'm running 18 different versions of the same virtualization package. Why don't I go to one?'" Burleson-Davis shares. "We find people running into scenarios like that where after doing a proper inventory [they] find that there was some low-hanging fruit that really solved some of that risk."

Transitioning Away from Legacy Systems

Enterprise leaders have to clear a number of hurdles in order to replace legacy systems successfully. The cost and the time are obvious challenges. Given the age of these systems, talent constraints come to the fore. Does the enterprise have people who understand how the legacy system works and how it can be replaced?

"You end up with a very complex skills requirement inside of your organization to be able to manage very old types of technologies through to cutting-edge technologies," Godfrey points out.

A change advisory board (CAB) can lead the charge on strategic planning. That group of people can help answer vital questions about the timeline for the transition, the potential downtime, and the people necessary to execute the change.

"How does that affect anything downstream or upstream? Where is my data flowing? How are these systems connected? How do I keep them connected? What am I going to break?" asks Curry Hendrickson.

Allen stresses the importance of planning for a way to roll back the implementation of new technology. "What's the strategy for rolling back if it goes wrong? Because that's arguably the most important piece of this, and many times it will go wrong," he says.

To reduce the chance of the implementation failing, the transition team needs to consider how the new technology will interact within the IT or OT environments. How is that different compared to the legacy system?

"[Understand] what it is that new system needs, [put] some of those changes in place before you implement the new system. That way the new system has every opportunity to be successful," says Allen.

After pouring resources into modernizing technology, some enterprises make a fundamental mistake by forgetting to include the end users in the process. If end users aren't prepared or willing to adopt new technology, that initiative's chances of success drop.

"One good example [is] introducing almost anything into a clinical setting and not including doctors and nurses. It is the guaranteed, number one way to fail," says Burleson-Davis.

Curry Hendrickson also warns of the potential for vendor lock-in as enterprises examine ways to adopt new technology. "You could get yourself into a scenario where you're so excited and you have this great environment, it is so flexible, and then all of a sudden you're using way too many of this vendor's tools, and now it's going to be a real problem to move out," she explains.

This kind of technological transformation is often a multi-year project that requires the board, CISO, CIO, CTO, and other business leaders to agree on a strategy and consistently work toward it.

"There are going to be inevitably short-term trade-offs that have to be made during that transformation, during the journey to that north star," says Godfrey. "The key to enabling that or unlocking the opportunity is thinking about it as a kind of organizational transformation as well as a technological transformation."
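As an added illustration, not code from the article or from any of the companies quoted, the Python below triages a constructed legacy inventory against the three questions raised under "Evaluating the Tech Stack" (still vendor-supported? patchable? reachable for lateral movement?) and flags the version sprawl Burleson-Davis describes as low-hanging fruit; every asset name, version and date is made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_OF = date(2024, 9, 1)  # review date; a constructed value for this example

@dataclass(frozen=True)
class Asset:
    name: str
    package: str                  # product family, e.g. "hypervisor"
    version: str
    support_ends: Optional[date]  # None: vendor support already withdrawn
    patchable: bool               # can current fixes still be applied?
    isolated: bool                # segmented from the general enterprise network?

# Constructed sample inventory; every name, version and date is made up.
INVENTORY = [
    Asset("hv-01", "hypervisor", "5.1", date(2020, 3, 31), False, False),
    Asset("hv-02", "hypervisor", "6.7", date(2022, 10, 15), False, True),
    Asset("hv-03", "hypervisor", "8.0", date(2027, 4, 30), True, True),
    Asset("ehr-db", "ehr-server", "2009", None, False, False),
    Asset("plc-gw", "ot-gateway", "3.2", date(2019, 1, 1), False, True),
    Asset("crm-01", "crm", "12.1", date(2026, 6, 30), True, False),
]

def assess(inventory, today=AS_OF):
    """Answer the three triage questions per asset (still supported? patchable?
    a lateral-movement foothold?) and return (name, score, reasons) tuples,
    highest risk first. Assets with no findings are omitted."""
    results = []
    for a in inventory:
        reasons = []
        if a.support_ends is None or a.support_ends < today:
            reasons.append("vendor support ended")
        if not a.patchable:
            reasons.append("cannot be patched")
        if not a.isolated:
            reasons.append("reachable from the general network")
        if reasons:
            results.append((a.name, len(reasons), reasons))
    return sorted(results, key=lambda r: (-r[1], r[0]))

def version_sprawl(inventory, min_versions=2):
    """Packages running in several versions: consolidation candidates."""
    versions = defaultdict(set)
    for a in inventory:
        versions[a.package].add(a.version)
    return {p: sorted(v) for p, v in versions.items() if len(v) >= min_versions}
```

Calling `assess(INVENTORY)` ranks the unsupported, unpatchable, network-reachable assets first and drops the fully supported, isolated one, while `version_sprawl(INVENTORY)` reports the hypervisor running in three versions as the consolidation candidate.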