Most governments struggle with replacing legacy systems for a variety of reasons. But some people claim legacy mainframes can be just as secure as modern ones. So how big is the legacy cyber threat?
May 11, 2025
An important but often overshadowed technology issue for government CIOs and CISOs is legacy system modernization. Indeed, the topic comes in at No. 5 on the National Association of State Chief Information Officers (NASCIO) priority list for 2025.
The conventional wisdom amongst IT and cyber pros is that legacy systems are a serious cyber threat that must be addressed with urgency. Many government IT modernization efforts even use cybersecurity as a top reason to get off aging platforms that can’t be properly supported, patched for vulnerabilities or protected in other ways from hackers.
There are, of course, many reasons (besides cyber threats) for upgrading, modernizing, replacing or just removing “old” technology — and you can decide how to define “legacy.” Some of these reasons include inefficient data management, lack of innovation, strategy and governance, performance, software integration, scalability and more.
Here’s a brief excerpt: “By January 2025, 319 legacy systems had been identified as in use across government, ‘red’-rating around 25% as having a high likelihood and impact of risks occurring. But, the Government does not know how many legacy systems there are altogether.
“Some Government IT systems are still running on Windows 3.1 — a program developed by Microsoft in 1992 which it stopped supporting in 2001 — 24 years ago. …”
WHAT’S CLEAR AND WHAT’S NOT WHEN IT COMES TO LEGACY SYSTEMS
To start, there is minimal argument among professional tech experts regarding the need to replace or upgrade old tech that is no longer supported. So if you’re still running Windows 3.1, let’s just move on …
“Mainframes often appear to cybercriminals to be less lucrative targets.
“Whether that is a fair assessment or not is up for debate; after all, mainframes process loads of highly valuable data, like credit card transaction information.
“Still, the fact that mainframes have a relatively small profile in the public eye as compared to the cloud or commodity servers means that they are smaller targets for people who are up to no good.
“At the same time, mainframes also have the advantage of being very different, technologically speaking, from other types of computing platforms. If you’re a cybercriminal, and you have spent your career breaching x86 servers, you’d have to invest a lot of time learning new tricks if you want to try to attack mainframes. Mainframe hardware is different, mainframe software is different, mainframe programming languages are different and mainframe data formats are different.
“All of the above means that any reasonable cyberattacker is likely to focus on attacking commodity servers and leave the mainframes alone.”
The piece goes on to recommend a mainframe security assessment to determine your level of risk.
“As organizations consider the future of their mainframe systems, they must think strategically. Their computing platforms must support their business needs. Further, as IT and business leaders plan for the future, they must be able to map a course from their current IT systems to their future goals.
“While the modernization process is complex, and upfront costs are high, it holds promise for long-term savings and improved business agility.
The 3 Most Common Cost Patterns for Mainframe Modernization
- Rehosting (‘Lift and Shift’) — Move the mainframe applications to a lower-cost processor or to a cloud-hosted environment without modifying the architecture, code or data model.
- Replatforming — Migrate mainframe applications to a new and modern runtime platform. Maintain the core application architecture and data model while making necessary code changes for the new OS, database and compiler(s).
- Refactoring/Rearchitecting — Optimize the existing codebase, potentially the data model, and storage for the target on-prem or cloud environment without changing external behavior. Use modern languages and efficient cloud-native services.”
“Mainframes have long been the backbone of enterprise computing, delivering unmatched reliability, security and scalability for mission-critical workloads. Even with the rise of new technologies, these systems continue to power essential industries, including healthcare, finance and manufacturing.
“At the heart of virtually every large organization is a massive anchor slowing a business down: the tech debt found in legacy IT systems. Often built decades ago, these large systems form the technical backbone of companies and functions across almost every sector. As much as 70 percent of the software used by Fortune 500 companies was developed 20 or more years ago. …
FINAL THOUGHTS
Every government organization that I know has some level of legacy systems program (or “tech debt project” as many call it). These systems are often seen as hindrances to AI and new innovation, as well as a major security challenge.
Nevertheless, addressing system modernization is, in many cases, where good cybersecurity and GenAI tools can help the most.
Perhaps we need to start merging government priority categories?
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
*** This is a Security Bloggers Network syndicated blog from Lohrmann on Cybersecurity authored by Lohrmann on Cybersecurity. Read the original post at: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/the-legacy-cyber-threat-why-we-must-prioritize-modernization