Rip and replace can create security issues

When IT leaders think about “rip and replace” efforts, the first thoughts that probably come to mind are about the potentially huge cost and the inevitable disruption to the business. But these massive system replacement efforts also create different security worries for the organization.

When IT leaders think about “rip and replace” efforts, the first thoughts that probably come to mind are about the potentially huge cost and the inevitable disruption to the business. But these massive system replacement efforts also create different security worries for the organization.

The irony is that either the older system or the new system might be the better one from a basic security standpoint, determined in large part by how seriously the organization takes security from the outset. It can be a Catch-22 scenario that the CSO can do a lot to resolve.

A lot also depends on how complex each system is, what the business needs to do with each, and who will access each. That changes a lot according to how business processes evolve as a result of the effort. It can be an apples-to-oranges comparison.

“I don’t think there’s an obvious or clear cut answer, and the reason is this: when you talk about security as a result of a change, what you are actually asking is, ‘how secure is the new system as compared to the old system’, and ‘what kind of risks are being introduced as a result of a change to the system’?,” explains Michael Krigsman, an industry analyst and founder of

“Typically, an older system may not be written as securely as a new system because in the ‘olden days’ we didn’t take security as seriously as we do today,” Krigsman notes. “On the other hand, that older system may be simpler than the new system and the footprint may be smaller, which means that there is less there to go wrong.”

“If it’s a modern system, the newer system should be architected from the ground up with security as a major concern,” Krigsman continues. “On the other hand, that new system is probably going to have interfaces to external partners and vendors, which is definitely an added layer of complexity and risk.”

Is there better safety in numbers?

How secure a replacement system is depends in part on whether organizations go it alone with rip and replace efforts; or, if a solutions provider is involved, which parts of the project they manage. Chances are that the organization doesn’t have many staff trained on the new system, and internal IT will have all it can do just to keep up with the implementation.

This makes the organization dependent on the vendor’s team to build security measures in properly, and that means from a user need perspective as well as technology one.

Security concerns also extend to the data itself and what will happen as the organization sunsets the old system, and goes live on the new one.

From the “rip” perspective, the organization needs to worry about where applications are housed; what data is stored with them; whether individual data will be migrated or destroyed during the transfer; what the destruction policies are for the old system; and whether targeted data will indeed be destroyed, explains Jody Albright, interim CIO at Providence Health Plan in Seattle, who managed a rip and replace effort in her previous job at Overlake Medical Center.

From a staff perspective, “It is much easier to handle data internally,” Albright notes.

From the “replacement” perspective, Albright advises CSOs to pay attention to how applications will be accessed; what data integration requirements they pose; if there is ‘special’ data within it (such as SOX or PHI); and what regulations are required around that data.

“Does the application security house, transfer, access, and display data appropriately,” Albright poses. “How does the application play within the firewall?”

Other security concerns with the new system and a vendor managing it include issues around authentification; password requirements; whether the system supports SSO; encryption of data transmission; disaster recovery capabilities; and the ability to work with security software and tools.

“The best way to address them is to ask the questions up front, identify the must-dos and the can-dos, and include them in the planning,” Albright says.

Asking the right questions at the right time

Asking those right questions up front and mapping out security from the outset is probably the most important role the CSO can play here. The development team probably has too much on their plate already to make security a top priority.

“Developers don’t have a very high awareness of security,” says Jim Duggan, research vice president in the Applications Strategy and Governance practice at Gartner. “They are pressed for time and if anything, they expect the business sponsor to set requirements explicitly enough that they can build to them. Given that the risk environment has gotten dramatically worse, if you’re going to rebuild something you’re probably going to want to build in security at the architecture stage as a fundamental process.”

Duggan also cautions that a vendor team doesn’t have the benefit of “tribal knowledge” about the client, as Duggan terms it. Security measures recommended by the vendor may not address important aspects of how the business actually works and employees go about their jobs.

“You’ve got to build a process that is going to get those concerns at least examined early, and then create a governance process that is going to have an advocate for security at least at the level that the requirements are set,” Duggan stresses.

“Whether it’s a waterfall or agile processes, someone has got to prioritize spending on security,” Duggan concludes. “If you leave it to the good intentions of the development team, they’re going to do something -- but probably not consistently, and probably not thoroughly.”

ALSO: Rip and replace: When it pays to make a total systems change

Join the CSO newsletter!

Error: Please check your email address.

More about CSOGartnerindeed

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Weldon

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place