Obsolete systems that are critical to your business. They’re abandoned, unpatchable and unmanaged. We’ve all got them, and often upgrading is not an option. What do you do?



Check out this post and discussion for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Mitch Parker (@mitchparkerCISO), executive director, InfoSec and compliance, Indiana University Health.

Got feedback? Join the conversation on LinkedIn.

Thanks to this week’s podcast sponsor, SecurityBridge

Advanced cybersecurity for SAP, from codebase to production. Powered by anomaly detection, detect threats in real-time so that they can be remediated before any harm is done. Eliminate false-positives and focus on actionable intelligence. Ensure compliance with direction to actual vulnerabilities, with amazing intelligence dashboards guiding remediation.

On this episode of Defense in Depth, you’ll learn:

  • This issue appears to affect every security and IT person. At one time they’ve all had to deal with it.
  • Obsolete technology should not be treated like any new technology. It needs to be isolated.
  • Lots of great advice from the community regarding containing the outdated technology through firewalls, air gapping, segmenting, virtual machines, and a jump box.
  • Constantly measure the risk of not just intrusion of the outdated technology, but the cost of keeping the thing running as you can’t rely on outside support or updates.
  • As you’re reporting the risk, constantly push for solutions to end reliance on this outdated technology.
  • The obsolete technology is often an expensive and critical piece of hardware that’s difficult if not impossible to replace.
  • The UK National Cyber Security Center has some great guidance on what to do with obsolete platforms.

Creative Commons photo attribution to Wolfgang Stief.