Sunsetting Legacy Cybersecurity Processes for Better Optimization and Security Modernization

John P. Gormally, SR
5 min read · Sep 19, 2022


[Image: Sunset in Carlsbad, California]

The idea of “if it isn’t broken, don’t fix it” should not apply to cybersecurity. Most organizations develop three- to five-year phasing plans for their IT and cyber products, aligned with each manufacturer’s end-of-development, end-of-support, and end-of-life dates, so that they keep pace with current security risks.

What if a process or product is no longer aligned with the current threat landscape and the breaches actually occurring? Can products bought on a three- to five-year cycle integrate with emerging architectures such as Zero Trust, SASE, and enterprise identity management?

When should organizations consider sunsetting processes?

The cost of sunsetting security products, legacy applications, and legacy technology imposes a financial strain on every organization. Security teams often need a year or more just to deploy a newly acquired adaptive control capability. Once those features reach production, the organization may already need to start the sunsetting process if the new capabilities do not protect it from emerging threats or fail to align with business requirements.
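As an added example, not code from the original post, the script below turns the lifecycle alignment described above into a repeatable triage: each product in an inventory is classified against its vendor end-of-development, end-of-support, and end-of-life dates, plus whether it integrates with the emerging platforms the post names. The product names, dates, and platform labels are constructed for illustration and are not real vendor lifecycle data; the status names and the one-year planning horizon are assumptions.

```python
"""Added example: triage an inventory against vendor lifecycle dates so that
sunsetting is decided on a schedule rather than after a breach.

All products, dates and platform labels below are constructed for
illustration; they are not real vendor lifecycle data."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed labels for the emerging platforms the post mentions.
EMERGING_PLATFORMS = {"zero-trust", "sase", "identity"}

# Reporting date used by the sample below (the post's publication date).
AS_OF = date(2022, 9, 19)


@dataclass
class Product:
    name: str
    end_of_development: Optional[date]
    end_of_support: Optional[date]
    end_of_life: Optional[date]
    integrates_with: set = field(default_factory=set)


def classify(product: Product, today: date,
             horizon: timedelta = timedelta(days=365)) -> Tuple[str, str]:
    """Return (status, reason) for one product.

    sunset_now  - past end-of-life, or past end-of-support (no vendor patches)
    plan_sunset - end-of-support or end-of-life falls inside the planning horizon
    evaluate    - still supported, but cannot integrate with emerging platforms
                  or no longer receives new development
    retain      - supported beyond the horizon and aligned with the platforms
    """
    if product.end_of_life and product.end_of_life <= today:
        return "sunset_now", f"end of life reached {product.end_of_life}"
    if product.end_of_support and product.end_of_support <= today:
        return "sunset_now", f"unsupported since {product.end_of_support}"
    upcoming = [d for d in (product.end_of_support, product.end_of_life) if d]
    if upcoming and min(upcoming) <= today + horizon:
        return "plan_sunset", f"vendor support ends {min(upcoming)}"
    missing = EMERGING_PLATFORMS - product.integrates_with
    if missing:
        return "evaluate", "no integration with " + ", ".join(sorted(missing))
    if product.end_of_development and product.end_of_development <= today:
        return "evaluate", f"no new development since {product.end_of_development}"
    return "retain", "supported and aligned"


# Most urgent first; ties broken by product name.
PRIORITY = {"sunset_now": 0, "plan_sunset": 1, "evaluate": 2, "retain": 3}


def build_phasing_plan(inventory: List[Product], today: date,
                       horizon: timedelta = timedelta(days=365)) -> List[Tuple[str, str, str]]:
    """Classify every product and order the result as a phasing plan."""
    rows = [(p.name, *classify(p, today, horizon)) for p in inventory]
    return sorted(rows, key=lambda r: (PRIORITY[r[1]], r[0]))


# Constructed sample inventory (hypothetical products and dates).
SAMPLE_INVENTORY = [
    Product("legacy-ips-appliance", date(2019, 1, 1), date(2021, 6, 30), date(2023, 6, 30), set()),
    Product("email-gateway", date(2022, 1, 1), date(2023, 3, 31), date(2024, 3, 31), {"identity"}),
    Product("cloud-waf", None, date(2026, 12, 31), None, {"zero-trust", "sase", "identity"}),
    Product("vpn-concentrator", date(2021, 1, 1), date(2025, 1, 1), date(2026, 1, 1), {"identity"}),
]

if __name__ == "__main__":
    for name, status, reason in build_phasing_plan(SAMPLE_INVENTORY, AS_OF):
        print(f"{status:12} {name:24} {reason}")
```

Run against the sample, the plan puts the appliance that is already out of vendor support at the top, flags the gateway whose support ends within the year for planned replacement, marks the VPN concentrator for evaluation because it cannot integrate with Zero Trust or SASE, and retains only the WAF. Swapping `AS_OF` for `date.today()` and the sample list for a real inventory export gives a report that can be re-run every planning cycle.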

Separating Product Sunsetting from Process

Before considering sunsetting technology products, most SecOps and DevOps teams first evaluate their legacy processes and update them where possible, including developing a legacy-system modernization workflow.

Before resorting to “rip and replace,” a painful and very traditional IT way of thinking, organizations should evaluate their various SecOps processes, including:

  • Incident response capabilities for obsolete technologies
  • Interfacing with outside agencies, including federal and non-federal entities
  • Live patching of outdated systems
  • Container security provided by the cloud service provider
  • Threat modeling (risk management, vulnerability assessment, and penetration testing)

By evaluating these processes, can an organization get more life out of its existing security and IT operations capabilities, or should it consider a rapid deployment of newer solutions to align with changing cybersecurity risks?

What are economic security and technical debt?

What does it cost the organization to maintain its application security, network, cloud, identity, and risk management posture? How does that security posture affect the organization’s bottom line?

Security costs will change if the organization hires more employees or enters new business markets. These business decisions require different security processes and adaptive controls.

Some organizations are burdened by snap decisions to deploy a quick-fix answer to a new security requirement or to ship new software. The cost of such shortcuts, which has to be repaid later, is referred to as “technical debt.” Is the organization accumulating technical debt by making quick decisions?

Risk-based budget modeling alignment with cybersecurity

Does the organization follow a risk-based cyber budget model or a general one? A critical component of economic security is the operational cost of security.

Organizations facing an increased volume of cyberattacks are challenged to develop an adequate economic model while coping with technical debt. Often they lean on cybersecurity insurance and managed services to absorb the impact of current and future incidents.

A critical part of achieving balanced security is an architecture optimization exercise: breaking out the organization’s architecture domains that relate to risk and cybersecurity, including:

  • SecOps processes aligned to current adaptive control capabilities
  • Reporting into the GRC platform for risk-matrix scoring
  • The risk of products reaching end of life earlier than planned
  • MSSPs failing to meet their SLAs
  • Staying compliant with all the regulations required by the business groups
  • Ensuring SecOps, DevOps, and NetSecOps staff are trained and maintain their certifications

By performing architecture reviews by hardware or software vendor, by system, and by process, organizations can capture the economics of these systems while determining the cost model and operational impact of sunsetting capabilities within a manageable work cycle.

The importance of developing a modernization strategy

Architecture-driven modernization around cybersecurity, combined with an ongoing modernization strategy, helps organizations manage and prepare for emerging threats. Organizations continuously evaluate their risks, vulnerabilities, and threats through threat modeling. Once a vulnerability is actively exploited, a continuous modernization strategy means the affected process should be considered for sunsetting even if it has not been in place for long.

Compelling reasons for flexible sunsetting of cybersecurity processes

Do the current SecOps and DevOps processes provide relevant and sustainable defenses against emerging threats, including ransomware, email phishing, and social engineering? Are the current strategies tied to a specific application architecture, such as an Oracle Fusion ERP, or broad enough to cover the entire organization?

Many SecOps processes are scoped to specific components within the organization. If the organization is subject to several compliance frameworks, including NIST SP 800-53, PCI DSS, and FedRAMP, does it maintain one set of procedures or separate processes for each?

Sunsetting of processes can be done per domain or per framework. If the organization’s business plan for next year includes entering the federal marketplace, FedRAMP authorization for the cloud-based systems it offers to federal agencies is a requirement.

Would the organization use architecture optimization to embed FedRAMP processes into its existing legacy structure, or pursue legacy modernization to accommodate the new framework?

Organizations weighing this decision also need to account for the economic cost of running legacy and new security processes side by side. When moving to FedRAMP while maintaining a commercial presence, how would an organization control cost while ensuring the highest degree of compliance governance and operational efficiency?

Ensuring situational awareness when considering sunsetting processes and capabilities

The decision to operate in both the federal and commercial marketplaces is financially significant. Each market requires separate infrastructure and its own operating model. National security systems have different methods for handling data, opening support tickets, and executing patches and updates. Commercial systems must also comply with privacy mandates and carry their own cybersecurity and infrastructure operating costs.

Both environments also handle major incidents differently. In the federal space, if a contractor or vendor suffers a security breach with national security implications, the escalation and response timeline is much faster and requires interfacing with several third parties. In the commercial space, organizations also interface with cybersecurity insurance carriers and law enforcement at different levels of escalation.

Choosing when and why to sunset processes

Supporting a legacy federal system? Legally obligated to keep current systems operational longer than expected? New and emerging threats impacting the organization’s ability to obtain cybersecurity insurance?

These challenges warrant frequent evaluations of the organization’s SecOps, DevOps, and NetSecOps adaptive controls and processes. Any existing management practice or strategy that does not align with these business and security objectives should be considered for sunsetting.

“Don’t fix it unless it is broken?” How do you know when your cybersecurity controls and processes are broken?

Too often, only after a breach does an organization realize the importance of proactively sunsetting processes to align with emerging threats while maintaining strong governance around security economics.

All the best,

John P. Gormally, SR

John P. Gormally is a fictional and non-fictional cybersecurity blogger and writer based in Lake Forest California.