Legacy Tech, Modern Threats: Kyndryl’s Strategy for Aging Systems

How do you protect an enterprise built on yesterday’s code while preparing for tomorrow’s threats? In a conversation with Tech Talks Daily, Paul Savill, Global Practice Leader of Networking and Edge Compute at Kyndryl, revealed the realities of securing legacy systems.

While the shiny allure of generative AI and quantum breakthroughs draws attention, many companies are still running on aging infrastructure, some of it unsupported and exposed.

Techopedia discusses the importance of paying back technical debt and securing legacy technology in 2025.

Key Takeaways

  • Aging systems pose critical risks that few enterprises are prepared to manage.
  • IoT growth is outpacing most organizations’ ability to secure expanding attack surfaces.
  • AI is making social engineering threats harder to detect and easier to scale.
  • Annual security training fails, but continuous education strengthens real-world risk awareness.
  • Misalignment between IT and OT weakens defenses in manufacturing and critical sectors.
  • Modern infrastructure is required to use the full benefits of AI and automation.

When Legacy Becomes Liability

44% of enterprise technology is officially “out of life,” according to Kyndryl’s data. These are systems no longer serviced by vendors but still in production.

Paul Savill said during the interview:

“That percentage… It’s such a huge exposure for companies. Bad people out there continually figure new things out, and with the advances of things like AI, that’s just going to make things even worse.”

The legacy code problem isn’t abstract. Think of network devices that haven’t had a firmware update in years, or mission-critical applications built on code no one wants to touch.

In reality, many enterprises don’t treat infrastructure with the same urgency they apply to end-user security. In part, that’s because upgrades are rarely seamless. Business leaders weigh the risk of downtime, disruption, and compatibility issues.

Meanwhile, the risk of doing nothing continues to climb. Savill admitted:

“This is maybe the number one problem we see. Helping customers understand what they should do with their networks and how to evolve them over time.”

This is echoed in the Readiness Report, which notes that nearly two-thirds of CEOs are concerned their IT is outdated or nearing end-of-life. Legacy systems are no longer a side issue. They’re central to enterprise risk.

[Figure: bar chart comparing organizational concern versus readiness for various risks, with cyberattacks as the top concern. 65% are concerned about cyberattacks, yet only 30% are ready. Source: Kyndryl’s Readiness Report]

More IoT Devices, More Doors

The explosion of IoT devices is the digital equivalent of pouring petrol on the fire. With projections estimating that IoT devices will double from 15.9 billion in 2023 to 32 billion by 2030, the attack surface is widening faster than many security teams can monitor.

Savill explained:

“IoT is one of those areas that expands the threat landscape. There are just so many devices. Some of the most costly cyberattacks have resulted from penetration through IoT devices.”

IoT isn’t just about smart thermostats or warehouse sensors. It now extends into healthcare, finance, and industrial environments where uptime is non-negotiable.

But many organizations aren’t prepared for the sheer scale of what’s coming. According to the same report, only 30% of leaders feel prepared to manage cyber threats, despite it being their top concern.

Social Engineering, Rewritten by AI

You can’t talk cybersecurity today without acknowledging the social layer. The human element is often the weakest point, and AI makes that weakness easier to exploit.

Paul Savill said:

“I believe some studies say that roughly 90% of all penetrations begin with social engineering engagement.”

And in a hybrid world where coworkers might be spread across cities or continents, impersonation becomes even easier. He added:

“I’ve had funny instances where outside actors try to phish us by claiming they’re our CEO with an urgent request. Now, with AI and the ability to create these deepfakes of voice and image, that’s just raising it to another level.”

The Kyndryl report backs this up: AI-enhanced attacks, particularly phishing and deepfakes, pose a risk for businesses struggling with talent gaps and fragmented training.

And while 86% of leaders feel confident in their AI implementation, only 29% believe their AI tools are ready to handle real-world disruption.

From Compliance to Culture: Fixing the Human Firewall

Too often, security awareness is reduced to a checkbox, annual training, or a multiple-choice quiz. The problem? Real threats don’t follow a schedule.

“One of the worst hacks we’ve seen came from a contractor who hadn’t been through the same training as full-time employees,” Paul recalled. It’s a blind spot many businesses overlook: education stops at the employee level, ignoring third-party access points.

Kyndryl tackled this with a proactive approach.

“We launch our internal phishing tests,” Paul Savill said. “If employees fall for it, it’s a training opportunity.” The result? A fourfold increase in employee-reported phishing incidents compared to industry benchmarks.

“The training walks you through different scenarios… some are threats, some are not,” Paul explained. “It helps you identify the difference. That contrast is effective.”

This lines up with broader findings that continuous education is a key differentiator in businesses that say they’re ready for future risks.

OT & IT: A Tale of Two Teams

In industries like manufacturing, the divide between IT and OT (operational technology) creates a real vulnerability. “Traditionally, managers of OT run it on their own, without much interaction with centralized IT,” Paul said.

That siloed approach weakens coordination. He noted that the companies that fare better are those where “operational leaders can coordinate with the CIO office much more closely.”

Integration isn’t just about tech stacks. It’s about people, protocols, and communication. The Readiness Report underscores this too: organizations that report seamless collaboration between business and tech leadership are 43% more likely to feel ready for disruption.

Kyndryl’s Own Journey: Cloud-First, Zero Trust

Of course, it’s easy to advise others on transformation. But Kyndryl has walked this path itself.

“A few years back, we were in a similar situation as many of our customers,” Savill admitted.

Their solution? A full pivot toward cloud-first, zero trust, and SASE (Secure Access Service Edge). Savill explained:

“The AI ops tooling behind these technologies is incredibly effective in managing and mitigating security threats.”

Interestingly, the benefits extended far beyond security. He added:

“We reduced networking expenses, improved employee experience, and dramatically made it easier to turn services up and down. It was a win on all three fronts: security, cost, and experience.”

This aligns with the broader data: enterprises in their tech modernization journey are 16% more ready to handle risks and 22% more likely to have IT teams aligned to business strategy.


Continuous training, cross-functional coordination – all of which starts with admitting that legacy systems might be holding more than just old data; they might be holding your business back.

Paul Savill concluded:

“You need to get that next-level foundational infrastructure in place. For you to even take advantage of what’s coming.”

The deeper story of legacy software is not just its limitations, but its hold on progress. Until those limitations are addressed, actual readiness remains out of reach.

The Bottom Line

The message is clear. Prepare now, or risk falling behind. The problem is that most enterprises have not advanced their networks and infrastructure to take advantage of newer technologies, Savill warned. “These technologies are not going to be replaced by AI, they’re going to be enhanced by it,” he said.

There is no hiding from the fact that enhancement requires groundwork. Reliable infrastructure. The big question is whether your organization can modernize while managing legacy risk.

If you are still crossing your fingers every time a decade-old server reboots, you are already running out of road and will be forced to ask what readiness means in your world.

Neil C. Hughes
Senior Technology Writer

Neil is a freelance tech journalist with 20 years of experience in IT. He’s the host of the popular Tech Talks Daily Podcast, picking up a LinkedIn Top Voice for his influential insights in tech. Apart from Techopedia, his work can be found on INC, TNW, TechHQ, and Cybernews. Neil's favorite things in life range from wandering the tech conference show floors from Arizona to Armenia to enjoying a 5-day digital detox at Glastonbury Festival and supporting Derby County.  He believes technology works best when it brings people together.