Research: Legacy systems - time to bite the bullet?

Upgrading legacy systems is a difficult and risky business. John Leonard takes a look at what organisations are running and why

When does an organisation's trusty IT backbone become a legacy system? Vendors will try to convince you that it is as soon as a new version of their solution has been released, but for most organisations keeping everything bang up to date is impractical and pointless. However, nothing lasts for ever, and at the other end of the obsolescence scale the maxim "If it ain't broke, don't fix it" is often pushed to the nth degree, with systems not becoming "legacy" until they are actually at death's door.

So legacy is partly in the eye of the beholder. That aside, when a system costs more to maintain than it saves in enabling efficiencies, when it becomes an impediment to rather than a facilitator of change, or when it turns into a security risk because of discontinued support - then perhaps then it can legitimately be tagged "legacy". By such definitions many - perhaps most - organisations are dependent on legacy systems of one kind or another.

Take banks. While they may have an outer shell of shiny customer-friendly apps and interfaces that give the impression of efficiency and modernity, beneath the surface most retail banks run on core systems that are decades old.

As another example, the servers that control the UK's energy infrastructure date back decades.
"In the nuclear industry, the control systems are designed to work for the life of the plant. We therefore have in place technology that is 20-plus years old still being operated and maintained," Hugh Boyes, cyber security lead at the Institute of Engineering and Technology, told Computing last year.

Sometimes, then, "legacy" systems are all part of the plan. More commonly, though, their existence is the result of organic growth, mergers and acquisitions, ongoing contracts and personnel changes.

Don't bank on it

But back to banks. High street banks have been subjected to huge changes over the last two decades, with massive acquisitions, break-ups and the imposition of new regulatory regimes all occurring at the same time as online and mobile banking have taken off.

Operating internationally across multiple branches, they run ATM machines, online banking and CRM on the back of pre-millennial mainframes, proprietary operating systems and Cobol code, all glued together with hard-coded middleware.

Modernising such a system is not easy. No wonder then that banks are often only spurred into action when a crisis occurs.

One such crisis occurred in 2012 with the RBS Group IT failure that locked millions of users out of their accounts for days. Over the weeks that followed a picture emerged of a fractured landscape, with key support services having been outsourced leaving insufficient knowledge about the group's archaic core in-house systems. When a patch failed on one server it started a chain reaction that took out large parts of the infrastructure.

It took a many days to locate and fix this problem, but to unravel, rationalise and upgrade the spaghetti-like systems on which RBS depends will take many years - 2018 is just the latest estimate.

Research: Legacy systems - time to bite the bullet?

Upgrading legacy systems is a difficult and risky business. John Leonard takes a look at what organisations are running and why

Upgrading legacy systems can be difficult, risky, disruptive and very expensive. For the CIO, tinkering with the status quo represents a huge gamble.

Get it wrong and you could be out on your ear before you are able to take the credit for any improvements. The process may take years to see through to completion, in all likelihood longer than the typical tenure of a CIO, making the temptation to put it off for another day all the greater.

But the longer the evil day is put off, the more unsatisfactory the status quo becomes, and those carrying serious legacy baggage will find it much harder to keep up with new technologies such as virtualisation, cloud computing and enterprise mobility.

Can't get the staff

Of course, not every organisation is a retail bank, and neither are all legacy systems mission-critical.

Computing asked 160 IT leaders in medium to large organisations about their legacy systems, with particular reference to the software they are running.

Seventy per cent said they have bitten the bullet in the last three years and have undertaken a modernisation project. Asked about what drove them to do it, the cost of maintaining legacy systems came top, followed by a move towards virtualisation and/or cloud (figure 1).

A host of inter-related problems were also reported. For example, 26 per cent said a lack of skills to maintain and support their legacy environment was the impetus behind efforts to modernise. A further nine per cent cited a change in senior staff. In total then, 35 per cent of organisations found that legacy problems were directly related to internal staffing issues.

When experts move on or retire, or fewer people acquire specific programming skills, the expertise needed to maintain and update legacy systems bleeds out of the organisation.

The survey found that a large number of organisations are running older versions of enterprise software that is likely to require the sort of expertise that only experience brings. Among these are Oracle 10g or earlier (30 per cent); Business Objects (20 per cent); Crystal Reports (also 20 per cent); IBM DB2 9.1 or earlier (13 per cent) and Ingres 9.1 or earlier (5 per cent).

As many as a quarter of respondents said that they were running a broad range of other applications on legacy systems, too. These include bespoke and/or industry-specific software, in-house builds, and also a significant number of COBOL and mainframe applications.

Indeed, the COBOL programming language is still in use at 13 per cent of firms surveyed with other venerable languages such as Delphi (eight per cent) and PowerBuilder (three per cent) also maintained.

Among the operating systems these old applications are running on, perhaps the biggest surprise is the 61 per cent that say Windows 95 or XP is still in use (figure 2). Windows XP is used in many bank ATMs and continues to feature on many desktops, despite the imminent withdrawal of support.

These organisations face a choice between upgrading desktops to Windows 7 or 8, changing to another system entirely or running a severe security risk - the latter hopefully is not an option for a bank ATM.

Proprietary systems such as OS/400 and HP-UX and Solaris are still in evidence in up to one in five firms polled and older mobile platforms such as Pocket PC.

Is there anything intrinsically wrong with running these operating systems?

Of course not; indeed, some like Solaris are still maintained, patched and upgraded. So long as there is someone there to oversee the process, they are perfectly satisfactory. But their presence may be indicative of an organisation that is based on older, inefficient, insecure infrastructure and will find it hard to change.

Certainly there is an acceptance among the IT leaders polled that legacy systems can be a millstone. Asked whether they see their legacy systems as a growing burden, 61 per cent agreed versus 35 per cent that thought they pose no threat.

But among those worried about their legacy systems (the 61 per cent), there was uncertainty about what to do about it. Only 45 per cent of these respondents said they have an escape plan.

The escape plans being considered by respondents included replacing hardware so that systems can be virtualised; removing and replacing legacy systems on a priority basis; moving legacy data into new environments; rewriting systems in newer languages; and a range of similar responses.

In an age when security, governance and compliance top the table of business concerns, the atmosphere has changed for those thinking about how IT systems should best support the organisation. Rather than sweating assets, proactive IT leaders are more likely to want to be seen to be future-proofing their organisation, however difficult this might be.

It could be a good time for those with expertise to be sharing their knowledge.

@_JohnLeonard