Thursday, August 22, 2013

The Startup with a Legacy Problem

I don't know about you readers, but I used to absolutely love the show House on FOX. I loved the character of Dr. House for many reasons - but primarily because he loved to solve puzzles others had either given up on or saw as 'solved'. I feel a little like Dr. Greg House when I get to tackle a new puzzle, and a recent engagement gave me pause. I've never run into an organization that had all the complexities and challenges of a start-up company coupled with the pain of a legacy brick-and-mortar organization, so naturally I'm hooked.

Imagine a fictitious organization called the ACME Widget Company, which for the last 50 years has been a business unit within a global widget manufacturer - and last year was spun off successfully into its own specific niche - the widget power unit. The power unit they developed was so good that other manufacturers started coming to them to power their widgets - so a spin-off was only natural, because the new organization was going to be able to build its own market and generate revenue more readily if it wasn't part of the parent widget maker.

Over the past year the Widget Power Unit Company has been busy creating its own infrastructure, hiring entire new departments which never existed before (they were services provided by the parent until a year ago!), generating sales, and manufacturing and shipping those power units all over the world. Business is good and now they're expanding globally to new markets, and scaling up their business.

Now I'm sitting around the table with Bill the CIO, Amy the "security manager", and a few other select people who run operations, architecture, and other critical components. Oh, one more thing is critical to think of here - the Widget Power Unit Company is nearly fully outsourced... each department within IT has a manager, but behind them are small armies of contractors. Servers, desktops, networking, applications and other critical pieces including security operations (I use this term loosely here, bear with me) are all contractors. Making this matter even more complex, they're from different outsourcing organizations. It's the usual list of IT outsourcing suspects, including a small, local boutique company. Ordinarily you'd take a hard look at this type of arrangement and question how this company gets anything done - but I assure you the arrangement, while not optimal, works.

Over the course of 2 days I had the opportunity to do in-depth discovery with all the leadership of the organization's Information Technology group. What struck me was hearing things like "We've never had to think about that before, that's always been provided by the mothership!" from Bill the CIO. This included things like risk management and legal functions!

As we were talking about strategy and trying to determine what his org structure would look like, the services they would offer, and their insource/outsource strategy going forward, it occurred to me just how difficult a job Bill had ahead of him. This is a puzzle Dr. House would find worthy of his time, and I'm certainly thrilled to be engaged here.

The big challenge with this type of organizational profile is the presence of what we commonly refer to as legacy systems - outdated systems and applications. Ordinarily start-ups don't face these issues since they're starting with a clean slate - but organizations that are spin-offs often face the worst of both worlds. They struggle with supporting outdated systems and applications which are vital to their mission, but at the same time are often strained to find the people necessary to keep these dinosaurs running.

  • People - Organizations that fit this profile have a major issue. You're hiring people who can tend to the dinosaurs, while trying to hire people who can make sure you're technologically competitive and able to innovate in today's market. Now consider that you are a start-up and hiring is a priority, but your pool of cash isn't endless. Good luck finding an employee who has the skills to maintain your COBOL systems while trying to help your organization be cloud-ready. Now if you find one of these folks - good luck affording them.
  • Process - Business processes that were largely supported (at scale, as a shared service) by the parent company now have to be replicated, and you need to hopefully replicate ancient processes using modern technology - this is a lot more difficult than it sounds if you haven't tried it.
  • Technology - You may carry some of the legacy systems and platforms with you from your old situation into the new independent business - but you'll likely not have all the resources, since you didn't manage them yourself. Things like machine management tech (HMI, ICS systems) may come with the plant or factory or office - but other things like that SAP platform you depend on or the materials ordering system will probably need to be developed ... and your workforce knows that old system, not some new replacement you put in place. Choosing your technology is a delicate dance of death on a high-wire. You also have to get things to inter-operate. You will likely have some dinosaurs talking to some new systems that are just shedding their shrink-wrap.

The challenges are many. The purse is likely small.

This is no time for a weak stomach or a desire to sleep, but it sounds like fun to me.

If you have survived this type of situation, and have any tips or advice - by all means - share it! On Twitter you can find me as @Wh1t3Rabbit, and if you want to discuss this post, or other similar security/business topics, hit the hashtag #SecBiz.

Cat Assassin Akademy said...

This is a problem that faces many, sustaining legacy systems while trying to advance. Like most public infrastructure issues, most have not even addressed "migration" or upgrade replacement plans.

HMI-ICS-ACS systems, products and architectures never were meant to address "lock down" ops/secure ops issues. Retrofit is happening, but the legacy issues of process instrumentation and data and systems access is almost overwhelming to many companies.

Outsourcing is here to stay, the competitive reasons for doing so are ingrained, but outsourcing does imply risk and exposure that risk management needs to address.

We see this all the time, insufficient resources to address systemic potential vulnerabilities. A paradigm shift may be necessary.

Cat Assassin Akademy said...

Good share.