Forbes Newsletters

Plus: Legacy Systems Are Crowding Out Innovation

As new AI systems and platforms come online, companies are looking for tools and functionality that transform their business processes. But there’s one thing that can get in the way: Legacy computer systems.

A new study from managed service and consulting firm Ensono found that only a quarter of company leaders said their IT teams spend most of their time on innovation. The rest said their teams spend most of their time maintaining day-to-day operations (57%) and reducing technical debt (18%). Nearly half of company leaders spent more than was budgeted to maintain their legacy systems in the last year, and of those whose IT teams had to spend the most time on maintenance and tech debt, 86% said that budget constraints frequently delay innovation.

Companies said that they understand the importance of modernization. Nearly half said risks from legacy systems, including security vulnerabilities, loss of support and application downtime, are pushing them toward modernization. Almost two in five also said they struggle to release new features and products at the speed business demands. And more than a third said the tech debt and complexity of legacy systems make them want to update the entire stack.

But it can be difficult. There are budgetary concerns at play, but there’s also the need to keep critical systems functioning. Close to half of organizations said they would like to adopt a hybrid approach: Moving some applications and data from legacy systems, but keeping core legacy systems intact. Another 29% said they want to modernize what’s on the legacy systems. But 47% say they’ve been challenged by trying to integrate legacy systems with modern tools and platforms. More than four in 10 are frustrated by the limited ability to adopt automation and AI through modernization. And 37% say that updating legacy applications provides a lower ROI than a modern alternative. Adding to that, nearly nine in 10 have in-house talent gaps to do the work.

Modernization is a pervasive problem that is catching up to many companies, and the gaps in cost and productivity from legacy systems will not get any narrower. It’s time for companies to get serious about it, working on a detailed strategy for execution, aligning that strategy with the company’s overall business goals and coming up with a way to measure how it’s performing. By prioritizing this effort, a company can get itself ahead of the rest—and the time spent steeped in legacy data, workflow minutiae and overall strategy can make you even more ready to apply AI and other new technology in a way that can truly help reinvent your operations.

October is Cybersecurity Awareness Month, and I’m kicking it off with a conversation about how AI is impacting cybersecurity, both in terms of preparedness and companywide perception. I talked to two leaders from cybersecurity and incident response platform CYPFER: CEO Daniel Tobok and Executive Chairman Jason Hogg. An excerpt from our conversation is later in this newsletter.


Megan Poinski Staff Writer, C-Suite Newsletters


In today’s CIO newsletter:
  • Bits + Bytes: How to optimize cybersecurity around “time to recover”
POLICY + REGULATIONS
California Governor Gavin Newsom signed a package of comprehensive AI regulations into law this week. With its broad set of standards, and Silicon Valley’s outsized presence in the AI business, the new law could become a template for national regulations, writes Forbes contributor Paulo Carvão.

“California has proven that we can establish regulations to protect our communities while also ensuring that the growing AI industry continues to thrive. This legislation strikes that balance,” Newsom said in a press release. “AI is the new frontier in innovation, and California is not only here for it—but stands strong as a national leader.”

The law targets frontier AI models, which are large systems whose outputs could cause significant economic or security harms. Companies behind these systems must create and publish a framework document showing their complete risk assessment: How they use cybersecurity, implement governance and incident response processes, assess catastrophic risks, and adopt national and international standards. Critical safety incidents must be reported to California’s Office of Emergency Services within 24 hours if they pose imminent harm, or within 15 days otherwise. It also creates a way for companies and the public to report safety incidents, and includes whistleblower protections.

The new law is a redrafted version of one passed by the California General Assembly and vetoed by Newsom last year. At the time, Newsom wrote that he supported the goal of state regulation, but did not feel that the first bill evaluated risk in the best way. State Sen. Scott Wiener, a Democrat, was author of both versions of the law, and spent the last year getting input from companies that would be impacted. Politico reported that Anthropic backed the bill during the General Assembly session, and representatives from Meta, OpenAI and Anthropic told Politico that they were pleased with California’s approach to AI regulation so far.

BIG DEALS
AI cloud computing provider CoreWeave has another big deal. Meta signed a $14 billion deal with CoreWeave for AI computing infrastructure through 2031, and the Facebook owner has the option to expand its capacity through 2032. CoreWeave will give Meta access to Nvidia’s new GB300 systems, which will decrease the time it takes to train new AI models.

CoreWeave, whose stock jumped about 15% when the deal was announced, has been diversifying its business beyond Microsoft, which has been its largest partner. Last week, CoreWeave also announced a $6.5 billion expansion to its deal with OpenAI to power the training of its newest models.

FROM THE HEADLINES
Meta and other tech companies have been showing technology’s power to impact everyday life by adding high tech capabilities to wearable devices. As more of these become available, it’s time to craft workplace policies about them, writes Forbes senior contributor Janice Gassam Asare. Meta’s Ray-Ban smart glasses, which CEO Mark Zuckerberg has said are a platform for “personal superintelligence,” can capture video and audio, and it’s not necessarily clear when they are recording. The issue came to the fore after a viral TikTok video made by a woman who got a Brazilian wax by an esthetician who wore a pair of Meta glasses throughout the procedure. 

Gassam Asare writes that the waxing situation is a question of improper and illegal client surveillance, but there are other issues that could be at play. If video from a pair of smart glasses is hooked up to facial recognition software, it could be used for workers to get a wealth of information about people they are doing business with—such as demographic and income information, education level or home address. This could lead to unethical sales practices, like increasing prices based on a customer’s income. They could also be used for secretive office and employee surveillance, going several steps beyond tracking keystrokes or websites visited.

[Photo: CYPFER Executive Chairman Jason Hogg and CEO Daniel Tobok. Credit: CYPFER]
BITS + BYTES
Why Cybersecurity Should Not Be Considered A Tech Problem
AI is making big waves in cybersecurity—both for bad actors perpetrating attacks and good actors stopping them. This means companies need to retool their approaches to cybersecurity, with a big focus on preparedness, said cybersecurity and incident response platform CYPFER’s CEO Daniel Tobok and Executive Chairman Jason Hogg. This conversation was edited for length, clarity and continuity.

You’ve both said the use of AI to fight cyber attacks is progressing more slowly than the criminals using AI to perpetrate them. Why is using AI for good behind, and what will it take to catch up?

Hogg: Bad actors work in an unrestricted manner. They are not regulated, they don’t have ethical boundaries, and so if you have unrestricted work with no rule sets, boundaries or ethics, you’re able to take technology and deploy it very rapidly and maliciously. How do we counteract those activities that have proliferated very quickly, and do so ethically and in a compliant manner, where we’re adhering towards policies? 

I think the way that you can turn that and start to catch up or get ahead is to begin thinking about looking at the regulatory environment and saying, ‘How do we better prepare organizations and enterprises, analyze them, and anticipate where new attack vectors are going to come from so that we can better prepare them?’ 

Tobok: It’s unfortunately a lot easier to weaponize technology versus all the ethical things that we have to look at as the good guys. So it does take a little longer, and this is where the cycles of cyber over the past 25 years are kind of flowing. We always start from a little bit of a second position. We move into first, and then the threat actors are trying to pivot and find ways to find compromises and really weaponize whatever new technology is in their hands. 

I’ll just say this: The key is to be prepared, and not to sound cheesy, but we all know it’s not a matter of if, it’s a matter of when. That’s the only way we’ve been able to tackle cyber properly in the past 20 years, [when] it became really popular with lots of incidents and taking advantage of organizations. You have to be proactive. You have to be thinking ahead of the game on how you’re going to combat the situation and be better prepared. This is where AI can play a major beneficial role in being prepared for that, and having the right strategy and solution in place.

Let’s say you are well prepared, you are doing what you can to get ready for an attack, and you still get attacked. What happens next in terms of rebuilding both your cybersecurity and your company’s reputation?

Tobok: Preparation is key. Educate people, [do] consistent assessments and most important, have a plan. I know it sounds very simple, but today, small, medium and large organizations get breached. They don’t actually know who’s going to do what. They kind of know, ‘Okay, we’re going to call a number and hopefully they will have a solution for us.’ 

[What Jay and] I always say when we are both doing board meetings and trying to educate executives is you’ve got to have a plan that you can execute on, because everything comes to TTR: time to recover. A day, a week, a month is a major difference in different industries and different businesses. Some businesses could be losing $50 million a day by being non-operational. Some businesses can lose the production line and they cannot fulfill their orders, and they [could] go into a bankruptcy or a big financial strain.

Hogg: We need to change the way that we are conducting proactive services and testing: penetration testing, red teaming, dark web monitoring, threat intelligence. The way that we need to test it is we need to move in a much less restricted manner. There’s these currently orchestrated kabuki dances that take place between the security apparatus of an enterprise and the testing services, and it really does a disservice. If you tee up the ball, you can swing and hit it. It’s more a matter of when curve balls are coming at you.

A change that needs to be made there is that the testing should be overseen not just by either the CIO or the CISO’s organization, but someone else, like the general counsel’s office or the chief financial officer’s. Those are the places, to Daniel’s point, that are heavily impacted. You’ve got not only the financial losses Daniel was talking about, but you have legal obligations to your consumers and your partners. Having another party can also judge to make sure that it is a valuable test that’s taken place.

Tobok: We always say in the industry when there’s an incident, when there’s a breach, it’s not an IT problem. It’s legal, it’s compliance, it’s operational, it’s executive. Just because the items that were used to perpetrate the crimes are computers, it doesn’t mean this is an IT problem. This is the kind of shift that is required. The CFOs, the executives, legal, the GCs all have to be involved in this. This is a full company responsibility.

What advice would you give to a CIO, CTO or CISO on how to deal with what’s going on today?

Tobok: Cybersecurity does not have to be extremely expensive. It really starts with strategy. Before we start having all the servers and all the flashing lights and looking at technology as our shield, you’ve really got to look at strategy.

I think a lot of people in the industry today have been overtrained on tools and technology versus looking at strategy. I look at military and law enforcement, where it’s strategy first, tools later. We have to adapt that in the corporate world: really being prepared, understanding that it’s going to occur. How do we prepare best? 

Look at organizations that might not tell you what you like, but are really good for you. It’s like you’re sometimes afraid to go to the dentist, but he is going to tell you how it is, versus going to your friendly gardener who took a couple Google classes on how to deal with your teeth. 

In the end of the day, you’ve really got to understand what you’re dealing with. You might not like the info, but it is going to help you to prepare.

Hogg: I think that it’s going to take a mind shift. The average CISO’s tenure is somewhere between 18 and 24 months. To Daniel’s point earlier, we really need to have a different thought process than we’ll put all the risk on one human in our organization, and all the blame on that human, and they’re responsible for it. It’s a collective effort, and that really does require a significant shift in how everyone thinks about stuff. I believe that there is some practical regulation that could go into place with regard to what boards are required to support and what type of activities they are reporting, particularly public companies. 

The last thing I would say is private equity and venture capital firms should wake up and pay much more attention. I have an expression: Nothing vaporizes enterprise value like a breach. Forcing the discipline, in order to make sure that their portfolio companies are reviewed [is a good idea]. They’re a huge portion of the fabric of our society and the financial underpinning of our economy. Making sure that there’s a requirement that these organizations end up having requirements is going to be critical because it’s a force multiplier. If they’re not running it right, there could be 40 companies that aren’t being properly assessed.

COMINGS + GOINGS
  • Insurance provider New York Life appointed Deepa Soni as its executive vice president and chief information officer. Soni most recently worked as chief information and operations officer at The Hartford, and she has also worked in leadership at BMO Financial Group and M&T Bank.
  • Technology services and solutions provider Presidio promoted Paula Cipollone to a new role as chief transformation officer. Prior to joining the firm, Cipollone held senior leadership roles at Dell Technologies and Varian Medical.
  • Cybersecurity company CrowdStrike selected Amjad Hussain to be its first chief resilience officer. Hussain was most recently chief technology officer at Vanilla, and has also worked for Amazon Web Services and Microsoft.
Send us C-suite transition news at forbescsuite@forbes.com.
STRATEGIES + ADVICE
Passkeys are seen as an ideal way to provide stronger, password-free authentication—but those advantages don’t exist for AI agents doing work on an employee’s behalf. There are some ways to get around this problem, but they mean an entirely different way of looking at agent authentication.

Like any new technology, to be successful with AI, an enterprise’s tech leaders need to think about it somewhat differently than the prevailing sentiments and orthodoxies. Here are reasons why that’s so important, and ways to look at the tech and its possibilities in a realistic way.

Quiz
Tech CEO Elon Musk is still the world’s richest person, and his net worth passed a new milestone. This week, he was the first person to individually be worth how much?
A. $700 billion
B. $500 billion
C. $350 billion
D. $300 billion