The first network message was sent over ARPANET in 1969. A few years later, Vint Cerf and Bob Kahn introduced the Internet Protocol — the foundation for modern network communication. In 1983, NetBIOS was created. In 1985, DNS. In 1991, the World Wide Web. These protocols are still running in enterprise networks today.
The enterprise network was never designed for what it has become. It was designed for a world where applications lived in data centres, users sat at desks, and the perimeter was a physical boundary you could draw on a map. That world no longer exists.
The weight of technical debt
Technical debt is the accumulated cost of short-term decisions made under pressure. Every time an organisation chose to patch rather than replace, to work around rather than fix, to defer rather than invest — it added to the debt. The interest on that debt compounds.
For enterprise networks, the debt is enormous. Routing protocols designed in the 1980s. Firewall rule sets with thousands of entries that nobody fully understands. VPN concentrators held together with hope and maintenance contracts. MPLS circuits that cost ten times more than their cloud equivalents and deliver a fraction of the performance.
The true cost of this legacy is not the licensing and support fees — though those are significant. The true cost is what it prevents you from doing. Legacy infrastructure is the anchor that holds digital transformation in place.
Security debt is the most dangerous kind
Network technical debt has a direct security consequence. Old protocols have known vulnerabilities. Unpatched systems are attack surfaces. Complex firewall rules hide misconfigurations. Flat networks enable lateral movement. VPNs expose the entire network to anyone who compromises a credential.
Ransomware operators understand this better than most CISOs. They have detailed knowledge of the vulnerabilities in legacy infrastructure. They know which VPN products have unpatched CVEs. They know how to move laterally through flat networks. They know that most organisations have not fully segmented their environments.
The Colonial Pipeline attack. The SolarWinds compromise. The Microsoft Exchange vulnerabilities. In each case, legacy architecture — infrastructure that was never designed to withstand modern threats — was a critical enabling factor.
The transformation imperative
The answer is not incremental improvement. Patching a 30-year-old protocol does not make it secure — it just delays the reckoning. The answer is architectural transformation: replacing legacy infrastructure with cloud-native, Zero Trust architecture designed for the world we actually live in.
This is hard. It requires budget, commitment, and the willingness to accept short-term disruption for long-term security. It requires organisations to make peace with the fact that the infrastructure they spent decades building is now a liability.
But the alternative is worse. Every year of delay is another year of compounding debt. Another year of attack surface that adversaries can exploit. Another year of architecture that constrains the business rather than enabling it.
Where to start
The transformation does not have to happen overnight. But it does have to start. The most effective approach is to identify the highest-risk legacy components — typically VPN infrastructure and flat network segments — and begin replacing them with Zero Trust Network Access and microsegmentation.
Start with the applications that matter most. Prove the model. Then expand. The goal is not to rip out everything at once, but to establish a new architectural direction and move consistently toward it.
The organisations that do this successfully share a common characteristic: leadership that understands that security transformation is not an IT project; it is a business imperative. When the CISO and CIO have the mandate and the budget to transform — not just maintain — the results follow.