Gartner analysts explain how infrastructure and operations teams can address the accumulation of outdated systems and make a compelling business case for upgrades
Infrastructure technical debt is the accumulation of work required to keep systems operating reliably and securely, and it happens because infrastructure deteriorates, according to Tony Harvey, vice-president analyst at Gartner.
For example, five-year-old servers can start causing problems, leading most organisations to replace them. If not, after seven years, availability of spare parts can become an issue. If they last 10 years, “you’re either hoping they don’t fail, or that they do so you can finally replace them”, he suggested.
Infrastructure and operations teams have two natural allies, he said: the CIO, their link to the board, which controls the purse strings; and the chief information security officer (CISO). The CISO, he added, often hates technical debt even more because it’s their “neck on the chopping block when the ransomware attack comes in through that old stuff that you keep running”.
The challenge is that leaders outside IT often take the view that if something is working, there’s no need to replace it. “So, you need to make it their problem, and different audiences have different languages,” said Harvey. These audiences might be driven by innovation, cost savings, or risk reduction. Whatever their motivation, technical debt management should be presented as a business value enabler.
The chief financial officer (CFO), for example, may not care that a system is nearing end of support. “What you need to explain to them is that it will increase the risk of them losing money because we could have a failure, and failure in this particular system will cost us X dollars per hour. That’s the language that CFOs understand,” Harvey explained.
However, to reduce technical debt, infrastructure and operations teams must first know what debt they have, which requires a complete and accurate inventory of their environment. Fortunately, tools are available to assist with this, he said.
Once inventoried, the technical debt can be revealed to stakeholders, priorities can be determined, and remediation plans can be made.
In some cases, companies are stuck with obsolete operating systems. “Nine times out of 10, it will be something like, ‘Well, it’s attached to a CNC milling machine, and if we replace this, we have to replace the CNC milling machine’,” Harvey noted. In such scenarios, “the security team is just going to have to deal with it”.
For everything else, looking for quick wins will demonstrate progress. The quickest win, he suggested, is the removal of “zombie servers” – those that no one dares to turn off because their purpose is unknown. Network tools can reveal what these servers are doing and who is using them, “and frequently, the answer is nothing and nobody”. The same applies to zombie virtual machines (VMs).
Another relatively quick win involves replacing obsolete on-premises applications with a software-as-a-service (SaaS) equivalent. One of Harvey’s clients was using an unsupported version of Hyperion on an outdated operating system and hardware. “[They] can’t get rid of it because this is used by people who report directly to the board for the financials.” A simple solution, Harvey suggested, was to “go to Oracle Financials in the cloud...and it’s not your problem anymore”.
Infrastructure and operations teams should also lead by example and upgrade their own systems. “You should be able to get the CIO to approve the budget for this because it’s in your control,” said Harvey. This includes upgrading core infrastructure servers to the latest version of their respective operating systems, making it much easier to mandate that other parts of the organisation also upgrade and hold them accountable.
A crucial first step is to stop installing old products. This requires backing from the CIO and other executives, Harvey said, but rules should be established, such as: “We will not install any new copies of Windows Server 2016…because it’s going to reach end of support in 2026.”
“If you make it easy for people to do the right thing, nine times out of 10, they’ll do the right thing,” he continued. For example, if offering self-service VM deployment, only provide choices like Windows Server 2019 and 2022, and perhaps an upcoming version.
“Believe me, this actually works,” said Harvey.
Anyone requiring an older version should be mandated to get approval from the CEO, the CIO, and the head of their business unit, and acknowledge that their system will be added to the risk register as a security threat. Furthermore, with the CFO’s blessing, the cost of extended support for outdated software should come from the business unit’s budget, not the IT budget.
When technical debt is remediated, celebrate the win. Ensure leadership is aware that a good job was done in retiring out-of-support software, highlighting the financial and security benefits that accrue.
“Showing progress creates momentum, and momentum drives you forward,” he said. “Over the next 12 months, establish a process to evaluate your progress and always, always, always keep celebrating your wins.”
Patching won’t clear threat debt
Threat debt is a subset of technical debt – specifically, the part that threat actors are likely to exploit, explained Craig Lawson, vice-president analyst at Gartner.
“Patching is one of the most complicated, difficult, frustrating processes in all of IT. It touches everything. You can’t escape it,” he said.
However, it’s a fallacy to think that faster patching alone will fix the problem: “I’ve never seen anyone ever outpatch threat actors, not one.”
Lawson pointed out that over at least 15 years, only about 8% to 9% of vulnerabilities have been exploited in the wild. Of those, around 95% were exploited on or before the day of disclosure.
Traditional timescales for patching are typically 14 days for critical vulnerabilities, 30 for high, and 60 for medium. Yet most vulnerabilities, regardless of severity, are exploited within one or two days. “So, you can meet your SLA [service level agreement] and waste a lot of time applying patches without actually improving your security posture,” Lawson warned.
“We’re not saying don’t patch,” he clarified. But sometimes patches break things, and “if you lose 1,000 hours from a patch or a breach, it’s kind of the same thing to your clients”.
Therefore, organisations should think in terms of exposure management rather than pure patch management, as the real issue is whether a vulnerability can be exploited in their specific environment.
“There are a limited number of hours each week, so what can you do that makes the biggest difference?” Lawson said. For instance, an organisation might have 27 systems with a critical Java vulnerability that is 63 days old, but patching Java is complex due to multiple subcomponents needing prerequisite patches.
However, these systems are likely protected by other measures. “You do have app control, DNS filtering, zero-trust network segmentation, firewalls and so on protecting your systems,” said Lawson. “You’ve probably got at least 10 compensating controls, and patching is another one.”
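To make the contrast between SLA-driven patching and exposure management concrete, here is an added illustration (not Gartner's or the analysts' code) that ranks the same three constructed findings both ways; the severity weights, the multiplier for exploited-in-the-wild issues, the halving per compensating control and the sample hosts are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Severity-based patch SLAs quoted in the article (days): 14 critical, 30 high,
# 60 medium. The "low" entry and the severity weights are assumptions.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

@dataclass(frozen=True)
class Finding:
    host: str
    issue: str                  # constructed label, not a real vulnerability id
    severity: str
    disclosed: date
    exploited_in_wild: bool     # e.g. listed in a known-exploited feed
    compensating_controls: int  # app control, DNS filtering, segmentation, IPS...

def sla_due(f: Finding) -> date:
    """Traditional patch management: due date = disclosure + severity SLA."""
    return f.disclosed + timedelta(days=SLA_DAYS[f.severity])

def sla_order(findings):
    """Order work by SLA due date, most overdue first."""
    return [f.host for f in sorted(findings, key=sla_due)]

def exposure_score(f: Finding) -> float:
    """Exposure management: exploited-in-the-wild issues dominate, and each
    independent compensating control is assumed to halve residual exposure."""
    score = SEVERITY_WEIGHT[f.severity]
    if f.exploited_in_wild:
        score *= 5  # assumed multiplier; tune to your own threat intelligence
    return score / (2 ** f.compensating_controls)

def exposure_order(findings):
    """Order work by residual exposure, highest first."""
    return [f.host for f in sorted(findings, key=exposure_score, reverse=True)]

# Constructed sample: the 63-day-old critical Java issue sitting behind ten
# controls, plus two younger findings, one of them already exploited in the wild.
TODAY = date(2025, 6, 1)
SAMPLE = [
    Finding("app-java-01", "java-subcomponent", "critical",
            TODAY - timedelta(days=63), False, 10),
    Finding("vpn-gw-02", "auth-bypass", "medium",
            TODAY - timedelta(days=2), True, 1),
    Finding("fileshare-03", "file-service-bug", "high",
            TODAY - timedelta(days=20), False, 3),
]

if __name__ == "__main__":
    print("SLA order:     ", sla_order(SAMPLE))       # Java first, 49 days overdue
    print("Exposure order:", exposure_order(SAMPLE))  # exploited VPN issue first
```

The SLA view puts the overdue Java patch at the top of the queue, while the exposure view puts the actively exploited, lightly protected finding first and pushes the well-shielded Java issue to the bottom.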
Notably, he added, the Microsoft Active Protections Program provides dozens of security suppliers with copies of exploits ahead of Patch Tuesday. This allows their products, such as web application firewalls and intrusion prevention systems, to offer virtual patching on the same day updates are released.