
Beware cybersecurity tech that’s past its prime — 5 areas to check or retire – Source: www.csoonline.com


Source: www.csoonline.com – Author: Mary K. Pratt

Feature | 14 Jan 2025 | 7 mins

CSO and CISO, Security Hardware, Security Practices

Cybersecurity products are evolving quickly, more so than ever with the advent of AI-driven resources. Here are some technologies and practices that are getting long in the tooth.

Cybersecurity leaders can choose from an ever-expanding list of digital tools to help them ward off attacks and, based on market projections, they’re implementing plenty of those options.

Gartner predicts a 15% increase in cybersecurity spending for 2025, with global expenditures expected to reach $212 billion in the upcoming year. The research and consulting firm says spending on security software alone will jump 15.1% from 2024 to 2025, rising to nearly $100.7 billion from $87.5 billion.

Although the purchase of new-to-market capabilities — such as those enabled by generative AI — drives a good part of that spending, CISOs say their need to upgrade from outdated tech also fuels a chunk of their planned tech purchases.

In fact, interviews with multiple CISOs reveal that they see some longstanding cybersecurity tech as ready for replacement.

For example, David Ulloa, CISO with US drayage firm IMC Companies, keeps a list of tech that CISOs should retire, citing signature-based antivirus, basic intrusion detection systems, outdated encryption protocols, legacy VPNs, basic endpoint protection, password-based authentication, and some firewalls.

Here, he and other security leaders identify some major security tools (and related practices) they see as being past their prime:

1. Password-based security controls

“I think passwords are out. I think passwords are done, especially [using them] with third parties,” says Richard Marcus, CISO at software maker AuditBoard. “You don’t want to give a credential to a third party that can be breached and then used against you; so, unless you’re really disciplined about rotating those credentials, the risk is too high.”

Marcus isn’t the only one to call out passwords as problematic: The Ponemon Institute, in its 2023 Cost of a Data Breach Report, found that 50% of all breaches could be attributed to stolen or weak passwords.

Marcus says in 2024 he started moving his company away from the use of password-enabled security controls and toward greater use of dynamic authentication.

“When we select vendors, we tell them we’re not going to issue a password or even a token or a key, those are all examples of static authenticators,” he says. “But we’re also realistic, so if there is a product we need that requires passwords, then we require passwords to be rotated frequently. For us, the use of static credentials has become the exception, not the rule.”

2. Mandatory scheduled penetration testing

Although it is not a specific security tool, mandatory scheduled pen testing is nevertheless cited by some as an outdated strategy.

Attila Torok, CISO at tech company GoTo, for one, believes those once- or twice-a-year penetration tests done to satisfy regulatory or vendor requirements don’t effectively evaluate an organization’s true security posture. Rather, he says they capture only a snapshot of the environment’s security at one date in time.

“Our environment is changing all the time. We change our code multiple times a day, so having [pen testing] once a year is nothing [much of value], and it’s really expensive,” he says.

Torok doesn’t completely discount pen testing overall, though. In fact, he says his security department has an offensive team that regularly tests the environment for vulnerabilities, explaining that he believes that kind of dynamic approach to pen testing is more effective for ever-changing environments.

He also has a bug bounty program, which he believes is more effective than semi-annual or even quarterly scheduled pen tests. “With pen tests, the company gets paid no matter what they find but for a bug bounty program, they have to find something meaningful to be paid, so they’re more incentivized [to find vulnerabilities],” Torok adds.

3. VPNs

Virtual private networks are another security tool that some CISOs say has limited value today.

“VPNs are valuable, but they are valuable only in certain contexts,” says Pablo Ballarin, who as co-founder of BALUSIAN, S.L. works as a CISO, cybersecurity adviser and ethical AI consultant. “They’re valuable if you have many workers in your organization who have their own laptops and have no other means to securely access internal services. But there are other solutions that make more sense.”

Research has found that VPNs can be a conduit for attacks. For instance, the “Cybersecurity Insiders 2024 VPN Risk Report” found that 56% of enterprises had experienced at least one cyberattack targeting unpatched VPN vulnerabilities over the course of the previous year. The report also found that 91% of the 647 IT and security experts it surveyed “expressed concerns about VPNs compromising their IT security environment, with recent breaches illustrating the risks of maintaining outdated or unpatched VPN infrastructures.”

Ballarin says it’s not so much that the VPN is worthless but that the days when security could rely on it to a significant degree are over. “It’s more that you have to implement complementary solutions to the existing ones,” he adds.

Ballarin and others recommend defense in depth, saying organizations must have multifactor authentication, certificate-based authentication and a zero-trust strategy in place of or in addition to VPNs (which some still need for accessing legacy apps).

4. On-prem SIEMs

A security information and event management (SIEM) system, which is tasked with recognizing and addressing potential security threats and vulnerabilities before they cause problems, is a foundational security tech.

But George Gerchow, faculty at IANS Research as well as interim CISO and Head of Trust at MongoDB, said on-prem SIEMs have got to go.

He says they have too many alerts — driving up alert fatigue instead of helping to alleviate it. And they’re not cloud aware, he says, which forces organizations to either move and store vast amounts of data (at an expense) or forgo using all of the data needed to ensure security of cloud deployments.

“If I have to pay an exorbitant amount of money for logs, then I’m picking and choosing which ones mean the most and taking a big gamble with security,” he explains. “I might not have the right logs when an incident hits, and I might not have those logs because of the costs.”

Gerchow acknowledges that many companies keep on-prem SIEMs because they don’t want to put sensitive log data in the cloud, but he says he still thinks the time for on-prem SIEMs has passed.

5. Conventional firewalls

The firewall is one of the earliest cybersecurity technologies out there, dating back to the 1980s. The first versions were packet filters embedded in routers meant to stop traffic based on predefined rules typically centered around source and destination IP addresses, port numbers and the protocols used.

The firewall, of course, has evolved since then. While some versions are equipped for today’s complex digital environment, CISOs say simple firewalls and outdated web application firewalls (WAFs) aren’t up to the task anymore.

“Firewalls aren’t going away, but it’s the end of the traditional hardware asset. You still need a firewall but there’s a movement away from a heavy-duty hardware asset to digital,” says Stephanie Hagopian, who, as vice president of physical and cybersecurity solutions at tech sales and advisory firm CDW, leads a team of consultants advising CISOs.

Hagopian says CISOs typically upgrade to more modern firewalls as part of their refresh cycles when they shed legacy and on-prem hardware for cloud and other modern digital tech. “It’s not just flip-the-switch,” she adds. “You have to configure the new firewall and get out the old hardware, and the team has to learn to manage the new technology. It’s an effort for an organization, but as hardware is refreshed, it’s forcing them to make that change.”


Original Post url: https://www.csoonline.com/article/3800858/beware-cybersecurity-tech-thats-past-its-prime-5-areas-to-check-or-retire.html

Category & Tags: CSO and CISO, IT Leadership, Security Hardware, Security Practices, Security Software
