What’s Application Decommissioning Got to Do with InfoSec?

Every organization has them: a number of applications that are no longer needed, but which have been left in place to provide access to historical content. The problem is that the existence of unneeded applications presents a clear and present security risk to an organization.

Chief Information Security Officers must concern themselves with sunsetting unneeded applications.

While the decommissioning, or “sunsetting,” of unneeded applications has to date generally been strictly within the purview of architects and application portfolio managers, I would argue that addressing these expensive and increasingly risky content repositories is something that Chief Information Security Officers (CISOs) now need to be concerned with.

We know of organizations where the number of unneeded applications runs in to the hundreds. These are applications which are no longer in active use, or in use at minimal capacity, but which continue to be maintained as part of an organization's technology portfolio.

Mergers and acquisitions or shadow IT create the environment for unneeded applications.

There are two reasons we often see this phenomena: 1) as a result of merger and acquisition activity and 2)  when business units have acquired applications outside an organization’s standard procurement process (shadow IT.)

Whatever the reason, leaving in place applications that are no longer needed represents a waste of budget dollars. And increasingly, organizations are finding they’ve lost the knowledge to even support these applications going forward.

But the biggest risk is in the sheer volume of content. That’s because dormant applications now are likely to contain terabytes and potentially petabytes of inactive content, the maintenance of which not only wastes budget dollars, but also constitutes a security risk.

Unneeded applications may contain data chock full of vulnerable, sensitive data.

Not only is the inactive content in these applications no longer needed to run the business, but much of it contains information that would be damaging if it were stolen. This information may contain  sensitive data in the form of personal identifying information (PII), private health information (PHI), payment card industry (PCI) data, or transaction details. It also may contain corporate information in the form of intellectual property.

It seems obvious that if an application is no longer needed, it should be decommissioned to eliminate the risks and costs associated with licenses, maintenance, and storage. So why are so many applications often left dormant but in place, serving as expensive—and very risky—content repositories?

To turn off unneeded applications, get consensus from stakeholders.

The single biggest reason applications do not get turned off is the difficulty of getting consensus from the key stakeholders. These are the folks who work in information security, the business, legal, records management, compliance, finance, and IT.

You have to get all these constituencies to agree to fully retire and decommission systems that are no longer actively used. It turns out that without agreement from all stakeholders, which is too often the easiest path forward, organizations just leave applications in place.

The CISO is now in the best position to advocate for retiring unneeded applications.

But with the growing threat of data breaches and recent press coverage of ever-larger thefts of customer data, the CISO is now the stakeholder in the best position to make—and close—the case to retire unneeded applications.

Doculabs has been working with some forward-thinking organizations to address precisely these issues, and we’ve outlined a clear process that CISOs can use to move through the analysis, decisions, and actions required to successfully complete an application decommissioning initiative. Download the white paper Using Application Portfolio Management for Information Governance to learn more.

Download the Using Application Portfolio Management for Information Governance White Paper


Rich Medina
Joe Shepley
I’m VP and Practice Lead, focusing on developing Doculabs’ InfoSec practice and its applications in a wide range of industries.