Legacy Tech Is Blocking Zero Trust: 66% Agree as Ransomware and AI Phishing Surge

Zero Trust plans meet legacy tech and tight budgets: 66% of organisations say they are blocked, and some spend 80% of their tech budget just on upkeep. Ransomware against OT is up 60% and AI phishing up 76%; move with intent.

Published on: Feb 11, 2026

Zero Trust Meets Reality: Legacy Systems, Tight Budgets, Faster Adversaries

Let's be honest: the gap between strategy decks and what teams can ship is wide. Recent findings put numbers to it: 66% of organisations say legacy systems block Zero Trust, and public sector agencies spend up to 80% of tech budgets just keeping the lights on. Meanwhile, ransomware against operational technology is up 60% year over year, and AI-driven phishing jumped 76% in a single month. Attackers are iterating faster; defenders need to move with intent.

Why Zero Trust Stalls

  • Legacy lock-in: Old platforms struggle with modern identity, segmentation, and telemetry. You can't verify what you can't see.
  • Budget gravity: With most funds tied up in maintenance, transformation feels optional, even when it isn't.
  • Identity sprawl: Mixed user, device, and service identities across cloud, data center, and OT environments create blind spots.

What's Changing on the Threat Side

Ransomware crews now target OT because downtime pays. AI makes phishing more convincing, more frequent, and harder to filter. Waiting for the "perfect" architecture is a risk by itself.

A Practical Path Forward for Government, IT, and Development

  • Start with identity and access: Enforce phishing-resistant MFA (FIDO2 for admins), enable conditional access, and apply just-in-time admin privileges.
  • Segment with purpose: Ring-fence OT and critical apps. Use microsegmentation or identity-aware gateways to reduce lateral movement.
  • Continuous verification: Check device health at access time, deploy EDR everywhere, and monitor east-west traffic.
  • Modernise without big-bang rewrites: Front legacy apps with Zero Trust proxies, add identity brokering, and apply the strangler pattern to retire debt over time.
  • Rebalance spend: Consolidate overlapping tools, decommission unused licenses, and standardise platforms to free 10-20% of O&M for security upgrades.
  • Automate the boring, fast-track the critical: Use SOAR, detection-as-code, and reusable playbooks. Test them with regular exercises.
  • Email and identity hygiene: Enforce DMARC, SPF, DKIM. Add user-reporting and rapid takedown workflows for spoofed domains.
  • Measure what matters: Track MTTR, policy exceptions, admin account usage, and segmentation coverage. Publish progress quarterly.
  • Procure for Zero Trust: Bake identity, logging, and API-level controls into contracts. Require SBOMs, signed builds, and clear shared-responsibility models.
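The email-hygiene item above (enforce DMARC, SPF, DKIM) is easier to act on with a checker that reads what a domain actually publishes. The Python script below is an added example, not code from the original article: it parses SPF and DMARC TXT records and flags weak settings, with a deliberately weak pair of records beside a hardened pair. The domain names and records are constructed samples, and DKIM is left out because a DKIM key lives under a selector name that cannot be discovered from the domain alone.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "high" or "medium" (this example's own ranking, not an RFC term)
    message: str


def parse_spf(txt: str) -> Dict[str, object]:
    """Split an SPF TXT record into its mechanisms, the qualifier on the
    terminal 'all', and a count of DNS-querying terms (RFC 7208 caps it at 10)."""
    if not txt.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    mechanisms: List[Tuple[str, str]] = []
    all_qualifier: Optional[str] = None
    lookups = 0
    for term in txt.split()[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            lookups += 1
            continue
        if low.startswith("exp="):
            continue
        qualifier = "+"                       # default qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
            continue
        mechanisms.append((qualifier, term))
        if name in ("include", "a", "mx", "ptr", "exists"):
            lookups += 1
    return {"mechanisms": mechanisms, "all": all_qualifier, "dns_lookups": lookups}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse the 'tag=value;' pairs of a DMARC TXT record."""
    if not txt.lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record")
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, spf_txt: Optional[str], dmarc_txt: Optional[str]) -> List[Finding]:
    """Return policy weaknesses for a domain's published SPF and DMARC records."""
    findings: List[Finding] = []
    if spf_txt is None:
        findings.append(Finding("SPF", "high", f"{domain}: no SPF record; anyone can claim to send as you"))
    else:
        spf = parse_spf(spf_txt)
        if spf["all"] in (None, "+", "?"):
            findings.append(Finding("SPF", "high", f"{domain}: SPF never fails unknown senders (needs -all)"))
        elif spf["all"] == "~":
            findings.append(Finding("SPF", "medium", f"{domain}: ~all only softfails; move to -all once senders are inventoried"))
        if any(t.lower().startswith("ptr") for _, t in spf["mechanisms"]):
            findings.append(Finding("SPF", "medium", f"{domain}: ptr mechanism is deprecated and slow to evaluate"))
        if spf["dns_lookups"] > 10:
            findings.append(Finding("SPF", "high", f"{domain}: more than 10 DNS lookups; receivers return permerror"))
    if dmarc_txt is None:
        findings.append(Finding("DMARC", "high", f"{domain}: no DMARC record; SPF/DKIM results are never enforced"))
    else:
        dmarc = parse_dmarc(dmarc_txt)
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append(Finding("DMARC", "medium", f"{domain}: p=none only monitors; spoofed mail is still delivered"))
        elif policy not in ("quarantine", "reject"):
            findings.append(Finding("DMARC", "high", f"{domain}: missing or invalid p= tag"))
        if policy == "reject" and int(dmarc.get("pct", "100")) < 100:
            findings.append(Finding("DMARC", "medium", f"{domain}: pct<100 leaves a share of spoofed mail unenforced"))
        if "rua" not in dmarc:
            findings.append(Finding("DMARC", "medium", f"{domain}: no rua= address, so you get no reports on who spoofs you"))
    return findings


# Constructed sample records for a hypothetical domain (not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.mailer.example ptr ~all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 include:_spf.mailer.example -all"
HARDENED_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@agency.example; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(f"== {label} ==")
        for f in assess("agency.example", spf, dmarc):
            print(f"[{f.severity}] {f.record}: {f.message}")
```

To use it against a live domain, feed `assess()` the TXT record returned for the domain itself (SPF) and for the `_dmarc.` subdomain (DMARC); the weak sample produces four findings and the hardened sample none.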

Public Sector Moves That Pay Off

  • Adopt reference architectures aligned to NIST SP 800-207 and the CISA Zero Trust Maturity Model.
  • Prioritise high-value services and mission systems for early controls (admin MFA, segmentation, continuous monitoring).
  • Use shared services to standardise identity, logging, and endpoint controls across agencies.

Six-Month Action Plan

  • Days 0-30: Inventory users, devices, apps, and data flows. Identify "crown jewels." Enforce MFA for admins. Disable legacy auth where feasible.
  • Days 31-60: Segment a critical app or OT zone. Pilot an identity-aware access proxy. Roll out phishing-resistant MFA to high-risk roles.
  • Days 61-90: Enable conditional access with device posture checks. Deploy EDR to servers and endpoints. Tighten email security and reporting loops.
  • Days 91-120: Migrate a high-risk legacy app behind the proxy. Implement least-privilege roles and break-glass controls.
  • Days 121-180: Expand segmentation. Run a ransomware tabletop. Present a budget shift plan tying spend to reduced risk and measurable KPIs.
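Several items from the practical path and the six-month plan (phishing-resistant MFA for admins, device posture checks at access time, just-in-time admin privileges, disabling legacy auth, break-glass controls) come together in a single access decision. The Python policy engine below is an added example, not code from the article or any vendor product: it evaluates one request against those controls and returns an allow/deny decision with the reasons, and flags break-glass use for SOC review. The authenticator and protocol labels, role names, clock value and sample requests are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List

# Assumed labels: how this hypothetical identity provider names authenticators, protocols and roles.
PHISHING_RESISTANT = {"fido2", "smartcard"}
LEGACY_PROTOCOLS = {"imap-basic", "smtp-basic", "pop3-basic", "ntlm"}
PRIVILEGED_ROLES = {"domain-admin", "plc-engineer", "db-owner"}


@dataclass
class Device:
    managed: bool        # enrolled in device management
    edr_running: bool    # EDR agent checked in recently
    os_patched: bool     # no overdue critical patches

@dataclass
class Grant:
    role: str
    expires_at: datetime  # just-in-time grants are always time-boxed

@dataclass
class Request:
    user: str
    is_admin: bool
    auth_method: str      # "password", "otp", "fido2", "smartcard"
    protocol: str         # "https", "imap-basic", ...
    device: Device
    resource_tier: str    # "crown-jewel" or "standard"
    requested_role: str
    grants: List[Grant] = field(default_factory=list)
    break_glass: bool = False

@dataclass
class Decision:
    allow: bool
    reasons: List[str]
    alert: bool = False   # True when the SOC should review this access


def evaluate(req: Request, now: datetime) -> Decision:
    """Decide one access request under the controls the article lists."""
    denials: List[str] = []
    notes: List[str] = []
    # Legacy protocols are blocked outright: they carry neither MFA nor device signals.
    if req.protocol in LEGACY_PROTOCOLS:
        return Decision(False, [f"legacy protocol {req.protocol} is disabled"])
    # Break-glass skips posture and JIT checks, never the authenticator check, and always alerts.
    if req.break_glass:
        if req.auth_method not in PHISHING_RESISTANT:
            return Decision(False, ["break-glass requires a phishing-resistant authenticator"])
        return Decision(True, ["break-glass access granted; SOC review required"], alert=True)
    # Admins must use phishing-resistant MFA; crown-jewel access needs at least some MFA.
    if req.is_admin and req.auth_method not in PHISHING_RESISTANT:
        denials.append("admins must authenticate with FIDO2 or smartcard")
    elif req.resource_tier == "crown-jewel" and req.auth_method == "password":
        denials.append("crown-jewel resources require MFA")
    # Device health is evaluated at access time, not once at enrolment.
    if not req.device.managed:
        denials.append("unmanaged device")
    if req.resource_tier == "crown-jewel":
        if not req.device.edr_running:
            denials.append("EDR agent not reporting")
        if not req.device.os_patched:
            denials.append("device is missing required patches")
    # Privileged roles exist only as unexpired just-in-time grants.
    if req.requested_role in PRIVILEGED_ROLES:
        active = [g for g in req.grants if g.role == req.requested_role and g.expires_at > now]
        if active:
            notes.append(f"JIT grant for {req.requested_role} expires {active[0].expires_at.isoformat()}")
        else:
            denials.append(f"no active just-in-time grant for {req.requested_role}")
    if denials:
        return Decision(False, denials)
    return Decision(True, notes or ["all checks passed"])


NOW = datetime(2026, 2, 11, 9, 0, tzinfo=timezone.utc)   # fixed clock for a reproducible run
HEALTHY = Device(managed=True, edr_running=True, os_patched=True)


def sample_requests() -> dict:
    """Constructed requests covering the common outcomes (not real accounts or systems)."""
    live = [Grant("plc-engineer", NOW + timedelta(hours=2))]
    stale = [Grant("plc-engineer", NOW - timedelta(minutes=5))]
    return {
        "admin_fido2_jit": Request("alice", True, "fido2", "https", HEALTHY, "crown-jewel", "plc-engineer", live),
        "admin_otp": Request("alice", True, "otp", "https", HEALTHY, "crown-jewel", "plc-engineer", live),
        "expired_grant": Request("alice", True, "fido2", "https", HEALTHY, "crown-jewel", "plc-engineer", stale),
        "legacy_imap": Request("bob", False, "password", "imap-basic", HEALTHY, "standard", "reader"),
        "break_glass": Request("bg-01", True, "smartcard", "https", Device(False, False, False),
                               "crown-jewel", "domain-admin", break_glass=True),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        d = evaluate(req, NOW)
        print(f"{name:16} allow={d.allow} alert={d.alert} {'; '.join(d.reasons)}")
```

The order of checks is deliberate: the legacy-protocol block and the break-glass path return early, every other failure is collected so the user (and the SOC) sees all reasons at once, and the `alert` flag is the hook for the detection-as-code and playbook items above.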

Developer Checklist

  • Use OIDC/OAuth2 with short-lived tokens and mTLS for service-to-service calls. Consider SPIFFE/SPIRE for workload identity.
  • Centralise secrets in a vault and automate rotation.
  • Generate SBOMs, sign artifacts, and verify in CI/CD. Target SLSA-aligned practices.
  • Prefer feature flags and progressive delivery to reduce blast radius.
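For the first developer checklist item, the Python code below is an added example (not from the article) of what "short-lived tokens" means at the verifying service: an HS256 JWT is rejected when its signature, issuer, audience or lifetime is wrong, including a validly signed token whose lifetime exceeds the assumed 15-minute policy, and the algorithm is pinned rather than read from the token. The key, issuer URL, service names and timestamps are constructed; mTLS and SPIFFE/SPIRE are outside the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

MAX_TTL_SECONDS = 900   # assumed policy: no access token lives longer than 15 minutes
LEEWAY_SECONDS = 30     # tolerated clock skew between issuer and verifier


class TokenError(Exception):
    pass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    """Serialise a JWT header or claims object as a base64url segment."""
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def _decode_json(segment: str) -> dict:
    """Decode one segment; any malformation becomes a TokenError."""
    try:
        value = json.loads(_b64url_decode(segment))
    except ValueError as exc:                 # covers binascii.Error and JSONDecodeError
        raise TokenError("malformed segment") from exc
    if not isinstance(value, dict):
        raise TokenError("segment is not a JSON object")
    return value


def issue_token(key: bytes, subject: str, audience: str, issuer: str,
                ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Mint a compact HS256 JWT that expires ttl_seconds after issue."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl_seconds}
    signing_input = f"{encode_segment(header)}.{encode_segment(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, audience: str, issuer: str,
                 now: Optional[int] = None) -> Dict[str, object]:
    """Verify signature, binding and lifetime; raise TokenError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    head_b64, claims_b64, sig_b64 = parts
    if _decode_json(head_b64).get("alg") != "HS256":   # pin the algorithm; never trust the token's choice
        raise TokenError("unexpected alg")
    try:
        provided = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise TokenError("malformed signature") from exc
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):    # constant-time comparison
        raise TokenError("bad signature")
    claims = _decode_json(claims_b64)
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if claims.get("aud") != audience:                  # a token for service A must not open service B
        raise TokenError("wrong audience")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        raise TokenError("missing iat/exp")
    if exp - iat > MAX_TTL_SECONDS:                    # refuse long-lived tokens even when validly signed
        raise TokenError("token lifetime exceeds policy")
    if now > exp + LEEWAY_SECONDS:
        raise TokenError("token expired")
    return claims


def token_problem(token: str, key: bytes, audience: str, issuer: str,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the rejection reason, or None when the token is acceptable."""
    try:
        verify_token(token, key, audience, issuer, now)
        return None
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"   # constructed; real keys come from a vault
    tok = issue_token(key, "svc-billing", "svc-ledger", "https://idp.agency.example", now=1_000_000)
    print(verify_token(tok, key, "svc-ledger", "https://idp.agency.example", now=1_000_100))
    print(token_problem(tok, key, "svc-ledger", "https://idp.agency.example", now=1_001_000))
```

The lifetime check on `exp - iat` is the part most libraries leave to the caller: a verifier that only checks `exp` will happily accept a two-hour token from a misconfigured issuer, which defeats the point of short-lived credentials. In production the shared secret would be replaced by an asymmetric key fetched from the identity provider, with the same algorithm pinning.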

Leadership Focus

  • Treat Zero Trust as an operating model, not a product. Fund decommissioning alongside deployment.
  • Set outcome-based KPIs and publish progress. Reward teams for retiring legacy and reducing access scope.
  • Mandate shared controls across departments to avoid tool sprawl.

Upskill Your Team

AI is now table stakes for both attackers and defenders. Build literacy across roles (security, IT ops, and developers) so they can ship safer systems faster.

The Bottom Line

Legacy systems and budget lock-in explain why Zero Trust lags, but the threat tempo won't slow down. Start with identity, segment what matters, automate response, and fund decommissioning. Small, visible wins each quarter will compound into real risk reduction.

