IT leaders turn to third-party providers to manage tech debt

As tech debt threatens to cripple many IT organizations, a huge number of CIOs have turned to third-party service providers to maintain or upgrade legacy software and systems, according to a new survey.

A full 95% of IT leaders are now using outside service providers to modernize legacy IT and reduce tech debt, according to a survey by MSP Ensono.

The push is in part due to the cost of legacy IT, with nearly half of those surveyed saying they paid more in the past year to maintain older IT systems than they had budgeted. More importantly, dealing with legacy applications and infrastructure is holding IT organizations back, as nearly nine in 10 IT leaders say legacy maintenance has hampered their AI modernization plans.

“Maintaining legacy systems is really slowing down modernization efforts,” says Tim Beerman, Ensono’s CTO. “It’s the typical innovator’s dilemma — they’re focusing on outdated systems and how to address them.”

In some cases, CIOs have turned to service providers to manage legacy systems, but in other cases, they have looked to outside IT teams to retire tech debt and modernize software and systems, Beerman says. One reason they’re turning to outside service providers is an aging employee base, with internal experts in legacy systems retiring and taking their knowledge with them, he adds.

“Not very many people are able to do it themselves,” Beerman says. “You have maturing workforces and people moving out of the workforce, and you need to go find expertise in areas where you can’t hire that talent.”

While the MSP model has been around for decades, the move to using it to manage tech debt appears to be a growing trend as organizations look to clear up budget and find time to deploy AI, he adds.

“If you look at the advent of lot of new technology, especially AI, that’s moving much faster, and clients are looking for help,” Beerman says. “On one side, you have this legacy problem that they need to manage and maintain, and then you have technology moving at a pace that it hasn’t moved in years.”

Outsourcing risk

Ryan Leirvik, CEO at cybersecurity services firm Neuvik, also sees a trend toward using service providers to manage legacy IT. He sees several advantages, including matching the right experts to legacy systems, but CIOs may also use MSPs to manage their risk, he says.

“Of the many advantages, one primary advantage often not mentioned is shifting the exploitation or service interruption risk to the vendor,” he adds. “In an environment where vulnerability discovery, patching, and overall maintenance is an ongoing and expensive effort, the risk of getting it wrong typically sits with the vendor in charge.”

The number of IT leaders in the survey who overspent their legacy IT maintenance budgets also doesn’t surprise Leirvik, a former chief of staff and associate director of cyber at the US Department of Defense.

Many organizations have a talent mismatch between the IT infrastructure they have and the one they need to move to, he says. In addition, the ongoing maintenance of legacy software and systems often costs more than anticipated, he adds.

“There’s this huge maintenance tail that we weren’t expecting because the initial price point was one cost and the maintenance is 1X,” Leirvik says.

To get out of the legacy maintenance trap, IT leaders need foresight and discipline to choose the right third-party provider, he adds. “Take the long-term view — make sure the five-year plan lines up with this particular vendor,” he says. “Do your goals as an organization match up with where they’re going to help you out?”

Paying twice

While some IT leaders have turned to third-party vendors to update legacy systems, a recently released report from ITSM and customer-service software vendor Freshworks raises questions about the efficiency of modernization efforts.

More than three-quarters of those surveyed by Freshworks say software implementations take longer than expected, with two-thirds of those projects exceeding expected budgets.

Third-party providers may not solve the problems, says Ashwin Ballal, Freshworks’ CIO.

“Legacy systems have become so complex that companies are increasingly turning to third-party vendors and consultants for help, but the problem is that, more often than not, organizations are trading one subpar legacy system for another,” he says. “Adding vendors and consultants often compounds the problem, bringing in new layers of complexity rather than resolving the old ones.”

The solution isn’t adding more vendors, but new technology that works out of the box, Ballal adds.

“In theory, third-party providers bring expertise and speed,” he says. “In practice, organizations often find themselves paying for things twice — once for complex technology, and then again for consultants to make it work.”

Third-party vendors unavoidable

Other IT leaders see some third-party support as nearly inevitable. Whether it’s updating old code, moving workloads to the cloud, adopting SaaS tools, or improving cybersecurity, most organizations now need outside assistance, says Adam Winston, field CTO and CISO at cybersecurity vendor WatchGuard Technologies.

A buildup of legacy systems, including outdated remote-access tools and VPNs, can crush organizations with tech debt, he adds. Many organizations haven’t yet fully modernized to the cloud or to SaaS tools, and they will turn to outside providers when the time comes, he says.

“Most companies don’t build and design and manage their own apps, and that’s where all that tech debt basically is sitting, and they are in some hybrid IT design,” he says. “They may be still sitting in an era dating back to co-location and on-premise, and that almost always includes legacy servers, legacy networks, legacy systems that aren’t really following a modern design or architecture.”

Winston advises IT leaders to create plans to retire outdated technology and to negotiate service contracts that lean on vendors to keep IT purchases as up to date as possible. Too many vendors are quick to drop support for older products when new ones come out, he suggests.

“If you’re not going to upgrade, do the math on that legacy support and say, ‘If we can’t upgrade that, how are we going to isolate it?’” he says. “‘What is our graveyard segmentation strategy to move the risk in the event that this can’t be upgraded?’ The vendor due diligence leaves a lot of this stuff on the table, and then people seem to get surprised.”

CIOs should avoid specializing in legacy IT, he adds. “If you can’t amortize the cost of the software or the build, promise yourself that every new application that’s coming into the system is going to use the latest component,” Winston says.