Legacy Tech Meets Modern Threats as Kyndryl Rethinks Cybersecurity
The Business of Cybersecurity, May 24, 2025

Legacy systems are everywhere, quietly powering core operations in some of the world’s largest enterprises. But behind that familiarity is risk. In this episode of The Business of Cybersecurity, Paul Savill, Global Practice Leader of Networking and Edge Compute at Kyndryl, joins me to break down why aging infrastructure is becoming a major liability in today’s security posture.

We talk candidly about the security implications of 44 percent of enterprise technology being “out of life” and unsupported. Paul shares how that vulnerability becomes even more exposed as IoT devices proliferate and AI-powered attacks grow more sophisticated. It’s no longer a question of whether legacy tech is a problem, but how long organizations can afford to ignore it.

This conversation moves beyond the buzzwords and straight into the operational reality. Paul explains how Kyndryl’s post-IBM spin-off transformation included shifting to a cloud-first, zero trust model—and why that decision was just as much about improving agility and cost control as it was about reducing risk.

We also explore the human side of cybersecurity. Paul outlines how Kyndryl’s internal phishing simulations and scenario-based training have led to a measurable increase in employee-reported incidents. It’s a compelling argument for why building a cybersecurity culture beats any off-the-shelf solution.

From AI-enhanced social engineering threats to the disconnect between IT and OT teams, this episode highlights the practical steps business leaders can take to modernize without compromising day-to-day operations. If your cybersecurity strategy still depends on outdated tools and last year’s training modules, it might be time to rethink the foundation.

For more insight, check out the Kyndryl Readiness Report at kyndryl.com.

[00:00:04] Welcome to The Business of Cybersecurity, a podcast which is part of the Tech Talks Network. My name's Neil C. Hughes. You may know me from the Tech Talks Daily Podcast, which covers a completely different area every episode. And in this series, The Business of Cybersecurity, I explore where security and businesses intersect. Well, my guest today is the global practice leader of networking and edge compute at Kyndryl.

[00:00:33] And he's going to be delivering a wealth of knowledge on networking, cybersecurity, edge computing, and share his belief that IT resilience on its own is no longer enough. Because we're going to explore why IoT resilience needs to become a top priority for organizations navigating this hyper-connected world. And also share insights on three critical challenges that businesses must overcome.

[00:01:00] We have the growing threat of social engineering, employee education, and the fact that despite having robust security measures in place, 70 to 80% of enterprises still struggle with enforcement. And finally, there's legacy technology. We all know about technical debt, and it should be of no surprise that nearly 44% of enterprise tech is currently considered outdated and unsupported,

[00:01:27] creating major security exposure. So, how can businesses build networks that are resilient enough to withstand modern IoT threats? What steps should leaders take to balance IT and IoT security without compromising innovation? And how does employee education play into the broader strategy of network resilience? With the scene perfectly set, it's time to bring my guest on to today's episode.

[00:01:56] So, a massive warm welcome to the show. Can you tell everyone listening a little about who you are and what you do? So, I'm Paul Savill. I'm the global head of Network and Edge at Kyndryl. And basically what that means is that I work with our country presidents all over the world to support them in terms of how technology is evolving and changing in the network and edge compute space.

[00:02:22] My team looks at how new technologies that are emerging and does evaluations to decide what we think is going to really be of value to our customers. We oftentimes test that technology. We evaluate when it's ready for prime time.

[00:02:43] Those types of technologies that are really scalable and deployable across the world will productize them, so to speak, in a way that can be deployed and supported and managed at scale across the world. So, that's really the main responsibilities of me and my organization. Well, thank you for joining me on the podcast today. There's so much I want to talk with you about.

[00:03:09] When we look at things like threats, I think all too often it's AI and deepfakes. And AI, everything seems to be dominating our news feeds at the moment. But before you came on, one of the things I was reading is that the global deployment of IoT devices is expected to nearly triple by 2030. And I'm curious, from your vantage point here, how are these devices reshaping the threat landscape?

[00:03:35] And why do you think organizations are maybe not fully prepared for this new frontier of IoT vulnerabilities while everyone's distracted by AI? Yes, I think that it's changing the threat landscape dramatically. I mean, IoT is one of those areas that really expands the threat landscape from a footprint standpoint because there are just so many devices.

[00:04:03] And, you know, the scary thing about IoT is that there's a lot of research that shows that and tells us that hacks and penetrations that happen through IoT devices are actually much more costly on average than penetrations that happen from some other means.

[00:04:23] So when you look at history and some of the big hacks that have happened, some of the most costly ones have been as a result of penetration through IoT devices. Another big topic is technical debt. I think we've all seen examples of it. It exists in every organization in every corner of the world, whether it be a server sat in the corner of a room that nobody quite knows what it does,

[00:04:48] but it gets left on there or certain departments refusing to let go of those legacy apps. And the reason I bring this up is when I was looking at Kyndryl's research before you came on the podcast, predictably it did show 44% of enterprise technology is out of life and no longer serviced by vendors. And it almost feels like sometimes you can go into the office. It feels like stepping back in time to some of the sophisticated tech that we have in our home.

[00:05:15] So how does legacy technology contribute to increased security risk too? And any steps organizations should be taking to modernize that infrastructure more effectively? Because it's a universal problem, isn't it? It is. And this is really maybe the number one problem that we see at Kyndryl and that we see in my job, but where as we're helping customers understand what they should do with their networks and how they should evolve them over time,

[00:05:42] that percentage, that 44%, you know, that's a result of research that we did across all of the different technology areas that Kyndryl supports, you know, including mainframe and security and cloud and applications. But when I saw that statistic come out, it didn't surprise me a bit, frankly, from what my own experience with customers that we work with.

[00:06:06] It is just really amazing how, and it's amazing how much of a security threat that that poses. I mean, you can, a simple way for people to understand this is just, you know, you think about your iPhone, how we're always getting updates, software updates. And if you look at, well, what does this update do?

[00:06:26] Well, it, you know, fixes a security exposure or there's some new threat that's happening that a bug that the hackers have been able to create or take advantage of. And the, the, I don't know about you, but I'm like updating my software every, every month.

[00:06:45] And our, and our CISO tells us are constantly on top of us in our organizations about keeping our software up to date for our laptops and our phones. Can you imagine that it's the same thing with, with network devices and, and the, this, this quote around the infrastructure 44% being end of life.

[00:07:07] That is such a huge exposure for companies to not keep that up to date because, because of just the, you know, things keep continue to evolve. And, and the, the bad people that are out there continually figure, figure new things out and they're, they're, you know, with the advances of things like, like AI now coming into play,

[00:07:31] that that's, that's just going to make things even, you know, a factor larger being worse of an exposure to us now from it. So, so yeah, that, that statistic is really alarming, but it actually is not surprising to me based off the, the experiences that I've had with customers and helping them make their transformations.

[00:07:53] And of course, it's not just at the technology that can be the cause of a threat because social engineering attacks have now become so much more sophisticated. AI can make phishing emails so much more easy to write, especially if English is not your native language. And they often target executives and employees through seemingly harmless interactions.

[00:08:14] I've heard so many horror stories of people going to a LinkedIn page or a bad actor going to a LinkedIn page, seeing a CEO is out of town at an event and they can pretend to be that person, go to the website, get the email domain and send an invoice to the finance department that they're approving straight away. But I mean, I'm curious, how can businesses better protect their networks against tactics like these, especially in hybrid working environments where people are not just in the office and you can tap them on the shoulder and check?

[00:08:45] Yeah, it's, it's, well, there's a lot of things that, that you can do, but it is a, you know, it is a real issue. I, I think I've believed that there's a, there's some studies that say that roughly 90% of all penetrations begin with a social engineering engagement. And I believe that that's true based off of, based off of our, our experience.

[00:09:08] Your companies really have got to do a better job of, of training their employees and, and working with their employees on identifying these threats.

[00:09:18] You know, at our, at our company, I think our company has really done a really good job since we've been, you know, launched three years ago in building out our training programs involving things like, you know, online interaction with, with, you know, test scenarios.

[00:09:38] We do things, we do things even where we, we launch our own internally, our, our own security organization will, will run tests where, where they, they put out fake phishes to employees to see if, you know, employees will, you know, fall for the, fall for it.

[00:09:58] And if they do, then they let them know that, Hey, this was a mistake and, and we, and, and use it as a training opportunity to continue to raise the level of, of our employees awareness. But yeah, we've, we've seen this stuff happen a lot.

[00:10:15] And, and, and I've, you know, personally, I, I've had some funny instances where like, um, uh, you know, outside actors trying to, uh, phish, uh, us by, you know, claiming that they're our CEO, uh, that has an urgent request that, you know, things like this, uh, that, that is just, just popping up.

[00:10:37] And now we're, uh, with AI and, and the ability to create these, um, deep fakes of both a, uh, the sound of a voice or the image of a person that's just raising it to another whole level, uh, that, that we've all got to really, really be aware of. And of course, despite having robust cybersecurity practices in place, many enterprises struggle with enforcement. We've all seen those lazy headlines about, Hey, it's employees that are the weakest link in cybersecurity.

[00:11:06] But in their defense, they, for the most part, they're given an annual compliance cybersecurity, uh, course to do once a year from their desk where they just hit next for 25 minutes. So how can organizations better build a culture of continuous employee education and address these evolving cyber threats more effectively? Yeah, you know, and, and, and that's a, that is a, got to be one of the priorities of, uh, of a CISO's organization is, is continuing to,

[00:11:36] to, to recognize where those threat, uh, opportunities happen and, and continue to evolve the training programs around that. You know, and also they've got to recognize that a lot of, in a lot of situations, like some of the, some of the, the, the worst hacks that, that we've seen have actually come from, um, people that you might not think about as traditional employees, but, uh, contractors.

[00:12:00] People that you bring on, you know, that, that, that a company works with that, that they bring on as, uh, to do some kind of, uh, special maintenance or work on the, uh, on the side that may not have the kind of training that, that, uh, you, that, that, or go through the training that, that their core employees of a company has. And so that's another area of exposure that CISOs have to, to recognize and, and have an answer for, from a training and, and a governance standpoint.

[00:12:28] And whether we're talking about a new tech project or a new training initiative, one thing I always come back to is what's the ROI, what's the measurable difference, et cetera. And before you came on the podcast, I was reading that Kyndryl's cyber security training program actually led to a fourfold increase in employee-reported phishing incidents compared to industry standards, which is just fantastic. So what key elements of that program would you say contribute to that success?

[00:12:57] And for anybody or any leader or organization listening, what could they be doing to replicate results like this? Yeah. Yeah.

[00:13:05] So, you know, the, the, I know from my experience at Kyndryl, that the, the training is really good in a sense that it, it, uh, walks you through different scenarios where you, um, uh, it gives you many examples of situations that are, uh, some social engineering type of threat and other things that are not.

[00:13:27] So it gives you that kind of contrast where you go through and you're, you're, you're like taking a test and a guidance saying, okay, well, this is the prop that, no, this one is, uh, this is not a threat. Uh, oh, this one is a threat. And here's the reason why it's a threat. This is what identified. And they, the, they take you through that learning process where you're, you're able to compare, uh, and contrast things that are, um, you know, what you do have to worry about versus what you don't, you shouldn't be worried about.

[00:13:56] That I think is, was, is really effective part of the, the training that, that, that we received on that. And then the other one I mentioned earlier also is just the kind of the, the randomized testing that, uh, they do where they, um, uh, send something out to employees and, and see if employees fall for it.

[00:14:16] And then they return back to, to, to educate them to say, Hey, you know, uh, nothing to worry about, but, uh, uh, uh, you know, this, if this had come from, you know, an outside, uh, actor, then this, you know, this would, could have created a problem for us. So, you know, learn from the mistake and this. So that I think also is a very effective part of, of what, uh, Kyndryl does.

[00:14:40] And I think very often the lack of IT and operational technology integration, it could be another factor in expanding that threat landscape that we're talking about today. So how can enterprises, would you say, better bridge that gap to ensure, ensure comprehensive network resilience without disrupting operations? Because we've, I suspect we've all seen or had experiences where that balance has not got, uh, been gotten right. But any suggestions here or anything that you're seeing?

[00:15:09] Yeah, this is, this is actually an area that we see that is a, is a real struggle for enterprises now, particularly in certain industries, uh, like, like, uh, in the industrial sector,

[00:15:18] where traditionally, um, managers of the, of the operational technology really run that on their own without a lot of engagement, interaction, and support, and integration with the more centralized, uh, uh, CIO office type of activities that, that happen.

[00:15:43] And so now that particularly with the proliferation of IoT in these, uh, in these workplace environments, these manufacturing environments, and, and, you know, you could expand it to a lot of other different industries. The, um, that integration is just got, it's just imperative now that it happens because of the, the, uh, the threats that, uh, are posed by IoT that we were referencing earlier.

[00:16:07] The, uh, the, uh, the, the, these plant managers and the people that are managing that, that, uh, that operational technology really can't, uh, have the, you know, the CIO has kind of already made that in the CISO role has already kind of made that leap to understand where, what, what, what we need to do to prepare people and employees.

[00:16:29] But people managing the operational technology are, I think, less, less informed and less aware in there, and they're, the way that they have, the way that they, uh, support it is less integrated and unified with the, the corporate, um, the corporate standards and corporate approaches.

[00:16:46] So that's the real challenge that, that, uh, uh, I see in working with a lot of these enterprises and the companies that, that really where the operational leaders are open and they're, um, uh, able to coordinate with the CIO office and the CISO office, uh, much more closely. Those are the ones that, that are more effective in, in managing that risk.

[00:17:12] And I was also reading that Kyndryl has been on somewhat of a journey of its own, uh, transition from an on-premises network to a cloud first SASE based model, which also significantly enhanced security and of course reduced IT costs. But what lessons can other organizations learn from this transformation? And especially when looking to support a global hybrid workforce or distributed team, because it seems to be coming the norm at the moment, but anything you can pass on here too?

[00:17:40] Yeah. Yeah. Yeah. You know, when, when really a few years back, we were really in much, uh, in kind of a similar situation as a lot of our customers where we were on legacy technologies and we had, uh, still had some, uh, older end of life equipment into, into some of our assets. And so we went through that transformation of, of, of, of embracing, uh, zero trust, SASE type, uh, service capabilities.

[00:18:07] And, um, the benefits that we received are just tremendous from that. Um, the, I, my advice would be that, uh, to people out there that these technologies are really ready for prime time. You can trust them. You ought to be moving to them as quickly as you can. The, the AI ops tooling that is behind many of these technologies is just really advanced and incredible, incredibly effective, uh, in, in managing and mitigating security threats.

[00:18:36] And for us, in our experience, we believe that our security posture is magnitude factor greater and more improved than it was, uh, a few years back as a result of adopting these technologies. But that wasn't the only, the, the, the only benefit of it. Uh, we also received a lot of benefit in terms of reduction of costs of, of operations and networking expenses as a result of adopting these technologies.

[00:19:02] And the, the, the, we improved the, um, uh, employee experience by, uh, dramatically making it easier to, uh, uh, turn up and down services through, through, uh, the network and these technologies. So it was really a win-win, you know, over time across the fronts of security, exposure, cost and employee and customer experience. It was a win on all three of those fronts.

[00:19:30] But it does take some investment and it does take a lot of effort to pull that off. And that's actually one of the things that, you know, that my part of the business that we specialize in is helping customers make that transition and transformation in their own internal networks. And one thing that does seem to be speeding up, of course, is the pace of technological change. It's almost impossible to predict the future because of that pace.

[00:19:58] But if we do look ahead a few months or maybe into next year, what do you see as the biggest challenges and indeed opportunities for enterprises that are aiming to build those resilient networks that can withstand the increasing complexity caused by everything from AI, IoT, technical debt and cyber threats? Anything you can say around that?

[00:20:19] Yeah, well, you know, as I was saying, our research shows that most enterprises have not advanced their networks and their IT infrastructure to take advantage of these newer technologies now. The technologies I was just talking about, as I said, they're ready for prime time. And so they need to be working on making that change now and planning for that change now.

[00:20:48] Because, you know, the next big thing that's coming through, of course, that everybody's talking about is just how AI is going to play a role in supporting an enterprise from an infrastructure support standpoint, but also from a commercial standpoint and so on.

[00:21:06] So these technologies that are available to enterprises now really are not going to be replaced by AI, but they're just going to be further enhanced by AI.

[00:21:18] And you need to get that foundational, that next level foundational infrastructure in place for you to even be able to take advantage of the new tools that are going to be coming out from AI and the whole AI ops movement that we're starting to see happen now and is starting to really get real.

[00:21:37] Well, so many big takeaways from our conversation today, especially around cybersecurity, how it requires organizations to maybe equally prioritize IoT and IT resilience. But before I let you go, I'm going to have a little fun with you. We've been very serious today talking about a very serious and important topic. But I always ask my guests at the end to leave either a book that has inspired them that we can add to our Amazon wishlist or a song that means something to them we can add to our Spotify playlist.

[00:22:05] I don't mind which, but what would you like to leave us with and why? Yeah, sure. One book that really made a difference for me in terms of my management style and just how I approach the business and organizational issues is called Ego is the Enemy. And it's by Ryan Holiday. And he's written a couple of other books that I think are really good for business.

[00:22:30] But this is the one that really influenced the way that I handle, you know, as business managers, we have a lot of difficult decisions to make. We have a lot of scenarios where we have departments that are kind of in disagreement with each other. And so many times in my career, I've seen people's personal egos, you know, create a problem or result in the wrong decision.

[00:22:56] And this book, really, Ego is the Enemy, just walks you through so many different examples and stories of people that where they've succeeded or failed because of just the issue of ego. And so I would highly recommend that book to you in the audience if they haven't read it already. Oh, I'll be checking that out. And I will add it to the Amazon wishlist for everybody listening to check out too.

[00:23:19] And indeed, for anyone listening wanting to find out more information about Kyndryl and what we've talked about today, we referenced a report, for example, in some research. Anywhere in particular you'd like to point everyone listening? Yes. Yes. If you go to kyndryl.com, we've got a lot of resources there. You know, there is – we have that research report that you're talking about that is – we publish it every year.

[00:23:44] It's based off of a research we do across, you know, a thousand customers that are multinational corporations in the state of their IT infrastructure. So there's a lot of valuable information there. But there's also, besides that, just many, many different use cases and customer stories that we're allowed to talk about that actually some of them address the very issues that we've talked about today on the podcast.

[00:24:14] Well, I will add a link to the kyndryl.com website and also a direct link to that research so people can find it nice and easily. And as I said a moment ago, we've covered so much talking about IoT and AI and how that affects the threat landscape. But equally, social engineering, employee education, legacy tech, so much work that needs to be done in those areas. And it can be incredibly difficult for businesses to hit all of those markers. But I think from listening to you today, it can be much easier.

[00:24:43] So thank you for sharing your insights today. Okay. Well, thank you, Neil. Really enjoyed the conversation. My conversation with Paul today, I think, has made one thing clear. Cyber security in the age of IoT is an entirely new frontier. One that requires organizations to rethink their approach to network resilience.

[00:25:06] And with IoT devices set to triple in deployment by 2030, the threat landscape is expanding faster than most businesses can keep up. And whether it be the weaponization of social engineering attacks to the staggering statistic that nearly 44% of enterprise tech is outdated and unsupported, the risks are clearly substantial. But it's not all bad news.

[00:25:30] As Paul highlighted, ongoing employee education, such as Kyndryl's cyber security training program, can drastically improve threat detection. And the fact that Kyndryl's employees are reporting phishing attempts at four times the industry average, that proves that awareness and training works.

[00:25:50] So looking ahead, IoT, IT integration and IT integration will ultimately define whether businesses can stay secure or fall victim to this new era of cyber threats. So is your organization prepared to face the IoT challenge head on? How will you balance innovation and security as networks become more interconnected? Please, I'd love to hear your thoughts. Join the conversation. Share your perspective.

[00:26:18] But I hope you enjoyed yourself as much as I did today. I enjoyed myself so much. I'm going to come back tomorrow and do it all again. Why don't you join me? Thank you.