When "If It Ain't Broke, Don't Fix It" Becomes Negligence

Written By Ross Saunders

There's an old saying in IT circles that has caused more headaches than it has solved: "If it ain't broke, don't fix it." On the surface, this seems like sound advice. Why tinker with systems that are humming along nicely? Why risk introducing new issues when everything is stable?

The problem is that this philosophy, while comfortable, can quietly transform from prudent caution into outright negligence.

I've seen this play out countless times in my career. A company has systems that have been running smoothly for years. Their IT team has done a stellar job of maintaining stability, and there's an understandable reluctance to rock the boat. But here's the catch: while your systems haven't changed, the world around them absolutely has.

Technology doesn't stand still, and neither do the threats facing your organization or the regulations governing how you handle data. What was cutting-edge five years ago might now be a significant liability. What was compliant last year might be exposing you to regulatory action today.

The Hidden Cost of Stability

Let me give you an example. A few years back, I worked with a company that had a customer database running on infrastructure that was "perfectly fine." It handled their load, it was stable, and the team knew it inside and out. The problem? The encryption methods they were using had been deprecated years earlier, and their authentication mechanisms were woefully outdated by modern standards.

They weren't technically broken, but they were vulnerable. More importantly, they were no longer meeting the security requirements outlined in their contracts with major clients or the privacy legislation that had come into force since the system was built.

The team hadn't been negligent in the traditional sense. They were maintaining the system diligently. But by not regularly assessing modern alternatives and security practices, they had inadvertently created a compliance gap that could have resulted in significant penalties and reputational damage.

Privacy and Security Never Stop Moving

This is particularly acute in privacy and security. These fields move at a breakneck pace. New attack vectors emerge constantly. Privacy regulations evolve and expand. What was considered best practice three years ago might be wholly inadequate today.

If you're a development team or a CTO, you need to be asking yourselves regularly: "Are we keeping pace?" It's not enough to have implemented privacy-by-design principles when you built your system. You need to revisit them in light of new legislation, new threats, and new capabilities.

The same applies to your security posture. That firewall configuration that has kept you safe might not be sufficient against modern attack methods. Your authentication system might need multi-factor authentication where it didn't before. Your data retention policies might need updating to reflect current privacy requirements.

Making the Assessment

The good news is that staying current doesn't mean constant upheaval. It means regular, considered assessments of where you stand versus where you need to be. This involves:

  • Reviewing your systems against current security frameworks and privacy legislation

  • Evaluating whether modern alternatives offer meaningful improvements

  • Understanding the compliance requirements from your contracts, clients, and regulators

  • Identifying gaps between your current state and required practices

Sometimes you'll find that your systems are fine as they are. But often, you'll discover opportunities for improvement that reduce your risk, enhance your compliance, and yes, even improve performance.

Moving Forward

The key is to shift from reactive maintenance to proactive assessment. Build regular reviews into your planning. Stay informed about developments in privacy legislation and security best practices. And most importantly, don't let stability become an excuse for standing still.

If you're finding that your team could use some guidance in assessing where you stand or how to implement modern privacy and security practices without disrupting your operations, I'd be happy to help. Whether it's coming in to speak with your development team about practical privacy engineering or working with your leadership on compliance strategies, feel free to reach out!

Ross Saunders
Previous

Training That Sticks: Why Role-Based Privacy and Security Training Actually Works
Next

Training Your Development Team on Privacy: The Missing Piece in Your Compliance Puzzle