What are the most effective ways to update legacy cybersecurity architecture, in your experience? Have you used consultants or external resources for modernization projects like this?
It really depends where you are in the journey. If you still need to fully catalog the architecture in meaningful categories, we got value from our VAR of choice - they all can bring their own framework to bear with no investment (besides time) and you'll quickly see a meaningful representation.
If you already have that and need to prioritize, we've started using ATT&CK for hotspots. We catalog our biggest external threats and threat actors as an overlay of the framework, which will show you the hotspots. We then also look at the efficacy and coverage for tools. YMMV, but this is another area you can often get free advice for.
Finally, for implementation, we have a SecEng team, but I've also used implementors or the VAR again (a good VAR goes a long way, in my opinion) to augment the team.
Hope this helps!
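The ATT&CK hotspot-and-coverage overlay described in the reply above, as an added example (not the poster's code): tracked threat actors are mapped to techniques, counted to find hotspots, then compared against what deployed tools claim to cover so that uncovered hotspots stand out. Actor names, tool names and all mappings are constructed sample data; the technique IDs are real ATT&CK IDs but the assignments are illustrative, not sourced intelligence.

```python
from collections import Counter

# Constructed sample data: ATT&CK techniques attributed to each actor of concern.
# Actor names are placeholders and the mappings are illustrative only.
ACTOR_TECHNIQUES = {
    "ActorA": {"T1566", "T1078", "T1059", "T1021", "T1486"},
    "ActorB": {"T1566", "T1078", "T1059", "T1105"},
    "ActorC": {"T1190", "T1078", "T1021", "T1486"},
}

# Constructed sample data: techniques each deployed tool claims to detect or prevent.
TOOL_COVERAGE = {
    "email-gateway": {"T1566"},
    "edr": {"T1059", "T1105", "T1486"},
    "idp-mfa": {"T1078"},
}


def technique_heat(actor_techniques):
    """Count how many tracked actors use each technique (the hotspot overlay)."""
    return Counter(t for techs in actor_techniques.values() for t in techs)


def coverage_by_technique(heat, tool_coverage):
    """Map each observed technique to the tools covering it (empty list means a gap)."""
    return {t: sorted(name for name, techs in tool_coverage.items() if t in techs)
            for t in heat}


def coverage_gaps(heat, tool_coverage, min_actors=2):
    """Hotspots used by at least min_actors with no covering tool, hottest first."""
    covered = set().union(*tool_coverage.values())
    gaps = [(t, n) for t, n in heat.items() if n >= min_actors and t not in covered]
    return sorted(gaps, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    heat = technique_heat(ACTOR_TECHNIQUES)
    tools = coverage_by_technique(heat, TOOL_COVERAGE)
    for t, n in sorted(heat.items(), key=lambda x: (-x[1], x[0])):
        print(f"{t}: {n} actor(s), covered by {tools[t] or 'nothing'}")
    print("uncovered hotspots:", coverage_gaps(heat, TOOL_COVERAGE))
```

Lowering min_actors to 1 also lists single-actor techniques, which is useful when one actor matters far more than the rest.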
I recommend prioritizing critical systems by understanding the technology that you would like to update and how the technology update will affect your administrators, team, and users. I prefer modern technologies like the cloud and Zero Trust Architecture. If you can make training paramount while keeping compliance and best practices in mind, you will create a successful culture for your modern technology journey. Consultants or external resources are often used since they likely complete modernizations more frequently than your internal teams may, making them more aware of new techniques and potential pain points.
I am in the process of building a cybersecurity architecture program and practice. We are in year 3 and the emphasis is on shifting to zero-trust principles and repeatable processes. I'd love to network or collaborate with anyone else here who is in a similar role.