Skip to content

A legacy system can't be patched, and the business won't fund replacement this year. What's the CISO's correct action?

Short answer

When you can't remediate, you manage the risk: reduce exposure with compensating controls (network segmentation, tightened access, enhanced monitoring), quantify the residual risk, and have the accountable business owner formally accept it with a defined review date. Unilateral shutdown oversteps the CISO's authority and harms the business. Ignoring it because it can't be fixed is negligence. Omitting it from the risk register hides accountability, breaks audit trails, and means no one is on record owning the decision.

Every organization has systems that can't be patched — end-of-life software, vendor-frozen appliances, fragile production dependencies. The scenario tests whether a CISO knows that "can't fix" does not mean "can't manage," and that risk decisions belong to the business, documented and owned.

Why compensating controls plus formal acceptance is correct

When remediation is off the table, you fall back to risk treatment. First, reduce likelihood and impact with compensating controls: isolate the system on a segmented network, restrict who and what can reach it, add stricter monitoring and alerting, and limit its privileges. Then quantify the residual risk that remains after those controls. Finally, present it to the accountable business owner — the person who controls the budget and the business value — and have them formally accept the residual risk in writing, with a review date so the decision is revisited rather than forgotten. This keeps the decision where it belongs and creates an audit trail.

Why the distractors fail

  • Unilaterally shut it down. The CISO advises on and manages risk; they don't get to unilaterally halt a revenue system. That oversteps governance and can cause more harm than the vulnerability.
  • Ignore it. "It can't be fixed anyway" is negligence. Unmanaged known risk is exactly what regulators and post-incident reviews hammer.
  • Keep it off the risk register. Hiding the risk to avoid alarm is the worst option: it removes accountability, breaks the audit trail, and means no compensating controls or acceptance ever get assigned. When it's exploited, there's no record that anyone owned the decision.

What the interviewer is probing

They want the risk-acceptance reflex: document, mitigate what you can, and push the accept/defer decision to the business owner with a review cadence — not a hero move (shutdown) and not avoidance (ignore/hide). The mature CISO makes risk visible and owned, even when it can't be eliminated.

Likely follow-ups

  • What compensating controls would you prioritize for an internet-exposed unpatchable system versus an internal one?
  • Who in the organization is the right person to formally accept this residual risk, and why not the CISO?
  • What would you put in the review-date trigger so this acceptance doesn't silently become permanent?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.