TeknaByte Consulting
// vCISO

Your 2020 IT Refresh Is Now a Security Liability

Your 2020 IT Refresh Is Now a Security Liability
July 10, 2026 / 5 min read / Brad Boelke

If your business used COVID-era stimulus funds to buy new switches, firewalls, or workstations back in 2020, that equipment is now pushing six years old. For many small businesses, that refresh was the first significant infrastructure investment in years, and it felt like getting ahead. The problem is that hardware and software have lifecycles, and a lot of that 2020-era gear is either already past its vendor end-of-life date or will be within the next 12 to 18 months. Running end-of-life infrastructure is not just an operational inconvenience. It is a security exposure that a vCISO should be flagging in your risk register right now.

Why Age Matters More Than You Think

Vendors publish end-of-life (EOL) and end-of-support (EOS) dates for a reason. Once a device or operating system crosses that line, the vendor stops releasing security patches. Vulnerabilities discovered after that date go unaddressed, permanently. Attackers know EOL schedules. They actively target devices that vendors have stopped patching because those devices will never be fixed.

A firewall running firmware that no longer receives updates is not a firewall doing its job. It is a perimeter device with known, public vulnerabilities and no remediation path. The same logic applies to unmanaged switches with outdated firmware and workstations still running operating systems that have aged out of mainstream support.

What a vCISO Should Be Doing With This Information

A virtual CISO’s job is not to wait for something to break. It is to look at your environment, identify where risk is accumulating, and give you a prioritized, budgeted plan to address it before it becomes an incident.

For hardware lifecycle specifically, that means:

  • Building an asset inventory with EOL dates attached. If you do not know what you own and when each device ages out, you cannot plan for it. A vCISO should be maintaining or auditing this inventory on your behalf.
  • Mapping EOL risk to your actual threat surface. A six-year-old workstation used by an accountant who handles wire transfers is a different risk than an old conference room display. Not every aging device carries the same weight.
  • Translating risk into budget language. This is where vCISO work connects directly to your planning cycle. You need to know, before your fiscal year starts, which devices need to be replaced and roughly what that costs, so you are not making reactive purchases after a failure or an audit finding.
  • Flagging compliance implications. If your organization handles Controlled Unclassified Information (CUI) and is working toward CMMC Level 2, running unpatched, end-of-life devices creates direct conflicts with NIST SP 800-171 requirements around system and communications protection and configuration management. An assessor will ask about it.

The Compounding Problem: Software Follows Hardware

Hardware EOL does not arrive alone. The software running on that hardware ages in parallel. Windows 10 reaches end of support in October 2025. If your 2020 workstations shipped with Windows 10 and have not been evaluated for Windows 11 compatibility, you may be looking at both an OS upgrade and a hardware replacement at the same time, because older machines often cannot meet Windows 11’s hardware requirements.

That is a budget hit that compounds quickly if you have not planned for it. A vCISO who is paying attention to your environment should have already raised this with you.

How to Think About the Replacement Cycle Going Forward

The stimulus-funded refresh of 2020 was a one-time event. Most small businesses do not have a structured hardware replacement cycle, which is exactly why so many organizations end up running equipment well past its useful life. A vCISO can help you build a sustainable model so you are not caught flat-footed again.

A practical framework:

  • Firewalls and network security appliances: Plan for replacement or subscription-based refresh on a three-to-five year cycle, depending on vendor support terms. Many next-generation firewall vendors now offer subscription models that include hardware refresh, which smooths out the capital expense.
  • Workstations and laptops: A four-to-five year replacement cycle is a reasonable baseline for most small businesses. Devices used for sensitive work (finance, HR, anything touching regulated data) should be on the shorter end.
  • Managed switches and access points: These often last longer than workstations, but firmware support windows still end. Know your vendor’s support timeline and budget accordingly.

The goal is to move from reactive replacement (something fails or gets flagged in an audit) to planned replacement (you already have budget allocated and a vendor quote in hand).

This Is a Planning Conversation, Not a Panic

None of this requires an emergency response today. What it requires is an honest assessment of where your infrastructure stands, which devices are approaching or past their support windows, and what the remediation timeline and cost look like. That is exactly the kind of structured risk and budget planning a vCISO provides.

If you have not had that conversation yet, the right time is before your next budget cycle, not after your firewall stops receiving patches or an auditor asks why your workstations are running an unsupported OS.

Share
Brad Boelke Business Development Manageer

Want this applied to your environment?

Start with a free assessment - we'll map what you just read to where you actually stand.