Don't Tell the CFO

The general view that mainframers have of senior financial staff in an organization is that they are people who want to stop anything new happening. They are the people who want mainframers – who are happiest when keeping their mainframe working optimally and keeping the organization in business – to write reports clarifying exactly why the organization should spend such large amounts of money. It’s often felt that the CFO just doesn’t get what it is the mainframe does for the business.

And that can be true of lots of people outside IT – and even some ITers who have no mainframe experience. They say things like, “The mainframe is old” or “The mainframe doesn’t scale” or “the mainframe is very expensive”. Let’s unpick some of those comments.

To begin with, mainframes aren’t old, they were simply first invented in the 1960s. It’s like saying every commercial jet plane is old because the first ones flew in the 1950s. It assumes that there have been no technology enhancements since the first ones rolled off the production lines. It ignores the fact that the latest mainframe models offer the most secure computing platform on the planet in terms of pervasive encryption and data privacy passports, and much else.

Or, they say that mainframes don’t scale, citing how busy social media sites can be in comparison to those sluggish old mainframes. There are said to be 7812 tweets per minute, or 15,650 Facebook posts, or 63386 Google searches, or 71,381 YouTube views. How does that old mainframe compare to that?!?! The simple answer is that IMS can do 3 million transactions in the same length of time. That’s impressive scalability.

Way back in the 1990s, a company called Xephon published an examination of the relative costs of different servers. And it found that the mainframe was the cheapest. Similar research has been carried out by other companies since. On paper, it might look like the mainframe is expensive, but you only need one of them and associated hardware. It would take numerous other platforms to run the same workload, and far more people to look after those platforms. In so many ways, the mainframe is cheaper overall.

But that’s not what we’re avoiding telling the Chief Financial Officer. We’re not telling the CFO about credit card payments. You see, there’s this thing called the Payment Card Industry Data Security Standard (PCI DSS), which is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. There are lots of regulations that companies have to comply with in order to be PCI-compliant. And what we’re not telling the CFO is that our mainframe is not PCI-compliant!

In particular, mainframes are not compliant with PCI DSS Requirement 11.5 (Change Detection Mechanisms). This says: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

The chances are that non-mainframe platforms are compliant and are using file integrity monitoring products such as Tripwire. But hardly any mainframe sites have that kind of software. So, if your company is handling credit card payments on the mainframe, they are not compliant without file integrity monitoring software. And the CFO doesn’t know because he has been signing documents each year to say that your company is complying with PCI regulations.

So, what can you do if someone does tell the CFO? How can you calm him down when he comes storming into the office of the Head of IT? The answer is simple. A quick Google search will find providers of mainframe file integrity monitoring software. You simply need to choose the one that not only ensures you’re compliant, but also gets you the information you need about unauthorized modifications as quickly and easily as possible – so, you can investigate things further and identify who has been making unauthorized changes and when they did it. And the software must let you restore back to the last correct version of the files. That all seems perfectly simply.

But if you don’t want to have that kind of facility – and to be honest it would be really useful to be able to identify any unauthorized changes to other mainframe files as well; and to identify any changes to mainframe backups that have been taken, just in case a breach has occurred – then it’s probably best not to tell the CFO (and the auditors) that your mainframe isn’t PCI-compliant.

Regular Planet Mainframe Blog Contributor
A popular speaker, blogger, and writer, Trevor is CEO of iTech-Ed Ltd. He has an extensive 40-year background in mainframes and IT, and has been recognized as an IBM Champion from 2009–2024 for his leadership and contributions to the Information Management community.

Leave a Reply

Your email address will not be published. Required fields are marked *