While at GSE UK, Amanda Hendley, Managing Editor of Planet Mainframe, interviews Phil Buckellew, President of Infrastructure Modernization at Rocket Software, and discusses the importance of mainframe security, emphasizing that while the mainframe is inherently securable, organizations still need to invest in security measures because of modernization and increasing regulatory requirements.
Phil shares insights from a recent survey on mainframe security, highlighting that 27% of respondents cited inadequate funding for mainframe security, despite its critical role in organizations. He also discusses the impact of regulations like DORA in the European Union, which are driving organizations to enhance their security measures.
The transcript delves into best practices for mainframe security, including vulnerability scanning, employee training, and integrating security into DevOps processes. Phil also emphasizes the increasing use of open source in mainframe environments and the need for vendors to support quick patches for vulnerabilities in open-source packages.
In conclusion, Phil underscores the importance of staying ahead of evolving security and compliance requirements, especially as organizations embrace modernization and open source in mainframe environments. The conversation sheds light on the challenges and opportunities in ensuring the continued reputation of the mainframe as the most secure platform in IT.
[00:00:00] — Intro
Welcome to the Planet Mainframe podcast, your gateway to the forefront of technology in the digital age. Join us as we dive deep into the heart of tech innovation, where industry experts and thought leaders gather to explore the ever-evolving world of mainframes and beyond. In each episode, we’ll unravel the complexities of the digital realm, dissecting the technology that shapes our lives. From the giants of mainframe computing to the latest breakthroughs in AI, cybersecurity, and more, we’re here to guide you through it all. Our mission is clear: to bring you the brightest minds, the boldest ideas, and the most captivating stories from the dynamic world of tech. Whether you’re a tech veteran or simply tech curious, get ready to embark on this enriching journey with us. So fasten your seatbelts for a world of knowledge, innovation, and inspiration. Welcome to the Planet Mainframe podcast.
[00:00:50] — Amanda Hendley
Welcome to the Planet Mainframe podcast. My name is Amanda Hendley, and I’m the Managing Editor of Planet Mainframe. Joining me today for the podcast is Phil Buckellew. Phil is President of the Infrastructure Modernization Business Unit at Rocket. He joined Rocket in 2022, bringing with him an extensive history of driving product strategies and delivering value across varied platforms. As president, he oversees worldwide development, product management, and solutions development for the Infrastructure Modernization Business Unit. Phil, welcome.
[00:01:22] — Phil Buckellew
Thank you. Great to be here.
[00:01:24] — Amanda Hendley
Phil, to get us started, can you tell me a little bit more about yourself and what you do at Rocket?
[00:01:29] — Phil Buckellew
Sure, Amanda. So I joined Rocket almost two years ago, and that was after having spent a couple of decades at IBM. I’ve worked in many parts of the IT industry. The most recent stint at IBM was leading a lot of their public cloud efforts. So it’s really given me a broad perspective across lots of different sides of the IT industry. And I’m so excited to be working now with the mainframe as it’s really at the heart and the foundation of a lot of what we do in IT.
[00:01:59] — Amanda Hendley
So we’re here at GSE UK this week, and I know one of the things that Rocket is here talking about is the recently released survey focused on security. Can you tell me a little bit about what motivated you?
[00:02:15] — Phil Buckellew
Sure. So we’ve done a lot of other general research to try to better understand what’s important and what’s relevant to folks that work in and around the mainframe. And security again bubbled to the top of the list. It’s one of the most important reasons why people use the mainframe, but it’s also the thing that keeps folks up at night. And so we decided to dig a little deeper. We did a survey of around 250 IT leaders and vice presidents in IT across primarily North America and Europe to just try to better understand some of their feelings about the space.
[00:02:51] — Amanda Hendley
What size of companies did you hear from?
[00:02:54] — Phil Buckellew
It was typically companies with at least 1000 people or more. Most companies that run mainframes are at least that size or considerably bigger.
[00:03:03] — Amanda Hendley
And were there any surprising outcomes?
[00:03:07] — Phil Buckellew
I think the most surprising thing for me was that we had 27% of the respondents respond that they know mainframe security is important, but they really don’t have enough funding. Now, that’s not surprising in terms of what IT teams would respond about most things, but typically, security and compliance are the areas that are most important to organizations. So to see that they’re really constrained in those environments too, that piece was a little surprising, especially in light of the fact that over 71% of the Fortune 500 companies rely on the mainframe, and that’s keeping the planes in the air, keeping the trains running, and keeping the financial transactions of the world flowing. So it’s not like it’s not critical stuff. This is the mission-critical work that happens on the mainframe.
[00:04:00] — Amanda Hendley
Absolutely. And a lot of those organizations fall under heavy regulation. So you would expect there to be more availability of budget.
[00:04:12] — Phil Buckellew
Absolutely. And I think that’s actually increasing recently. In the European Union, they recently passed a new set of laws called DORA, some of which have been passed but go into effect in January of 2025, that require organizations, particularly financial institutions, to do a lot more than they have and to be much more upfront and public about what breaches happen when they happen and to have more formal plans around them. And that’s really having impacts on companies around the world that do business in Europe, because it’s guiding them to really increase or improve the level of security that they have in their organizations. And that’s on top of countless other regulations like PCI and others that continue to update their versions and require more and more security and compliance work from the companies that they regulate.
[00:05:08] — Amanda Hendley
And I know a lot of these organizations in the banking sector or travel industry, they’re invested in their mainframes for a lot of reasons, and one of which is you always hear that mainframe is so inherently secure. So tell me why you think companies are struggling to maintain security and why they need to invest in security even though they’re on the mainframe.
[00:05:33] — Phil Buckellew
Well, I think I would agree that the mainframe is absolutely the most securable platform for IT that there is on the planet. Everything from the full box encryption to a lot of other change management and other techniques that have been refined and honed for decades. At the same time, just because it is the most securable, that doesn’t mean it’s always secure. And you need to consistently make sure that everything is configured correctly. And there are a lot of other steps like regular scanning, penetration testing, and others that haven’t always been done on the mainframe because it’s been perceived to have that level of security. It was always on the raised floor or in the glass house. And some of its perceived isolation has led to the perception that it’s secure. Well, now, increasingly, as organizations modernize and open up the mainframe through APIs and other techniques, the kinds of things that have always been done on distributed platforms now increasingly have to be done on the mainframe as well, right?
[00:06:42] — Amanda Hendley
That’s true that we’re continuing to open up the mainframe. It is no longer this isolated system. It’s got to be out there.
[00:06:51] — Phil Buckellew
Indeed, indeed. And that happens in a lot of different ways. Obviously, there’s APIs, there’s a lot of hybrid cloud modernization that’s happening. Companies increasingly want to modernize their mainframes by using DevSecOps type approaches, and all of those lead to various security challenges for our clients.
[00:07:13] — Amanda Hendley
So tell me, did the research reveal any trends that you’re seeing in the industry?
[00:07:18] — Phil Buckellew
I think broadly what we’ve seen is that modernization is happening in these environments that sometimes haven’t had a ton of change over the years, but that modernization comes in a lot of different forms. Data is often shared from the mainframe to other environments. There are modernizations in approach for building applications, moving from maybe traditional waterfall-type development processes to things that are much more agile and cloud native in their appearance. And that causes organizations to need to use a lot of new tools and techniques in order to be able to pull off that kind of opening of the mainframe, but it again also leads to various security challenges as well.
[00:08:03] — Amanda Hendley
So in your professional opinion, what are some of the best practices that you can share with our listeners?
[00:08:10] — Phil Buckellew
Sure. I think like a lot of other platforms, you need to continue to do things like scanning for vulnerabilities. We’ve found that 62% of IT leaders conduct vulnerability assessments and do security audits using tools like Rocket Software’s z/Assure VAP, which is a product that we’ve put into the market recently to help address some of the gaps. Tools like that can help identify and help report vulnerabilities so that organizations can find them quickly. So scanning is something that’s really important. And we’ve seen a lot of organizations continue to adopt that. Obviously, training is really important because the human element and employees are often the weakest link in any type of security approach. We see that around 62% of organizations consistently offer training to increase security awareness of their teams, but only about 31% do it more frequently than once every year or two years. And the fact is that the security threats are happening much more quickly than that, and the security threat environment continues to evolve. And so we would encourage companies to do training much more frequently with their employee base. The other thing we’re seeing is that as companies implement approaches like DevOps, it’s important to have security be a part of that process.
So go from DevOps to DevSecOps, and around 44%, I think, of the folks that we surveyed are doing that. We found another chunk of people that are doing encryption of all their data. That can be easier with the mainframe if you use some of the latest and greatest technologies, but having an integrated approach to all of those steps, from watching all the configurations, making sure you’ve got the encryption of data at rest and in movement, making sure you’re continuing to train all of your employee bases, and then doing those scans for vulnerabilities on a regular basis, and additionally pen testing at least once a year as required by DORA and some of the other emerging standards, those are really the crux of the best practices that are needed.
[00:10:38] — Amanda Hendley
So I know that the results of the research are online and available. Tell me what’s next.
[00:10:45] — Phil Buckellew
Well, I think the other thing that we’re seeing that’s really important is that as companies have had to try and modernize, they’ve started to incorporate more open source into the use of the mainframe. As I mentioned, with DevSecOps, being able to have those CI/CD pipelines that can help you build and deploy a lot faster, you need to include security in that process. And so as companies start to embrace that approach, they find themselves using more and more open source. And that’s something that we’ve recognized. Now, the open source community in general is very good about fixing vulnerabilities. At the same time, they’re not always good or quick at porting them to z/OS or wherever things run on the mainframe. And so that’s something that we encourage all of our clients to do: make sure you’re backed up by vendors that can support all of those packages that are the glue code of all the different parts of the DevSecOps strategy. And so as we look forward, I think we’re going to continue to see the bar rising in terms of the types of regulations and requirements around compliance and security that are needed in the environment. We’re going to see companies continue to embrace things like open source backed up by vendors that can help them address the patches quickly, and continuing to do more scanning in their environment.
Those are the trends that I think will allow us to continue the reputation of having the mainframe as the most secure platform in IT, and it’s something that I’m really excited about.
[00:12:25] — Amanda Hendley
Well, this all sounds great. I appreciate you taking the time to share it with me and our listeners at Planet Mainframe. So Phil, thank you for joining us.
[00:12:33] — Phil Buckellew
Great, thanks Amanda. Great to be here.