Surveys Security and Spaghetti

Mark Wilson reflects on the findings of a recent mainframe survey, explaining why security should be the number one priority, and why we need to start talking about complexity and observability.

I read with interest the highlights of the Arcati Mainframe survey 2024, as published in Planet Mainframe. Describing itself as “one of the few [surveys] out there (perhaps the only one?) that is vendor-neutral”, it’s been running annually since 2005. So what did I learn?

I wasn’t surprised to read that analytics is a growing activity, with 90% of mainframe shops using it. Most are using analytics to identify application resource consumption, among other areas, and a smaller number to identify ongoing application costs. I’d expect the use of analytics to grow further, and diversify. Cloud usage is increasing, with mainframe users “predominantly hiring cloud talent”, and 70% of participants saying their companies were leveraging cloud services in some way.

Similarly, I didn’t find it surprising that the mainframe is still the preferred home for enterprise data, nor that 64% of companies rely on the mainframe for their business revenue in one form or another. In fact, 19% of respondents reported a greater than 75% reliance on the mainframe for their business revenue. This is of course because—as the Arcati survey puts it—the mainframe is “high-security, high-reliability, high-performance, and highly cost-effective.”

Despite the potential business benefits of AI, especially in the financial services space, the survey reported that only 25% of respondents had started to deploy or had deployed an AI solution. I’d expect this to increase significantly in the months and years ahead, and it was encouraging to see that 39% reported AI/machine learning was already a subject of discussion.

The big surprise, for me, was that ‘security’ only came second in the list of top IT priorities, behind ‘systems or applications modernization’. Hmm. In my view, any modernization project needs to be based on a proper secure footing—security should therefore form part of the discussions from day one. Okay, cards on the table: I think security needs to be top of the list of priorities, front and centre in any infrastructure or application design. If your systems aren’t secure and well protected, everything else is put at risk. What’s the point of investing in modernization if you’re leaving yourself open to attack, and all the dangers that poses, in terms of your ongoing operations, financial impacts, and reputational damage? I’ve been writing for years about a certain sense of complacency in some corners of the mainframe world when it comes to security. Unfortunately, that seems to persist, and on a bigger scale than I’d anticipated. I cannot think of one instance when myself or my team have performed a security assessment or a penetration test for a client and not found some kind of failing in their security posture, or identified vulnerabilities and potential back doors.

In summary, I wasn’t surprised at many of the main findings—I think they resonate well with a great deal of what we’re seeing with our clients. The big users are getting bigger, and the small-to-medium-sized users have a choice; some of them are choosing not to be on the mainframe, and that may be the right decision for their business. Not all applications need the power and capabilities that a mainframe delivers: it’s about the right server platform for the application.

I think something that’s missing from this and other surveys is a discussion around complexity and observability. Many mainframe deployments now sit at the centre of a complex web of applications and services; the mainframe today is very much a hub for digital transformation, with more spokes than you can shake a stick at. Some vendors are deploying tools for AIOps—using artificial intelligence to automate and optimize IT operations and service management—and machine learning. But they’re mainframe-focused, in many cases building on previous monitoring solutions. So what happens in this more complex world if you run into application/service issues? Where do you look? How do you connect the dots? Observability is key, and that means far more than the mainframe alone. Many applications today have components running on different software and servers, some may not even be in your datacentre; think hybrid and throw in a public cloud or two. How do we start to resolve these issues? 

It’s challenging, to be sure. But from a mainframe perspective, being able to clearly state that “it wasn’t me” and “we’re alright, Jack” is a reasonable starting position if you’re the mainframe platform manager. But what does the IT Director or CTO do, when he or she has purview over the entire IT estate? I remember, many years ago, seeing a network diagram pinned to the wall at a client’s site, and it looked like a plate of spaghetti. Many of today’s applications, with their various APIs and Connectors, make that network diagram look simple by comparison. I’m from the Midlands in the UK, and you may remember the famous tangle of motorways, slip roads and side roads in Birmingham known as “spaghetti junction”—well, multiply that a thousand times. Perhaps, in next year’s surveys, we can start having those conversations around complexity, observability, and security—so we can ensure we have the proper understanding and controls that we need.

A global thought leader and international speaker in mainframe security and technology, and passionate advocate of all things Z, Mark Wilson is Vertali’s Technical Director. He has more than 40 years ’experience across numerous industries and diverse mainframe environments. Mark is also Region Manager for Guide Share Europe (GSE) UK. For more information email:

Mark has been awarded IBM Champion status for the last four years.

Leave a Reply

Your email address will not be published. Required fields are marked *