Mainframes remain the backbone of enterprise IT—but as cyber threats evolve, so must the defenses. In this podcast, Ken Chism, Head of Worldwide Cybersecurity Sales at BMC Software, shares an inside look at the changing landscape of mainframe security.
Ken discusses how internal politics and limited awareness often leave mainframes underprotected, even as the stakes rise. He explains why insider threats now pose the greatest risk—and how machine learning and behavioral analytics are transforming how organizations detect and stop unusual activity before it becomes a crisis.
You’ll also hear about new global security mandates, the rise of ransomware targeting critical systems, and the organizational shift needed to keep mainframes resilient in 2025 and beyond.
The Hidden Cybersecurity Battle Inside the Mainframe
1. What do you see as the biggest challenges in cybersecurity for the mainframe today?
It’s an interesting question. A lot of mainframe teams want to be more proactive about cybersecurity, but internal politics and funding issues often hold them back. Security teams in many organizations don’t know much about mainframes, so they tend to overlook them. The problem is, if something happens to your mainframe, your company probably stops—so the risk is significant.
2. Where do the main threats to the mainframe actually come from? They seem quite different from other systems.
That’s right—they are. Most organizations have done a great job securing their perimeter defenses, so it’s difficult, though not impossible, to get onto a mainframe from the outside. The real issue is insider threats. Almost all successful mainframe attacks have come from internal users—people who already had access. There have been cases of insiders stealing millions of dollars, leaking information, or stealing encryption keys. In all those cases, the individuals ended up in jail.
3. So it’s not just negligence—it sounds like there’s a lot of outright theft involved.
Exactly. And there’s an even more concerning trend happening right now. Last year, the Department of Justice raided a woman’s home here in Arizona that was hosting servers. Those servers were being used by North Korean operatives posing as U.S. contractors to infiltrate major companies. Then, just this past June, the DOJ found 19 more homes hosting similar servers. It’s a serious, ongoing issue.
4. Given those threats, what can companies do—and what is BMC doing differently—to protect mainframes?
Traditionally, once someone was on the mainframe, the assumption was that they were authorized and safe. But that’s not always true anymore. Threat actors—whether insiders or disguised contractors—behave differently than normal users. They snoop around, look for vulnerabilities, and act outside their usual patterns.
At BMC, we use machine learning and behavior analytics to detect those anomalies early. With mainframes that can have tens of thousands of users, you can’t rely on humans to spot unusual behavior. Machine learning helps identify when someone’s activity deviates from their normal profile—so you can stop a threat before it escalates.
5. Is behavior analytics something any mainframe organization could implement?
Yes, absolutely. Behavioral analytics are common in distributed systems, but not so much on the mainframe. As far as I know, BMC is the only company that has built machine learning–based behavioral analytics directly into mainframe security monitoring as part of our standard offering.
6. As more countries strengthen their security protocols, what global differences are you seeing in how organizations protect their mainframes?
Regulations vary by region. In Europe, the DORA framework requires financial institutions to prove they can withstand and recover from ransomware attacks. In Eastern Europe, Russia’s invasion of Ukraine triggered a surge in cybersecurity efforts to defend against potential Russian threats. In the United States, especially in New York’s financial sector, compliance guidelines now focus on ensuring mainframes are both protected and recoverable. A key part of that is maintaining an immutable backup—a secure copy that can’t be altered—so systems can be restored even if compromised.
7. Why is ransomware such a unique challenge compared to other threats?
Unlike natural disasters or system outages, ransomware can simultaneously affect both primary and secondary systems. Traditional failover strategies don’t work, so companies need a completely new approach focused on isolation, detection, and recovery.
8. Final thoughts?
One of the biggest challenges isn’t technical—it’s organizational. Many CSOs aren’t familiar with mainframe environments, so part of our mission is to raise awareness about how vital mainframes are and why protecting them must be a top priority.
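To make the behavioral-analytics idea from questions 4 and 5 concrete, here is an added example of a per-user baseline-and-deviation check. It is illustrative code written for this page, not BMC's product or any real mainframe tooling. The feature names (datasets_read, off_hours_logons, failed_accesses), the user IDs, and the daily counts are all constructed; in practice such counts would be summarized from audit records such as SMF or security-manager logs.

```python
# Added example (not BMC's code): a minimal per-user behavioral baseline over
# constructed daily activity counts, flagging users whose "today" deviates
# from their own history or who have no history to compare against.
import math
from collections import defaultdict
from statistics import mean, pstdev

# Feature names are assumptions for this example.
FEATURES = ("datasets_read", "off_hours_logons", "failed_accesses")

# Constructed baseline: one tuple per user per day,
# (user, datasets_read, off_hours_logons, failed_accesses).
BASELINE = [
    *[("PAYROLL1", n, 0, f) for n, f in zip(
        [20, 22, 21, 23, 20, 22, 21, 23, 20, 22],
        [0, 0, 1, 0, 0, 0, 0, 0, 1, 0])],
    *[("OPS02", n, o, f) for n, o, f in zip(
        [5, 6, 5, 7, 6, 5, 6, 7, 5, 6],
        [1, 0, 1, 0, 1, 0, 1, 0, 1, 0],
        [0, 0, 1, 0, 0, 0, 1, 0, 0, 0])],
]

# Constructed "today" observations to score against the baseline.
TODAY = [
    ("PAYROLL1", 180, 3, 12),  # large jump in reads, off-hours logons, many failures
    ("OPS02", 6, 1, 0),        # consistent with this user's own history
    ("NEWID9", 40, 0, 0),      # user with no history at all
]


def build_profiles(records):
    """Per-user mean and population stdev of each feature over the baseline window."""
    per_user = defaultdict(lambda: defaultdict(list))
    for user, *values in records:
        for name, value in zip(FEATURES, values):
            per_user[user][name].append(value)
    return {
        user: {name: (mean(vals), pstdev(vals)) for name, vals in feats.items()}
        for user, feats in per_user.items()
    }


def zscore(value, mu, sigma):
    """Standard score; a zero-variance feature makes any change unbounded."""
    if sigma == 0:
        return 0.0 if value == mu else math.inf
    return (value - mu) / sigma


def score_record(profiles, record, threshold=3.0):
    """Return (user, reason, per-feature z-scores) for one observation."""
    user, *values = record
    profile = profiles.get(user)
    if profile is None:
        # An identity with no baseline cannot be judged "normal"; surface it for review.
        return user, "no_baseline", {}
    scores = {name: zscore(v, *profile[name]) for name, v in zip(FEATURES, values)}
    outliers = [name for name, z in scores.items() if abs(z) >= threshold]
    reason = "deviates:" + ",".join(outliers) if outliers else "normal"
    return user, reason, scores


def flag_anomalies(profiles, records, threshold=3.0):
    """Map user -> reason for every record that is not within its own baseline."""
    flagged = {}
    for rec in records:
        user, reason, _ = score_record(profiles, rec, threshold)
        if reason != "normal":
            flagged[user] = reason
    return flagged


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for user, reason in flag_anomalies(profiles, TODAY).items():
        print(f"{user}: {reason}")
```

The point of comparing each user against their own profile rather than a global average is the one Ken makes: with tens of thousands of users, a count that is ordinary for an operations ID is a red flag for a payroll ID, and only a per-identity baseline captures that. A production system would add more features and a less brittle scoring model, but the shape of the check is the same.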