Three questions every CISO needs to ask about the mainframe

The mainframe is mission essential to your business… and it isn’t immune.

The Chief Information Security Officer (CISO) probably hasn’t worried too much about the security of the mainframe, especially when it’s assumed to be inherently secure.

But now the application economy is shifting the battleground in which businesses compete with mobile applications increasingly becoming the face of your business. More importantly to note is over 55 percent of these enterprise applications touch the mainframe.

This new digital landscape shifts the mainframe into the enterprise security discussion, but the CISO has likely had limited exposure to the platform.

When they’re checking off all of the boxes to safeguard the corporation, are they really able to account for the 70 percent of corporate data that resides on the mainframe? Do they know where on the mainframe that data is, how it’s being used, who has access to it and if they are compliant with industry legislation and regulations?

Our conversations with CISOs demonstrate a heightened respect and regard for the digital landscape shift and an increasing worry that they may not be doing enough to protect the “crown jewels” of their business. Times have changed and so too have the questions and answers on how to get ahead of potential data threats and mitigate risk.

For CISOs to truly secure the mission essentials of the enterprise, they need to be asking:

How can we ensure controls are in place for insider threats?

Data disclosure of any kind can cause significant financial ramifications and reputational damage to the business, and its main cause consistently remains insufficient or loose access controls for privileged users. Yet, many mainframes are only secured by a standard user ID and password limited to eight characters.

This single layer of defense used to be sufficient, but it’s simply no longer enough at keeping threats out when cyber-attacks and attempts are a daily occurrence. And that’s just the external threat.

It is widely estimated that 59 percent of employees steal confidential company information when they quit or are fired, leaving the enterprise with the conundrum of protecting information assets yet enabling employees to do their jobs and applications to run.

When internal and external security threats exist, there’s no choice but to adopt multi-factor authentication to add the additional layer of security the application economy demands.

The Advanced Authentication Mainframe feature recently added to CA ACF2 and CA Top Secret facilitates compliant two-factor authentication for privileged or all users on the mainframe. The feature supports both hard and soft tokens so applications have greater assurance that its users are who they say they are to strictly control access to critical business resources.

Are we ready for an audit?

Auditors need to understand exactly what resources and assets are accessible and to whom, what their sensitivity level is and the data’s full history.

Whether it’s PCI/DSS, PII, FISMA, SOX or any of the myriad of legislations in place to protect information, failure of an organization to adhere to these regulations results in costly fines, wasted time, the death of careers and an impact to the bottom line.

Mainframe security teams need to communicate their audit and compliance posture to the CISO at any given time so they are quickly able to act before adverse security events occur. Couple this with the fact that approximately 2.5 billion customer transactions take place on the mainframe per day and it’s clear to see how security teams might be challenged to keep up.

Tools like CA Data Content Discovery make it easy to prepare for an audit. The solution finds sensitive and regulated data on z Systems, classifies the data based on sensitivity level, and provides users with the option to archive or delete the data to prevent its misuse or duplication elsewhere.

CA Data Content Discovery scans the data infrastructure on the mainframe, so the right business decisions can be made to mitigate the risks associated with data retention.

What are we doing to make sure we are not the next significant data breach and are we doing enough to be proactive instead of reactive?

The average cost of a data breach is $4 million and growing. We’ve all heard of the famous data breach incidents that wreaked serious financial and reputational impact on some of the world’s top performing companies.

Well-known mainframe hacks at Fiducia and Logica have shown that weak passwords created by privileged users with elevated access opened the door to nefarious intent and results.

To mitigate the risk of a data breach, organizations must think and act upon mainframe security holistically. It’s essential the CISO sees that their security teams can:

  • Control who has insights into mainframe data, when they are resourcing assets, and how they have access.
  • Find mission essential data to quickly gain critical insights about the potential and magnitude of data exposure.
  • Classify data to prove that controls are checked by types to satisfy compliance regulations.
  • Protect critical resources by eliminating the risky offloading of mainframe data.
  • Audit and demonstrate compliance posture at all times while reducing the cost.


It all adds up: the intersection of the CISO and the mainframe + the ability for mainframe security teams to answer the above questions = an enhanced, proactive enterprise security strategy across the platforms that power the application economy.

Learn how we’re enabling customers to secure their mission essential data every month at our Mainframe Security No-Fail Fridays.

Marie is in her 19th year at CA Technologies and has over 25 years of…


Modern Software Factory Hub

Your source for the tips, tools and insights to power your digital transformation.
Read more >
Low-Code Development: The Latest Killer Tool in the Agile Toolkit?What Are “Irresistible” APIs and Why Does Akamai's Kirsten Hunter Love Them?Persado's Assaf Baciu Is Engineering AI to Understand How You Feel