Mainframe security is top priority for 85% of IT pros yet few are adequately protecting their systems

While 85 percent of companies say mainframe security is a top priority, just 33 percent always or often make mainframe decisions based on security.

mainframe security decisions

The “Don’t Let Mainframe Security Complacency Leave Your Critical Customer Data At Risk” study commissioned by Key Resources and conducted by Forrester Consulting, surveyed 225 IT management and security decision makers at North American companies with $500 million or more in annual revenue.

“Despite widespread awareness concerning the stakes, enterprises simply aren’t devoting enough attention and resources to mainframe security,” said Ray Overby, president and co-founder of Key Resources Inc.

“All it takes is one mainframe data breach to bring an organization to its knees. But, many organizations lack the tools, personnel, and in some cases, knowledge, they need to protect their mainframes and all the mission-critical data they hold.”

Complacency in the face of massive business risk

Many organizations are actively working to secure their cloud infrastructure, but are they taking the appropriate steps to ensure the security of cloud-facing mainframes?

Companies know that mainframe security is important, but they’re not taking actions that reflect their priorities.

Even though 95 percent of respondents say they’re concerned about the potential of customer data breaches on the mainframe, 67 percent admit that only sometimes or rarely are they factoring security into mainframe decisions. This complacency puts their most critical IT systems at significant risk.

Addressing the problem means prioritizing scanning mainframe operating systems for zero-day vulnerabilities, which are a significant attack vector in data breaches.

Yet, vulnerability scanning ranked last when respondents were asked to prioritize which factors are most important when managing mainframe security.

Misconceptions about how to secure the mainframe

Respondents’ top mainframe priorities are data breach prevention, compliance, risk management, IT cost reduction/optimization and application availability.

But despite this desire for data breach prevention, scanning for OS vulnerabilities is consistently ranked as a low priority.

There’s a fundamental misunderstanding among IT managers and security professionals about what it takes to secure the mainframe. Scanning for OS vulnerabilities is one of the most effective ways to prevent a breach.

IT managers do know, however, that they need help with their mainframe security. And while they find it easy to find the right mainframe security tools (65 percent), they overwhelmingly struggle to find the right personnel.

The majority of respondents are either bringing in third-party mainframe security technology (96 percent) or outside resources to review security and compliance (95 percent). And, nearly three-quarters expect to experience a reduced risk of data breaches as a result of using mainframe security tools.

mainframe security decisions

Protection against zero-day attacks

  • Eighty-six percent of IT management and security decision makers say that protecting systems from zero-day attacks is their biggest mainframe security challenge.
  • Additionally, 66 percent struggle to quickly identify vulnerabilities, while 63 percent struggle to ensure the integrity of vendor software.

They expect that using automated mainframe security tools will help them reduce the risk of breaches (73 percent) and decrease vulnerabilities (63 percent).

Yet, the study shows that they view tasks like application scanning, penetration testing and gathering resources to secure the environment as critical or high priorities, while scanning for OS-level vulnerabilities ranks as the lowest priority.

“Many organizations lack the awareness needed to secure their operating system, which is what hackers exploit to gain access to critical corporate data through escalation of security authorities,” said Overby.

“One of the most important things they can do is set up a process to scan for zero-day vulnerabilities.”