CIOopinion that are licensed to work in New York . The bottom line : routine vulnerability scanning and compliance checking are fundamental in any industry that has a mainframe at the heart of its IT environment .
Auto-pilot isn ’ t the only answer . Find an architect
“
THE STATE OF NEW YORK ’ S LATEST CYBERSECURITY REGULATIONS SETS UNIQUE STANDARDS FOR MAINFRAME PENETRATION TESTING AND VULNERABILITY SCANNING GLOBAL FINANCIAL ORGANIZATIONS .
How are you supposed to protect this important IT system if you are essentially flying blind in terms of its vulnerabilities and remedies ?
What should CISOs consider automating ?
Automating mainframe security checks can help . With the right tools , CISOs can arm their security teams with the resources required to mitigate vulnerabilities in mainframe operating system code , without requiring impossible time-consuming manual work . This has benefits not just for improving security , but also meeting compliance standards .
For example , think back to the insurance example at the start of this article . Insurance is a heavily regulated industry and companies are expected to meet high standards for information security . Automation helped that business solve a common problem – policy drift – that led to an unfortunate circumstance .
Standards are also high across other industries . Depending on your field , you might have heard of the NIST Security and Privacy Controls for Information Systems and Organizations . This is a catalog of recommended security technologies and processes created by NIST , an agency within the US . Department of Commerce . Federal agencies , state organizations and private businesses closely follow NIST guidelines because it ’ s the best way to verify that their IT systems comply with federal laws and standards around data privacy and security .
The most recent NIST update , in March 2020 , specifically recommended independent IT environment assessments that include routine vulnerability scanning for every IT system . That includes the mainframe . So , if your company works with federal agencies , it ’ s crucial to follow the NIST guidelines .
Other organizations , from the Department of Defense ’ s Defense Information Systems Agency ( DISA ), to the Payment Card Industry ( PCI ), make specific recommendations and requirements around security vulnerabilities . HIPAA does the same in healthcare , and the state of New York ’ s latest cybersecurity regulations sets unique standards for mainframe penetration testing and vulnerability scanning global financial organizations
Still , tech can ’ t solve everything alone . CISOs need experts they can trust , which is why we often advocate for the role of a mainframe security architect .
This is an ideal internal role for organizations that have struggled with mainframe security accountability in the past . A good mainframe security architect understands both broad IT security as well as the specific intricacies of the mainframe world . They can continually review and enhance corporate security policy , always considering mainframe protections along the way . They build your toolbox of software and technologies to protect the enterprise .
But they ’ re not alone . Separation of duties is important in IT security to eliminate conflicts of interest or situations in which the same person is reporting on their own activity . Your mainframe security architect simply builds the security architecture , but they should not be the same person that implements , tests , audits , monitors and reports on mainframe security . That work should be left to someone else in-house or a third-party consultant .
CISOs who surround themselves with the right support can make up for their own gaps in mainframe knowledge while building a more automated and effective mainframe security estate . That ’ s how you keep your data safe , keep the regulators at bay and keep your board of directors happy . •
ABOUT RAY OVERBY
Ray Overby is CTO and Co-founder of Key Resources , a leading expert on mainframe security vulnerabilities . He ’ s a 30-year veteran in the specialized and highly demanding arena of mainframe information security , consulting for some of the world ’ s largest corporations in finance , insurance , healthcare , government and beyond .
46 INTELLIGENTCIO www . intelligentcio . com