When I cast my mind back over a 40-year career in mainframes, two things are clear. First, the mainframe has proven itself to be one of (if not the) most efficient, resilient, and securable platforms globally. It has worldwide reach, and longevity. Second, its future is impossible to predict. That said, we can see pointers for the short- and medium-term. Above all, the mainframe continues to transform, keeping it relevant.
Current Usage
The mainframe is well used, and worldwide usage seems to be rising. A 2024 Forrester study reported that “among global infrastructure hardware decision-makers, 61% said that their firm uses a mainframe. Of those that use mainframes, 54% indicated that their organization would increase its use of a mainframe over the next two years.” It’s long been accepted that the majority of Fortune 100 companies use the platform, often guesstimated at around 70%. This generally means IBM Z. What issues are front of mind for these enterprises around the globe? My observations are partly anecdotal, based on interactions with end users, clients, and vendors. But these topics are verified repeatedly by industry reports and surveys.
Modernizing the Mainframe
In general, companies are continuing to modernize in place rather than rip-and-replace. We’re seeing a continuing shift toward hybrid IT strategies; Kyndryl’s 2024 State of Mainframe Modernization survey found that 96% of organizations are moving an average of 36% of their workloads off the mainframe to cloud platforms. And while enterprise-wide observability is highly desirable, it’s also acknowledged as tricky to achieve in a hybrid world.
You won’t be surprised to read that enterprises are rapidly embracing artificial intelligence: 86% of respondents to the Kyndryl survey are either deploying or planning to deploy AI. With the Telum processor enabling you to “infuse AI inferencing for real-time insights,” IBM says the opportunity is to “analyze real-time transactions, at scale, for mission-critical workloads such as credit card, health care, and financial transactions.” There are also important security applications for generative AI and machine learning, with security a primary concern for the industry, hardly surprising in a heightened cyber threat landscape. Linked to that are increasing calls for improved cyber resiliency.
And woven throughout all this, the skills gap remains, presenting barriers to improvement and modernization globally, especially in the aforementioned key areas of AI and security.
Focus on Security
Delving a little deeper into security matters, these statistics are worth repeating. They come from IBM’s Cost of a Data Breach Report 2024. The average global cost of a data breach increased 10% over the previous year, hitting US $4.88 million. On the credit side, the report found that security AI and automation are starting to pay off, “lowering breach costs in some instances by an average of U.S. $2.2 million.” While AI can help to detect and contain breaches faster, and so contain the costs associated with them, AI is a double-edged sword and a powerful tool in the hands of cyber criminals. My Vertali colleague Mark Wilson has written about this in an article for Planet Mainframe, The Good, the Bad, and the Ugly: Generative AI and Cybersecurity.
I think the vast majority of organizations do have underlying issues that can undermine both their security and their ability to comply with industry standards and cyber security regulations. Some issues can be serious and lead to breaches. From our own mainframe security practice and conversations with clients, we know that prevention is key. An important aspect is carrying out regular Security Assessment and Penetration Testing, to identify vulnerabilities and close them before a breach occurs. Such an approach lowers or removes the cost of the breach altogether, and will identify the issues that can make you noncompliant. These can be addressed to avoid penalties, improve the enterprise’s overall security posture, and help you become more cyber resilient.
How Cyber Resilient Are You?
This is another key trend worldwide, driven by regulatory concerns and the increasing frequency and range of ransomware attacks. For example, the European Union’s Digital Operations Resilience Act (DORA) applied from January 2025. This seeks to strengthen the IT security of entities such as banks, insurers, and investment firms, so they remain more resilient in the face of severe operational disruption including cyberattacks. Around 22,000 institutions have to comply. Perhaps the two most important things to remember about DORA are that (a) it extends to third-party service providers, and (b) it seems that addressing the regulation has not been a priority for many mainframe users. Let’s see what happens.
True cyber resilience brings together business continuity, information systems security, and organizational resilience, to counter external attacks, insider threats, and natural disasters. Preventing, detecting, and withstanding an attack is only part of the equation. Recovery is the other essential element. Today, organizations are making backups of data more regularly, believing they can then recover from any catastrophic loss quickly and effectively. If only things were that easy. In many cases, organizations are not really focusing on the recovery aspect, the point in time they can actually restore to, thereby maintaining the integrity of their business applications and data. The critical question to ask, when thinking about your ability to recover, is, “how far can I actually roll back to?” The first step in developing an effective cyber resiliency strategy and roadmap is to review your data backup, protection, and restoration procedures.
Building a Mainframe Workforce Globally
Back to that skills gap. In 2024, Gartner Research reported that “Lack of mainframe skills among new generations is a key factor driving organizations away from the mainframe.” But perhaps there is some light at the end of this particular tunnel, with 2024 research by Futurum Group describing a 65% increase in trained mainframe-skilled trained professionals, while stressing the continued need for targeted training.
Recent years have seen organizations starting to address the skills gap, including IBM, Broadcom, BMC, and the Open Mainframe Project, to name just a few. Here at Vertali, our New to Z (NTZ) program is one of the global initiatives that seek to introduce fresh talent. You can read about two recruits here. This trend is growing worldwide and, I think, a younger workforce is starting to emerge. Some universities and educational establishments are now including the mainframe in their curriculum. However, we must always be wary about focusing on specialisms: the industry needs fully rounded individuals, able to turn their hands to the many different facets of mainframe infrastructure, operations, security, and resilience.
The Global Outlook for the Mainframe
In April 2024, Gartner Research published The State of IBM Mainframe at 60, which stated: “The IBM mainframe will continue to offer significant value to organizations for at least the next 15 years and probably longer, because many global enterprises prefer to continue relying on their mainframe due to its features, as well as the cost, complexity and risk of migrating off of it.” That’s what it comes down to, the provision of “significant value” to the business. The mainframe is still very good at what it does, hence its continued usage (and market growth) globally. In my view, the mainframe will be around for a lot longer than 15 years as it continues embracing the new technologies and innovations that are driving all IT forward, and if the skills gap does narrow. The platform is well-positioned to exploit new opportunities well into the future.
Gary Dulon is services delivery director at Vertali Ltd. He has more than 40 years’ mainframe experience, from systems architect and program manager roles to senior leadership. He combines extensive management experience with client-facing programming expertise, database design, security skills, and pre-sales and post-sales support for a huge range of ISV products. Dulon also has significant platform transition experience.