Did you know that when you purchase a smartphone or a productivity software package like Microsoft Office, you probably only leverage about 30 percent of its functions and features? When you think about security software used to help secure the mainframe and the costs associated with that software, is 30 percent acceptable? Based on many security reviews, interviews, and surveys, the unfortunate reality is that mainframe security software is likely only being utilized at the same 30 percent.

Most people would not accept that level of security utilization in their home, particularly in an area that has higher rates of crime. Let’s say you’ve recently installed a burglar alarm, security lights, and cameras. You decide to leave the house and not switch on these features because you’ve not had the time to learn how to operate them. You lock all the doors and windows, only to return home to find burglars have ransacked it. By now, you are probably deeply regretting that you didn’t familiarize yourself with the additional security measures that might have prevented the intrusion. Imagine a security breach of your mainframe that could have been prevented if only you had learned about and implemented the specific security features you already own.

Every new release of mainframe security software typically comes with new functions and features that are designed to help fortify security and increase compliance. Given that customers want and need (and are paying good money for) these features to assist them in the ongoing battle of securing their mainframes, why do so many software functions not get implemented? Here are a few reasons:

• People cannot see the value proposition
• Features were not designed with ease of use in mind
• Insufficient staff and/or technical capability to implement
• Higher priority work uses existing resources
• Latest features get lost in “marketing speak,” leaving customers unaware
• Dependency on other hardware or software upgrades
• Customers do not know their software’s capabilities

From my experience, underutilized security software usually leaves the system exposed in one or more areas. Exploitation of the latest functions and features demonstrates that you are on a path of continuous improvement, and have a rigorous software adoption policy--and thus stronger defenses.

When you combine the requirements of your corporate security policy with external standards and regulations that your organization is bound by, you end up with an enormous amount of work for the security practitioner. Using all the features of the software you own can reduce that load in the long run. Compliance is a mixture of people, process and technology. It’s the technology aspect that has the biggest role to play in helping achieve our compliance goals.

What steps can you take to improve your utilization of existing security software?

• Get management support. They will want to know if the organization is not getting value from the security software they have already acquired and what risks remain unmitigated as a result.
• Document the functionality you are not using and how these would benefit your organization’s objectives. Include the risk of doing nothing.
• Involve your vendor to keep you up-to-date on the latest capabilities and to convince management on the benefits for your organization.
• Research new capabilities on an annual basis and add them to the security improvement plan.
• Ensure that security professionals are educated on new capabilities.
• Set dependencies on functions you have not yet deployed (e.g. “We cannot do this project without xyz functionality.”).
• Join user groups and attend conferences to learn about new innovations and to see how other organizations are exploiting security software.
• If you want a new function or feature added, send the vendor an enhancement request. Others may benefit from your requirements.

In a highly regulated world, we cannot justify the partial utilization of one’s security software. With the significant amount invested in security software, the key ingredients to better utilization is doing the required research, getting management support, the resources and funding to ensure a successful implementation. As security practitioners, our job is hard enough already, so we should be getting security software to work much harder for stronger defenses.