Sponsored content from Broadcom
Threats and changing regulations have everyone on point. Day to day, we may feel like we are trying to play the perfect game of security “whack-a-mole”, plugging gaps, fighting fires, and responding to compliance requests. However, we know security is anything but a trivial game. Poor planning and implementation lead to real consequences for all players.
As the operators of systems have evolved and shifted from only those in a data center to now the addition of all of us, every day, with our devices and perhaps even working off-site, there is an evolution with security as well. Security is not the sole responsibility of the security administrator. There is an overlap and convergence of responsibility from those in technical roles to various stakeholders.
Security has traditionally focused primary responsibility on the security administrator, but the demands on the security administration teams seem to be growing exponentially. Many of you may balk at the use of the word “seem” and demand the use of a stronger word! And a stronger word may be warranted, as each day is exhausting juggling multiple requests and fire drills — not to mention trying to make progress on longer-term strategic projects. The demands on the security administration team are like no other time in history, leading to burnout at all levels. The average tenure of a CISO is just 26 months! And 51% of security professionals experienced extreme stress or burnout over the past 12 months.
Historically, the security team focused on the system, and directly connected users with the applications and data along for the ride. They secured the perimeter — the system. Identity and access controls were administered so that a limited set of users with direct access could use the transaction-focused system. Along with identity and access, global system controls were the primary focus. Work intensity ramped up in preparation for biannual audits. At some point in the near past, the work intensity ramped up but never relented.
As previously discussed in John Krautheim’s article, “Addressing the Top 5 Mainframe Network Security Vulnerabilities,” the mainframe is no longer a walled garden — it is more connected than ever. The system housing more than 70% of global business data is accessed by a broader range of direct and indirect users and customers via APIs, web servers, and modernized workloads, connected over TCP/IP. In parallel to increased mainframe connectedness, the internet has grown from its infancy to become a very complex network, ripe with changing threats that come with a complex system of internetworked systems. It may feel as though a fire or a gap, generated by our complex connections, is always popping up! Ah, whack-a-mole — when does it end?
The evolution of the internet has generated an explosion of transactions and the resulting data. There is a strong push for data protection, which takes a dual approach at a system level and an application/data level. With the mainframe connected to the internet and hosting many business-critical applications that generate regulated data, the increased scrutiny on the system is well warranted, just as with other platforms. Increased scrutiny in the form of regulatory compliance is the norm. The application/data audits are continuous, in contrast to biannual system audits. This is the root cause of the sustained demand on security teams.
Increased Teaming for Security
Security administration teams are the central point for communication and implementation of security, privacy, and compliance. However, there are cross-functional teams responsible for the security posture of business assets. Security is top of mind for end users, who suffer if their data is mishandled. Security is also top of mind for the full realm of organization stakeholders, who suffer if there is organizational brand damage or fines due to a data breach. This means that security teams, business units, and data owners need to prove security to a host of individuals, most of whom have a lesser understanding of the low-level details of security. So, how does a security team succeed in setting the foundation for a solid security environment, be proactive in continually reducing risk, and enable cross-functional communication that leads to security-and-compliance responsiveness by all?
Here are some activities that might help lead to success:
- Convergence of teams – there is no getting by in today’s world without team members working together. This means that teams outside of the security administration team must have at least an elementary understanding of security and risk related to their assets. A good place to start is Broadcom’s Mainframe Education Community.
- Speaking a common language – Communication is always twofold:
  - For security administrators: Security can be very detailed, but not all roles need the same level of detail. Raise the conversation to a common denominator of knowledge. Imagine yourself in the role of an application or data owner and speak to his/her concerns and responsibilities.
  - For cross-functional teams: If security data isn’t intuitive, ask questions. Most security administrators are very passionate about the domain and are therefore more than happy to explain what the details mean in terms of risk or action that needs to be taken.
- Automate and enable compliance self-service – Cross-functional teams likely have many repetitive requests to fulfill common compliance requirements. Automate these requests and enable self-service so teams can access security information on an ad-hoc basis. This empowers the team to maintain a security level for their assets by identifying risk and understanding remediation options. It also frees up time for the security team to focus on more detailed security work, such as security architecture and strategic planning. With better common communication and readily available data, rubber-stamping during entitlement re-certification may become a thing of the past!
Tools such as Security Insights take data and provide interpretive security information in a self-service platform to cross-functional teams. Continuous monitoring tools are also part of the automation equation, and continuous monitoring enables teams to know right away if critical security actions take place, allowing them to get out of the reactive cycle that manual report mining brings. Common interpreted communication, automation, and self-service!
- Documentation – Plan and document best practices that are in use. A plan can bring focus to the desired security state of the system, which multiple teams can follow. Ensure best practices are platform-specific and technical in nature. This gives credence to the security level of the system. Broadcom’s Security Technical Implementation Guides documenting security best practices are available.
The most successful game of whack-a-mole is when someone is standing on the side of the machine, helping the main player by tending to part of the field. Teamwork is critical to success. The complexity of the mainframe environment, in particular in a hybrid IT world, far exceeds the playing field of a whack-a-mole game, and we know the stakes in our businesses are a lot higher than in a simple game. However, it is a good analogy to convey the success teamwork brings to the day-to-day juggle of fire-fighting, regulatory requests, and projects. The realms of responsibility and focus of a security administrator, a compliance analyst, and an auditor are distinct and yet overlap more than ever.