You and your team may understand the importance of encryption and data security, but that doesn’t mean the people who write the checks get it yet. As a mainframe security professional, part of your job is translating the challenges of keeping the data on your system safe into terms the non-technical people in your organization can act on. Understanding the importance of data security is not enough. You also have to be ready to explain and defend the need to invest in it.
There is a constant balancing act between keeping data safe and keeping a business functioning smoothly. As access to the mainframe opens up to more users and more distributed systems, the need for security increases. However, businesses are motivated to move quickly, cutting costs wherever possible. Unfortunately, one of the areas where costs end up getting cut is in data security. This is partly because the benefits are less clear than other business operations, such as hiring more employees or opening a new sales office.
You could secure a mainframe almost completely by disconnecting it from the network, hiring armed guards to stand watch, and authorizing only a handful of highly trusted people to use the mainframe terminals. However, this sort of security would be too disruptive to business to be practical. Part of what makes your mainframe so valuable is its availability to your entire organization. But that is also what makes it vulnerable.
Those in charge of mainframe security have the added job of making the case for purchasing the software and enforcing the policies that will keep the system safe. There is no magic app or service that will protect a system completely, so even if you are able to convince the powers that be of how important it is to implement a better data encryption solution, your job will not be done. Many technologies have to work together to provide full security. For example, to protect credit card numbers stored on your system, the numbers themselves should be encrypted at rest (obfuscation or masking alone is not protection), the keys that decrypt them should be kept on a separate system rather than alongside the data, and even system administrators should be prevented from reading data they don’t own.
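The three requirements above (encrypt the card numbers, keep the decryption key off the data system, keep administrators away from the clear data) are the shape of envelope encryption. The following is an added example written for this page, not ASPG's product code or anything from the original article. To run with only the Python standard library it stands in for AES with an HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag; the key store, the vault, the role names and the sample card number are all constructed for the demonstration. A production system would use AES-GCM or the platform's hardware crypto and a real key manager in place of the KeyStore class.

```python
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive an independent encryption or MAC subkey from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy stand-in for
    AES-CTR; the same call both encrypts and decrypts)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered blob raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return keystream_xor(_subkey(key, b"enc"), nonce, ct)


class KeyStore:
    """Constructed stand-in for a key manager on a separate system (HSM/KMS).
    It holds the key-encrypting key (KEK) and only wraps/unwraps data keys;
    the KEK itself never leaves this object."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)

    def unwrap(self, wrapped_dek: bytes) -> bytes:
        return open_(self._kek, wrapped_dek)


class CardVault:
    """Constructed data store on the mainframe side. It persists only
    ciphertext, a masked copy for display, and the *wrapped* data key."""

    def __init__(self, keystore: KeyStore) -> None:
        self.keystore = keystore
        self.wrapped_dek = keystore.wrap(secrets.token_bytes(32))
        self.rows: dict[str, tuple[bytes, str]] = {}  # token -> (ciphertext, last4)

    def store(self, pan: str) -> str:
        dek = self.keystore.unwrap(self.wrapped_dek)
        token = secrets.token_hex(8)
        self.rows[token] = (seal(dek, pan.encode()), pan[-4:])
        return token

    def read_masked(self, token: str) -> str:
        """Administrators and support staff get the masked form; no key is touched."""
        _, last4 = self.rows[token]
        return "*" * 12 + last4

    def read_full(self, token: str, caller_role: str) -> str:
        """Only the role that owns the data may trigger an unwrap and decrypt."""
        if caller_role != "payment-service":  # hypothetical role name
            raise PermissionError(f"role {caller_role!r} may not read clear card data")
        dek = self.keystore.unwrap(self.wrapped_dek)
        return open_(dek, self.rows[token][0]).decode()

    def disk_image(self) -> bytes:
        """Everything an attacker gets from a full copy of the data system."""
        return self.wrapped_dek + b"".join(ct for ct, _ in self.rows.values())


def demo(pan: str = "4111111111111111") -> dict:
    """Walk one constructed card number through the vault and report what each
    party can see. The sample PAN is a well-known test number, not real data."""
    vault = CardVault(KeyStore())
    token = vault.store(pan)
    try:
        vault.read_full(token, "sysadmin")
        admin_denied = False
    except PermissionError:
        admin_denied = True
    image = vault.disk_image()
    try:  # attacker with the disk image but no key store guesses a KEK
        open_(secrets.token_bytes(32), vault.wrapped_dek)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {
        "masked": vault.read_masked(token),
        "full": vault.read_full(token, "payment-service"),
        "admin_denied": admin_denied,
        "dump_leaks_pan": pan.encode() in image,
        "wrong_key_rejected": wrong_key_rejected,
    }
```

The point the example makes is structural rather than cryptographic: a complete copy of the data system yields ciphertext and a wrapped key, both useless without the KeyStore, and the administrator path never reaches a decryption call at all. The weak configuration the page warns against would be storing the KEK in the same dataset as the rows, which turns the disk image into clear data for anyone who can read it.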
However, security doesn’t end with encryption. Encryption renders stored data useless to anyone without the keys, but it does nothing against someone who has obtained the password of an authorized user: the system will dutifully decrypt the data for whoever authenticates as that user. Effective password management is therefore also a critical piece of the security equation.
There are many points in your system that will need to be kept safe, and, therefore, a large, complex case to be made to upper management. Performing a self-audit of your mainframe will help you prioritize the potential threats and make the business case for the steps needed to address them. It’s not enough to make the business case for one security system in isolation, because the many systems have to work together.
Determining the value of the data on the system, the cost to the business’s reputation if there were a breach, the cost of customer data that could be stolen, and the likelihood that your system is an attractive target for data thieves should all play into the formula that determines how much it would be prudent to spend on a comprehensive security system. Selling senior management on the need for increased data security is challenging enough, and the fact that you have successfully prevented a data breach so far will make the case even more difficult: a clean record is easily read as proof that the threat is exaggerated, when it is more often proof that the existing controls are doing their job. When it comes to enterprise security, no news is the result of ongoing work, not a reason to stop funding it.
However, software alone is not enough. It is a critical starting point and there are some features you must have, but a secure system also requires maintaining a culture of security.
If you’re looking to make the case for implementing one of ASPG’s data security products, start by requesting a free trial or scheduling a meeting with one of our specialists to help make the case for investing in a more secure system.