To implement and maintain strong and sustainable controls requires your Mainframe Security Professionals to be wired in a certain way. Not the electronic way; it’s the way they think and approach the security of your mainframe. So, the question is, are they really a security person?
I started working life in retail at the tender age of 16 – I was a bit of a multi-tasker, one-minute serving customers, the next counting money in the cash office; mopping up a spillage down the alcohol aisle and so on. However, there were some other aspects that I think set the path for what I do today and the way I think. For example, on several occasions I would help the store detective catch shoplifters and I loved it; often I would visit unattended cash tills making sure the operator had secured their station; I loved doing security checks around the building and locking things up (no, not people); I also made suggestions to improve security.
After moving from retail, I ended up working for an insurance company, employed as a claims handler for car and home claims. As you can imagine, you see a whole new world of dishonest people with their fraudulent claims. I thrived on investigating these and catching people out – I was also given the responsibility for performing local user administration tasks (we were known as Terminal Supervisors) for 200 users, where I would create and delete users, reset passwords and manage access to business applications running on CICS and IMS. I remember running a tight ship, making sure the leavers were dealt with almost the second they walked out the door; oh, and you only got the access needed to do your job – something we now call the principle of least privilege/access.
So, there was a trend emerging by the age of 20 and at this age someone spotted the security in me – it’s how I started my journey into the world of Mainframe Security. While I was working in the Claims Department, I attended a training course for local user administrators – the instructor was the former Security Services manager for Mainframe. We talked a lot throughout the day because I bombarded her with questions. At the end of the course, I remember her saying to me, “Jamie, I think you’re wired to be a security person – you think differently to the other course delegates”. That was it; she recommended me as a candidate for a job vacancy in Mainframe Security and the rest is history.
Over the years, I have seen some people working in Mainframe Security teams who know RACF, know the processes and tools inside out and understand the business functions. However, the way they often implement security is geared towards availability, convenience and performance, often with a touch of tactical thinking and never questioning. Then you have another side where infrastructure folk are given dual responsibility for say systems programming and security. Now, I am not knocking sysprogs – they do a fantastic job; however, you need to remember that aspects of their job are potentially a toxic combination with security; also, security is not necessarily at the front of their mind.
So back to the mindset and the wiring of a true Mainframe Security Professional. How do they think and approach things? Based on my own thinking and what I see in others, here are a few things to consider:
- You never bypass processes, procedures, policies, even when under extreme pressure
- You have the power on your userid to do something, but you know you do not have the authority to do it (not tempted to do something when you know you can)
- You are never afraid to speak up or challenge your colleagues including the management!
- You will keep pushing until something is changed / fixed – you won’t be silenced
- When you are designing and implementing a control, you are thinking about ways in which those controls can be circumvented / bypassed. You think like a hacker.
- You want transparency; nothing hidden
- You always want the job done properly; half measures are not acceptable
- If you spot something is wrong that puts your employer or client at risk, you report it promptly
- When the Auditors come knocking, you’ll happily tell them about issues and risks you know they won’t find
- You thrive on implementing controls that align with the principle of least privilege
- You prefer defence-in-depth; one control is typically never enough
- You always want to understand what you are doing, what you are working with and why you are doing it. For example, why does it work like that? Why is it done that way?
- You are self-motivated and require little or no supervision
- You always want to learn more and take steps to self-educate, even when your employer will not pay for it
- You thrive on telling people that if we don’t do this, these are the risks
- You love continuous security improvement; always striving for how things can be done better
- You regularly keep up to date with external influences such as the latest threats, trends, regulatory requirements
- You get frustrated when you work with someone who just doesn’t get security
- You like doing security research and implementing the outcome of that research
- You like putting forward recommendations that improve security
- You love conducting security reviews and audits and reporting back to your stakeholders about issues and risks. You also love remediation activities!
- Your default position is never trust, always verify
- You regard your best “professional” friends as the CISO Office and Internal Audit
- You thrive on teaching others and sharing your knowledge
If your organisation is going to excel at Mainframe Security, you need people working in your team who have a security mindset. Just because the LinkedIn profile or CV/Resume has the words “Mainframe Security, ACF2, RACF” and so on, it doesn’t mean they have the right mindset. To help you build and maintain secure systems that will protect the Confidentiality of data, maintain the Integrity of data and ensure the Availability of data when it’s needed, authorised of course, you need a security mindset! Yes folks, CIA principles are still the core foundation of everything we do as security professionals.
Final thought. Throughout your working life, people help you through the different stages of your career. It could be mentoring, some ad hoc training, sharing some knowledge, or spotting your potential and recommending you. I would personally like to thank those who have helped me thus far; too many people to name, but you know who you are!
Jamie Pease CISA, CISM, CISSP, CITP, MBCS is a Senior Project Architect at BMC Mainframe Services by RSM Partners and Chairman of the GSE UK Enterprise Security Working Group https://www.linkedin.com/in/jamiepease/
Disclaimer: The views, thoughts and opinions expressed in this article, belong solely to the author and not necessarily to the author’s employer or GSE.