John Connors and Milt Rosberg on Mainframe Security and Pervasive Encryption
Vanguard Integrity Professionals’ John Connors and Milt Rosberg on Vanguard’s history of servicing clients, and the importance of careful pervasive encryption implementation
John Connors: Well it’s kind of interesting. My background started in the military. Back in 1977 I was a cryptographer there, working crypto maintenance, and spent 25 years in the military going around the world doing various security things with that, because I handled computers, communication, crypto, satellites, all kinds of com stuff. Then after I retired from the military I ended up being a consultant. I met Mr. Bailey, who was the founder of Vanguard, about 2001, the latter part of 2001, and I was a CTO over at another company. He asked me to join his team because he wanted to move Vanguard from just being mainframes to being mainframes and open systems, and moving into another realm. So back about 20 something years ago, about 21 years ago, it was my charge to not only learn the open systems, which I have a really good background in and crypto and communications and stuff like that, but to pick up the mainframe. I had done midrange before that, but not mainframes. And so from there I learned many, many different things and started out as a consultant for Mr. Bailey and then worked my way through almost every technical position in the company until where I am today, which is the CEO of the company.
Reg: You mentioned doing just about every job in the company. I feel like this is going to be a common theme throughout this discussion here is the idea that everybody at Vanguard sort of does everything, just from our previous discussion. With that said, let me move over to Milt Rosberg and Milt, tell us about how you ended up at Vanguard and on the mainframe, and maybe a little bit about how you learned to do every different job in the company.
Milt Rosberg: Well it’s a long history with Vanguard, pretty much like John. Prior to Vanguard I worked for a company that was based out of Delft, and they were brought to the United States—myself and a couple of other people bringing the product to the United States. It eventually got purchased by IBM, so that was my original history in the security sector in the z/OS market space. I met Mr. Bailey in 2001 and came on board with him pretty much in the same role that I have today and continued my relationship with him up until March—
John: Yeah March, when he passed away.
Milt: When he passed away [laughs]. So I would say five years ago, I came to work full-time for Ronn. I had left him in early 2003 or 2004 and I started my own practice. I serviced a lot of the big companies in the United States who were interested in security and too international, anywhere from data loss protection to scanning for bad code to remediation to pen testing to products to SIM connectivity. Those were my clients that I serviced. And then about four years ago, five years ago now, Ronn came to me and asked me if I would—Vanguard was still my client—if I would come to work for Vanguard full-time and close my practice down, and I did. That’s when Ronn actually semi-retired and when he—
John: That was in May of 2017.
Milt: Yeah, May, and that’s when he really built his founding management team which is still in place today running the company. So it’s a long history of technology and being involved with major corporations that all had the same issue: How to improve operational efficiency, improve their security, meet their audit requirements, and how they can do that and afford it and take care of their clients. So we’re here to service them, so it’s a rich history of helping customers solve problems.
Reg: You both basically first met with Vanguard and with Ronn Bailey around the turn of the millennium. Interestingly, of course Vanguard had been around for about another 14-15 years previous to that. Maybe if I start with John, if you can kind of give us a sense of how did Vanguard come into being back around I guess 1986, and what was their journey forward?
John: Sure. So like you said they started in ’86. So Ronn was in the Air Force, prior to that in Vietnam and what not, and he had learned his skill set being a computer operator, okay? So the computer operations center that he did there, he saw a need. So when he got out of the military he founded Vanguard literally at his mother’s dining room table. That was kind of an interesting story too to hear both of them talk about it, but what he saw was a need for tool sets that did not exist in z/OS. Well back then it was called OS/390 or actually System/36 or System/37 by then, but the IBM platform, there was a security hole there. IBM had just brought in the security platform onto this thing and it was maturing over time, but it didn’t have the tool set necessary for people to do. It was very complex and you really needed to understand computers at a—you know, more like a computer science level. The average person had to learn a significant amount of information before they could actually manage their database. So he started the company thinking well, I can consult in that—and he was a very good consultant. He had a consulting business starting in ’86, but he understood that there was a missing tool set there, so he started out to bring out the first tool set for this platform, called Vanguard Administrator—and that Administrator is still our flagship product. To be honest with you, over time what that has done is grown this company to many different products and solutions, but it really was founded in the idea of taking the knowledge of the consultants and automating that security into the security platform to make it easy for day to day operations. That’s really the way this whole entire company is. Our presence in this industry is to make the day to day operations for any person who is operating this platform easier and easier, so all of our tool sets go around that concept. 
He was a consultant that took the knowledge that he had and the knowledge that has grown throughout the industry for 30 years, plus every time we learn these things we put them into our tools so that the people that are operating these systems don’t have to have that detailed knowledge. They can use very simple languages or queries or tool sets to make it good for them to do their job easily. You know our whole history from ’86 until now is about that premise. How do we take knowledge, put it into a product to make your job easier? That’s it.
Reg: Well it’s interesting because obviously you have to start with something, and my impression is that Vanguard started with basically making RACF better, but you have branched out to really be a much broader player in the mainframe security space, including I guess recently acquiring EKC and also really deepening your offerings concerning ACF2 and RACF—I’m sorry. ACF2 and also Top Secret. Maybe you could [cross talk] that journey?
John: Sure. As you think about it, it’s still the same premise, right? We really wanted to look at security holistically, so you’re right. We started with RACF; as a matter of fact a founder of RACF, Elder Morley, still works for this company. We looked at that as a security model that dominated the thing, but there are three security models as you said, right? There’s Top Secret, there’s ACF2, and there’s RACF. They cover pretty much the dominance of the market for the IBM platform. I mean there’s a little market outside of that, but most of those—and we looked at those over time. We started heavily in RACF. We were known as the RACF gurus. The professional services team, my managed services team, my penetration guys, they were the guys that people would go to in the industry and ask the security questions. How do you harden this platform? But that branches down into many things. Not only do you harden it, how do you audit it? How do you make it compliant with different regulations that have come over time? We evolved into how do you secure it using multifactor? So we built the first multifactor platform on z/OS. We brought that to market. When the government and the NIST decided in about 2009 that the mainframe platform was no longer considered a legacy system and it had to come up to speed with regulatory bodies and they produced a regulatory compliance measurement, we built a tool that automated that—you know that compliance regulatory body—and we brought that to the market. All of these are customer-driven things that the customers came to us as the experts in this platform and they said hey, here’s a problem. Our job has always been fix the problem for a customer. When they came and said the NIST said, hey there’s a compliance market and we’ve got to meet it. It was hundreds and hundreds of hours to do that. We automated that so that they could do it every week. 
When they said hey, the world is getting multifactor, we’ve got to be able to do that and there’s nothing on the market, Vanguard stepped up and brought that to the market. We’re market-driven based on what is the problem that somebody on the z/OS platform has. They tell us what the problem is. They’ll tell the experts in the room, which is my services team, here’s our problem. And then we’re going to go off and build a tool that makes that easier for them.
Reg: Hmm. Now that is sort of really interesting because it seems like in many ways we’ve really been taking the journey along with IBM and z, now Broadcom, in creating the future in the context of mainframe of security. One of the areas that you also are clearly participants is the SHARE user environment community. Obviously Barry Schrager, who had some dealings with you folks as well, was one of the co-founders of the SHARE Security Project back in 1972, but you folks are really heavily involved with that project now as well. I’m wondering if you have any thoughts about the role that Vanguard has played in moving forward both with the SHARE Security Project and just in the space of mainframe security, understanding, and community.
John: Well I think you’ve got a good story there because like you said, Ronn was involved in many, many different user groups—the RACF user groups, the RUGs, the SHAREs that are around. You know the RACF one, Ronn actually founded it in California and it spread across the country, and those type of user groups where SHARE—like you said, Barry Schrager was there. Barry used to work for us also. Now so all of these communities that grew up, the one thing that we have for a founding principle is that we want to give back to that community. Not only are they giving us business opportunities because they give us an opportunity to grow and they give us an opportunity to build new tools, but we participate in SHARE, in the RUGs, in the various meetings that are around the country, so that we can understand those problems. We could not be a leadership role in that if we didn’t participate, and if we don’t listen to those communities, what’s our purpose? So our purpose is really to respond to those communities. We’ve participated. We’ve spoken at almost every SHARE I think there is—either Brian, myself, Milt, Rox, the executive team has probably spoken. Brian and I have received rewards—you know, speaking at those—because we enjoy that. Participating with people that know what their job is and telling us what their problems are and resolving those problems—you’re not going to know unless you go to user groups, you don’t go to SHAREs, you don’t go to those type of things. We even have our own.
Milt: John, it’s interesting. When Ronn founded the company, one of the legs of the stool was product professional services and Vanguard security conference—
Milt: And the Vanguard security conference was the very beginning of Vanguard. When he built the Vanguard security conference, he made it a security event, not an event to talk about tools. And so when Vanguard—still to this day, we have a four- or five-day event. The first three or four days are all dedicated to helping the industry. We bring in well-known speakers from IBM, Broadcom, KRI, international speakers, auditors from ISACA. We bring leaders of the industry—Rob Clyde, who is with ISACA, he spoke several times. He sits on the board of directors for ISACA—and what we try to do is bring that knowledge into one place. So we’re transmitting the knowledge of what is needed in the industry for security, audit, and compliance in one place, so we can grow that knowledge base. It’s not a platform to sell product. It’s a platform to exchange knowledge.
John: And like you said—you mentioned SHARE. SHARE started out really as a system programmers conference and then grew and added a security conference as part of one event tenets that are in that conference over time. Vanguard started as a security conference and has maintained it as a security conference for—
Milt: To this day.
John: To this day for 36 years, every year.
Reg: Now one of the things that contributes to that whole community role that you folks have is—I sort of hinted that at the beginning of the discussion that your employees, and I understand that on the one hand, the majority of your employees are really about substance and technology and customer support and primarily about some of the more business-oriented things as much as the technology-oriented, but also that every one of your employees seems to be based on sort of whatever it takes to make sure that everything works well. I mean the people from your company that I know personally are pretty amazing people, just lovely people. Maybe you can talk a little bit about, you know just the makeup of your organization.
John: Well I mean you hit the nail on the head right there when you said customer service. That is the predominant tenet throughout this company. It doesn’t matter who you are. We are known in this industry by our customer service, because that’s the first thing that happens. I mean for us to maintain an industry or be in an industry with very big competitors like IBM, Broadcom, whoever they happen to be, the thing that people want is they want our customer service. We get questions about Broadcom products, about IBM products—because like I said earlier, we’re the experts in this platform. So my guys, whether it’s the customer support guy who answers the phone—which is an interesting concept even in its own, apart from a customer service point of view. There’s always a human on the end of the phone here. There’s no such thing as a dial-in recording in this company, and that was one of the founder’s things. To start the customer service and to be proactive, you talk to a human, and we’ve kept that up throughout this history. The human that’s on that phone, whether it’s a customer service person or the receptionist, whoever answers it has enough knowledge to get you to the right person to answer your question. We don’t care what the question is. Now granted, Vanguard has 30 products and we have to maintain those, but if you ask us a question about the platform or you ask us a Microsoft question or a Splunk question or something that interacts with us, we don’t care. It’s better for the community to get the answer for what they’re trying to do and that’s the kind of customer service it is. You said everybody wears many, many different hats? That's because they’ve learned so much over time. These guys know Splunk, they know Windows, they know IBM, they know z/OS, they know UNIX, and they’re there to help the community regardless of the question. 
Not just Vanguard but whatever the question is, as long as it’s hopefully something to do with the platform that we’re working on. We try to keep it limited there, but we’re here to help them. If they’re connecting to this platform, regardless of what the question is. This company is very proud of what its reputation in the industry is, what you receive for customer service.
Reg: Well obviously you guys have done something totally unlike standing still in so many different ways, you know that you’ve continued to adapt. Right now I understand there’s some new changes, some new things that you folks are doing that you know, in addition to the acquisition of EKC, a bunch of other stuff. So maybe you could talk about some of the current initiatives that you’re involved with.
Milt: Sure. Like you said, EKC, we purchased last year and EKC brought us additional tool sets that we needed. One of those tool sets really is the elevation of privileges on this platform, which was a needed add to our platform, and we’re going to expand that. That is one of our initiatives. EKC did a very good job of putting that in the market for RACF and for ACF2. We’re going to expand it to Top Secret so it goes across the entire industry, like you said those being the predominant external screen managers. We want to expand that product line. We also have some other initiatives going on that we deal with. If you’re familiar with the term SIEM, which is an integration of technology that allows you to dashboard a lot of different security events. We’ve now taken all the security events from the z/OS platform—just the security ones, not all the events that have happened but all of the things like logons and violations and you know, things that are pertinent to the security database, and have those things as an event monitoring system now to go to Splunk, okay? And we can send those to ArcSight, Splunk or LogRhythm, any kind of SIEM, whatever happens to be out there. That’s something we’re working on and we’ve also brought to the market this year. Another part of that, which is our compliance going to SIEM, we didn’t realize that, as the SIEM technology has grown and consumed more and more data, we’re now going to take our audit data and push that out to those dashboards. We’ve built some dashboards that make it easier for executives to look at their enterprise and say hey, how is my mainframe looking? Because they don’t know what mainframes are. They care about what’s my data, is it being audited properly, is it staying compliant with the standards that are out there? So we built dashboards now that are up to the national standards, or National Institute of Technology standards. You can see a dashboard; is this platform compliant with that technology? 
It makes it easier for those.
John: We’ve also bought out—are you familiar with patch management in the industry today? Because that’s the one thing we saw lacking, and now we’re coming out with a tool that actually helps with distributing software on this platform. Again because there were clients—how do we get from non-production to production and through the life cycle of that? And on this platform it’s hard because it’s a very, very large platform, right? It’s global and you might have 30 or 40 different integrated servers all talking and communicating with each other. How do you push a known good platform of software into the next system to the next system to the next system, so your whole enterprise is all up to date every day, improving in quality and all of that? By letting the system manage that for you. And that’s another initiative we have on the market today.
Milt: Yeah, that was actually—again, that was driven by a client. An international client—I think in six or seven different countries, you know, a big client and one of the top 10 banks of the world. They wanted to distribute their data—not their data. They wanted the updates to their information and be able to manage that from a central location and know that all the LPARs were updated like they should be. So we built a tool; it’s called VAD and it does aggregation delivery on an automated fashion to all the countries. They’re all in the same place and everything is up to date. The executives are thrilled to death with it because now they know each LPAR in each country has the updates that it should have.
John: Yeah so they have 36 different data centers they’re keeping in sync by having a master center—
Milt: Which is really pretty cool and we’re doing—so we’re treating the mainframe in an automated fashion. You would do that in an open system architecture easily, but we’re treating the mainframe for that. That was driven by a client, and now we have that installed, many, many large clients are taking advantage of that. It’s that whole push that we recognize in the industry today. So you have to improve operational efficiency. You have a lot of people retiring out of it. How are you going to keep them educated? How are you going to have tools to help them? How are you going to make sure that they’re getting the data to where it should be in a reasonable length of time? All of those things accumulate to one problem: Are they meeting their audit requirements and the governance requirements across their enterprise platform? So we’re working continually to help solve those problems for a client. This is just one of them.
John: And we consider governance as almost—you know, security actually is governance at the end of the day, right? They may be two different terms. Somebody says well, we have governance responsibility and the security team says, I have a security responsibility. They’re really the same thing. It’s the security team trying to meet the governance responsibility and our goal is again to make that easier for them. This client that he’s talking about said hey, this is my problem. How do I make sure that every one of my 36 data centers is the exact same image and it’s passed through my quality. It’s done through my production system. It’s gone through my prepro and everybody and their brother has signed off and said this is good. I can sleep at night knowing every system has been tested and proven before it goes live, and that’s what it was designed for. That is compliance and security all rolled into an automated factor.
Milt: That’s the fun part of the business, when you can work with a client and come up with a solution that they’re happy with. Those are the things that you go, wow, we actually built that. We build everything here in the United States. All of our developers work for Vanguard. They’re not someplace else. They’re right here. We go through very, very rigid background checks. We do a lot of work for the DOD and other organizations. We’re very, very strict about who works for us. We constantly check them. We run a tight ship and it shows up in our products, because when you deliver something like this, there’s not a lot of room for failure.
Milt: I mean you can’t fail. You can’t be, gee I wonder if this is going to work? We have to deliver very solid code that operates efficiently and makes their business easier. We have another example where a large client came to us and said you know what? We’re having trouble getting our circuit class information. We have an audit finding. We can’t seem to get our hands around this. We work very closely with them. We took a couple of our tools, we tuned them up, added some stuff that they needed. We built it for them, we had it operate very efficiently for them and we solved their audit problem. This is a big client coming to us that had an opportunity to go anywhere in the industry. And so we just have that particular skill set of understanding the code, how it works, how the z/OS environment works, and we have a deep bench in that space. That really helps us solve customer problems and it gives us an edge, candidly.
John: Well you said [cross talk]. Go ahead.
Reg: Well I was just going to say one thing you sort of hinted at, that is really a big issue that sort of overlaps with all these is the available workforce in the mainframe space. Now obviously on the one hand, you obviously have vetted out and built a really solid company with a good workforce. But you’re dealing with customers whose workforces on the mainframe have been reducing since time immemorial, and yet whose requirements on the mainframe are increasing. I’m going to guess that some of the solutions that you’re offering are very much about addressing that issue productively. Maybe if you can give sort of a sense of how you are strategically helping organizations deal with the insufficiently large mainframe workforce given your skill set.
John: Well I think we have two solutions that we bring to the table with the industry. One, like you said, is our tool set. Our tool set is designed—whether it’s going to Splunk or going to an off platform collection of information—to make it easier for them, because then they can cross utilize other people. That’s big for the companies, right? If I can have a compliance guy who can look at a dashboard, regardless of the platform that’s under the covers, it makes it easier for the companies. We don’t have to have the z/OS expert doing the audit. We can teach an audit guy with the right tool to do the right job, and that makes it easier for the business side. But in addition to that, over the years Vanguard’s training has been really something else. So the last couple of years especially we’ve brought in college undergrads and grad students, and we’re bringing them in and training them as an opportunity for them. So I’ve done 20 students over the last two years, typically about ten a year. We bring them into the organization and hopefully we can backfill some of this industry knowledge as you’re talking about with the older folks, as we say, us silverback gorillas that are actually you know, dying off [laughs] and retiring—
Milt: Us young guys.
John: Us young guys, yeah. But at the end of the day we also feel there’s an obligation to the community to train that next generation. So Vanguard is very committed as a training organization working with local colleges around the country. We’ll take your CS, your CE engineers, whatever those are, bring them on staff, give them an internship for a year or two and teach them the system. And then on top of that, they’re bringing knowledge on all the newer technologies and we’re trying to blend in that newer technology with the tools sets that we already know.
Reg: Hmm. Cool. Now one of the issues with the mainframe that is related to this core issue is the fact that the mainframe isn’t going away and a lot of organizations are just starting to realize that now. You know some of my colleagues, they’re prone to saying the mainframe isn’t going anywhere, and I always slap their wrists when they say that, because in fact it is going somewhere. It’s just going further up and further in as it were. It is really the one platform that has proven itself like no other platform could. And given that the future of the mainframe is not only bright but that there’s a need to recognize that it is not going away, we need to be looking to the future. Part of that is looking at what are the current and upcoming issues, challenges, and opportunities on the mainframe and my sense is that you folks have done some very careful thinking about that and are deliberately taking actions to participate in building that future. Maybe if you can give us a sense of some of the things that you’re doing.
John: Sure. One of the things you just hinted at and I think a lot of people don’t understand, the mainframe is the backbone of data. Data is what’s important, okay? If you look—and it doesn’t matter what industry you’re in, but if you think about what you do everyday as a person. You go to a bank. That’s going to be on some sort of mainframe. You’re going to go to an ATM. It’s going to be back-ended by the data that’s on there. You do a financial transaction, I can guarantee you it hit a mainframe. There’s just zero chance that it didn’t. If you’re in a big retail environment, your point of sales may be a little PC that’s there. It may be an R machine or it may be some sort of little thing, but at the end of the day you went to Home Depot or Walmart or Target or a bank or whatever, the data that actually ended up processing that transaction, there’s probably an 80% or greater chance that that’s on a mainframe, and people don’t understand it because at the end of the day, it’s a zero downtime platform. It’s been running forever. It runs everyday constantly, over and over and over. You might have 100 boxes in front of it doing the preprocessing and making it an ATM machine, making your point of sales machine and all that, so it’s kind of really transparent. I don’t see it going away and I think it will grow as data gets smaller and smaller locations, because the companies are getting bigger and bigger and bigger. They’re buying up more banks, they’re buying up more things, but this platform is not going away. The biggest thing this platform has to do is mature as the world sees it. When you think about things like multifactor, the mainframe did lag behind, but now it is capable of doing it because the industry said that was something we needed to catch up on. So Vanguard came to the market and built—like I said—the first MFA solutions for it. But now they’re available for everybody, okay? We have got to stay up with this platform with what is perceived as new. 
It’s always been there but its perception, that’s different, okay? This box has been doing transactional information for decades, we just have to make sure that people understand it’s the backbone. It’s not the flashy machine that you see at the counter. It’s not the machine you drove up to and put your credit card into. No. It’s the guy in the back end who answered the question: Can you have money? Can you buy this? Can you do something? That’s what this platform does and we’ve got to make sure people understand that, because from a business need, people are losing track of that because it never breaks. It’s in the background and it doesn’t get the funding that it’s probably going to need over time, and that’s going to hurt but we do need to make sure we keep it top of mind presence for the industries. Look, this is what your real data is. This is the database in the background. This is the transaction processor in the background. It’s the horse that does all the work.
Milt: It’s interesting, John, because our clients, they’ll say well, I’m going to go to the z cloud. So they’ll ask us to rework their paperwork they may have had previously, let’s say for the last 20 years on premise z. Now they’re putting it up—maybe on two or three LPARs into the cloud, or six or eight, whatever number that happens to be—with some kind of an outsourcer. And so it’s still operating on z, still using the same tools, still has the same compliance and audit requirement—
John: But now it’s called the cloud.
Milt: But now it’s called the cloud, but it hasn’t changed the business operation. Because when the customer goes to use their credit card, they don’t care if the computer is on premise. They don’t care if the computer is the cloud. All they care if they can take out their $200 and continue to do what they’re going to do.
John: And be guaranteed that it’s secure.
John: They didn’t lose their information. They didn’t lose their credit card name. They didn’t lose—you know, and the companies care about their clients. The customer didn’t lose their information, and that’s what we bring to the table. Are we meeting the security needs to protect the data and the people? Because at the end of the day, that’s what matters. It’s not the machine. It’s the data and the people. Is it being protected properly, and are we doing that job? That’s what Vanguard stands for. Are we protecting that data?
Reg: Well this is really fascinating stuff. Now as we take a look at the current challenges and opportunities and the amazing technology, I like to say that the IBM z16 is the greatest computer ever made—although some people point out to me that that’s because the System/360 was. But you know when you look at things like the quantum resistant encryption, the AI on the chip—and there are just all these technological advances that IBM is making to move our mainframe ecosystem forward. Any additional thoughts just about how the technology is really something that you at Vanguard are interacting with?
John: True. I like the one you brought up there with pervasive encryption, because that is a great example of a good thing for an industry. Here you have IBM and Broadcom, and they brought to the market the idea of all data should be encrypted. That’s a phenomenal idea, it really is, but the problem with that is people don’t understand how to use encryption. So we have to train those people. We have to make tools that are making encryption on the fly literally transparent to the end user, and that’s where Vanguard is stepping up to the plate. We’re building tools that manage that pervasive encryption, manage that key stuff. The part that the human has to do, not that the machine has to do. IBM has brought out a great machine to do that, now we have to have the tool set and the people trained to use that tool set. And that’s the niche that we fit, okay? And we really do. I agree with you. I think the z16 is definitely one great machine and it can make life easier and protected because if you don’t want to share your data with somebody, you don’t want to share your social security number, you don’t want to share this stuff, and we have to today. When you signed up for, you know Microsoft today, using a Teams viewer, you’ve got to give them your birthday. You got to do something. You’ve got to give them your data. Do you want to do that if it’s not protected? Z in the background where it can protect that on the fly all the time—once it’s set up, it’s great. Our job is to make sure that people know that. We train people on it.
Milt: Actually John, you mentioned that on the training part. With our security conference that’s coming up in September, we actually have several tracks that are just devoted to encryption. We’re having encryption specialists come in and we’re going to have some utilities that we’re going to offer to the industry to help what you’re talking about with the hands on the keyboard, making sure you implement it correctly. As you have talked about several times with clients that ask about this, you say you want to make sure you do your encryption correctly.
Milt: The last thing you want to do is make a mistake with it.
John: You know today we probably all talk about ransomware. If you think about it, at the end of the day, the pervasive encryption that IBM brought out, if you goof it up you just produced ransomware on yourself, so you’ve got to make sure you do it right [laughs]. You don’t want to be the guy who goes to his boss and says oops—
Milt: Oops I just locked down everything.
John: I encrypted everything and locked it out. We don’t want to be that guy, believe me.
Reg: It’s a different style of ransomware. It’s like the guy with the key. You just ransom it.
John: Yeah, you know.
Milt: You lock yourself by accident.
John: The system guy gets angry at you and leaves town [laughs].
Milt: Pervasive encryption is a really neat thing, but it is ransomware in a box if you don’t do it right. We are bringing this out for the Vanguard Security Conference as a footnote and we have a whole track on that with some excellent industry leaders in knowledge and some utilities that will help customers solve this particular problem and give management a little easier feel on, we’re implementing it correctly.
Reg: Well this has been a great conversation, but I really want to make sure that we haven’t missed anything. Any additional and closing thoughts from both of you? Just to help our listeners really appreciate first of all, who Vanguard is and what your role is, but also just the current and future role of security in the mainframe and mainframe connected ecosystem.
Milt: Yeah, this is Milt. I just think what happens to people, just general communication is you have a preconceived idea of what the other person wants to hear. You know from Vanguard we work really, really hard at trying to understand what they’re trying to solve. We spend a lot of time. Let’s say we have a discovery call—John and I and Brian and some of the other team members are on a call with a client. We really listen, take very, very good notes. We try to understand what they want and then we have like a meeting afterwards. We say do we really understand what they want and start really driving through a requirements document, what they’re trying to solve. And so we have a place in our culture to understand what the customer wants. At the end of the day, they’re the people that are servicing their customers, and the better we do to help them do that, the better we are in doing our job. We work closely with industry leaders in the security space, the compliance space, the audit place, and we try to take our solutions we’ve already built over the years and fine tune these in such a way that they meet the new requirements of today. I mean you have all kinds of new requirements being thrown at us like GDPR. We had the STIG thrown at us. You got the IRS 1075. You got the NYZ23. I mean it just goes on and on and on. Well how do we fine tune our tools to help the players in the industry, the states, the government, meet their requirements? It’s basically a hands-on approach. Everybody in the company, we open the hood. We can put our hands on the engine and make it work, and I think that’s really the culture and the difference, and John has brought this forward. We have a CEO of the company that is a cryptologist. I mean he grew up in this industry. He’s worked in every department: PS, development, client care, quality assurance. He works with us on discovery calls. We’re doing marketing work. He’s a speaker. That’s who we have as a leader.
We didn’t go out and just grab somebody from another company and say you really get over here and this other organization, we’re going to make you the CEO of Vanguard. We actually grow our people within so we understand what the client needs. It’s just a different way of doing business.
John: And the founder—we need to talk about Ronn for a second—instilled that in the entire management team, okay? The management team at Vanguard has been here 20 years, okay? We’ve been around the block together. We’ve worked together. We’ve grown together. We’ve done that. When Ronn decided what, five years ago?
Milt: Five years ago, yup.
John: To step back, the management team said hey, we got this. We’re going to work on this. Everybody on this team does everything. We only have one approach, and it started with Ronn in 1986. Build from the knowledge that you have and use that knowledge to help the industry do something. It’s still what we’re doing today. We’re not going to change from that model. Everybody in here is a subject matter expert of something, and together we all work together and be a subject matter on a platform. That’s a good thing. A big part of that is to listen to what the community needs, listen to what the leaders are asking for, and develop what they need, not what we need. Develop what they need to solve their problems. As long as we can do that, Vanguard will continue into the future, and that’s our goal.
Reg: Yeah, this has been a wonderful conversation, a great chance to get to know you folks and your company better. Any last thoughts just before we kind of tie up?
John: No, we appreciate your time today and you know if anybody is looking at Vanguard, don’t forget, we’ve got a website out there. And if you need anybody in the industry who is looking for expertise in z/OS or anything that connects to z/OS, give us a yell. We’re here for you.
Milt: And if you have some time in September to go to a security conference that’s designed for security by security professionals from IBM, Broadcom, KRI, and the other organizations, you should sign up and go. It’s a great time.
Reg: Awesome. Well thank you both very much. So I’ll be back with another podcast next month, but in the meantime, check out the other content on TechChannel. You can also subscribe to their weekly newsletter, webinars, e-books, Solutions Directory and more on the subscription page. I’m Reg Harbeck.