Explaining Mainframe Security to Your CISO
Mark Wilson of Vertali explains how to help your CISO understand the threats that face the mainframe despite its reputation for security
Could the mainframe be subject to a ransomware attack? Absolutely. In today’s threat landscape, CISOs need to make sure mainframe security is aligned with wider CISO governance models and risk management strategies. The problem often comes down to a lack of understanding, particularly if C-level executives haven’t come from a mainframe or mainframe-adjacent background. (Not everyone is so fortunate.)
As a result, mainframes are still being overlooked. Some people see them as legacy platforms despite their continued (and often increasingly central) role. But the big problem continues to be an assumption that the mainframe is secure when it’s not, combined with people lacking even basic skills relating to “that box in the corner.” This can lead to senior information security people not knowing the full extent of the vulnerabilities, and therefore the threats, facing their organization. And the reality, as borne out by the latest IBM data breach report, is that a breach is more likely to come from a malicious insider – a privileged user who goes rogue.
When it comes to explaining mainframe security to your CISO, the key is to translate technical capabilities into business value. We need to frame conversations in a way that resonates with the CISO’s priorities, to enable more informed decision-making and, critically, a strategic alignment between mainframe security needs and CISO priorities.
‘Just Another Server’
IBM’s Cost of a Data Breach Report 2025 told us that the mean time to identify and contain a data breach is 276 days. Someone can do a lot of damage in nine months.
Probably the first thing to point out to your CISO is that the mainframe is not impregnable and could provide a way into the corporate IT environment, like any other server. Therefore, the mainframe should be treated the same as everything else: it’s just another server with an IP address.
The bad actors can easily figure out the fairly simple way that things hang together on the mainframe, like the catalog structure that allows you to easily find data. You don’t have to be a platform expert. So here you go, cybercriminal. You’ve got hardware with a blisteringly fast I/O capability, crypto cards that do super-fast encryption… what’s not to like?
We’ve run emulation software that allows us to run mainframe tech on non-mainframe hardware. We were at terabytes a minute and would have been in petabytes in 5-10 minutes.
‘That Time I Hacked the Mainframe’
Is the mainframe susceptible to a ransomware attack? Absolutely yes. Has it been? Yes, it has, because I’ve done it. In the most recent example, Vertali was asked by a client that wanted to properly understand its security posture.
What I should make clear is that what I’m about to describe was all done as part of an entirely safe and secure controlled exercise.
We looked at their DR system, and I was given the userid and password of a systems programmer. They said, “Do what you’d do if you wanted to cause havoc”. I had no tools, nothing. It was three days to set up all the tools, then 30 minutes to destroy the mainframe. Literally, one batch job, taking out system files, business data, configuration files… There was one dataset on the system, highlevelqualifier.system.recover.jcl. That was the first thing we encrypted so it couldn’t be used for system recovery. And yet, there are technologies, processes and procedures available now that you can deploy to protect against this kind of thing.
‘Just How Secure Do You Think You Are?’
Once your CISO understands the threat to the mainframe, the next step is prevention. What should he or she do?
Ask your CISO when the organization last performed a penetration test, security assessment or vulnerability scan on the mainframe. They will probably need to check with the mainframe people. In the best-case scenario, the mainframe team will point to a recent assessment or pen test. Worst case: Nothing like that will have been done in recent memory. This is something that we come across all too often.
At this point, the CISO should become rather more interested in what you’re saying, once they realize that they don’t actually have a solid understanding of the organization’s current security posture.
So, now that your CISO accepts the mainframe can be hacked, the next stage is to help them prevent it from happening: testing, checking and assessing to uncover, reveal and remediate the vulnerabilities.
There are many other avenues you can explore, preventative tools and techniques that help to secure not only the mainframe but, by extension, the wider corporate IT environment. Some may already be in place as part of existing governance models but, perhaps, don’t extend to the previously considered impregnable and/or taken-for-granted mainframe.
I’m talking about relatively simple stuff like multifactor authentication (MFA) to deal with credential theft and potential reuse. I’m also talking about real-time monitoring, threat detection and alerts. You can use “spot it and stop it” technology to immediately quarantine potential threats and gain the protective breathing space to carry out additional checks.
Throw a stick and it will hit any number of tools for password management, network segmentation, certificate management, file integrity monitoring and so on. Help is out there. All of these can contribute to the “zero trust” environment that any CISO should be striving for.
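File integrity monitoring is the control that would have raised an alarm the moment a recovery dataset was overwritten with ciphertext. The following is an added illustration, not code from Vertali or from any mainframe FIM product: it keeps a SHA-256 baseline of watched datasets, reports anything missing, new or changed on the next scan, and flags a changed dataset whose contents have become high-entropy (the signature of encryption in place) as critical. The dataset names, their contents and the 7.0 bits-per-byte threshold are constructed for the example; a real deployment would read dataset contents through the platform’s own access methods and feed the alerts into the monitoring and alerting pipeline the article describes.

```python
import hashlib
import math
from typing import Dict, List

# Constructed sample datasets (name -> contents). They stand in for the kinds
# of files a mainframe FIM tool watches: recovery JCL, system configuration and
# business data. Names and contents are illustrative only.
BASELINE_FILES: Dict[str, bytes] = {
    "HLQ.SYSTEM.RECOVER.JCL": b"//RECOVER  JOB (ACCT),'SYSTEM RECOVERY'\n//STEP1    EXEC PGM=ADRDSSU\n",
    "HLQ.PARMLIB.IEASYS00": b"MAXUSER=400\nSYSNAME=PROD\n",
    "HLQ.PROD.CUSTOMER.DATA": b"0001,ACME LTD,ACTIVE\n0002,EXAMPLE PLC,ACTIVE\n",
}

# Assumed threshold: plain text, JCL and most structured records sit well below
# 7 bits of Shannon entropy per byte; encrypted or compressed data approaches 8.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def take_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 digest per dataset; this is the trusted reference state."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def check_integrity(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[dict]:
    """Compare the current contents against the baseline and return alerts."""
    alerts: List[dict] = []
    for name, expected in baseline.items():
        if name not in current:
            alerts.append({"dataset": name, "event": "MISSING", "severity": "high"})
            continue
        data = current[name]
        if hashlib.sha256(data).hexdigest() == expected:
            continue  # unchanged since baseline
        entropy = round(shannon_entropy(data), 2)
        if entropy >= ENTROPY_THRESHOLD:
            # Contents changed AND now look like ciphertext: treat as a possible
            # encryption-in-place event, the pattern behind the scenario above.
            alerts.append({"dataset": name, "event": "MODIFIED_HIGH_ENTROPY",
                           "severity": "critical", "entropy": entropy})
        else:
            alerts.append({"dataset": name, "event": "MODIFIED",
                           "severity": "medium", "entropy": entropy})
    for name in current:
        if name not in baseline:
            alerts.append({"dataset": name, "event": "NEW", "severity": "low"})
    return alerts


def simulated_scan() -> List[dict]:
    """Constructed scenario: one dataset encrypted, one edited, one deleted."""
    baseline = take_baseline(BASELINE_FILES)
    current = dict(BASELINE_FILES)
    # Recovery JCL replaced by opaque bytes (every byte value equally often,
    # which gives exactly 8.0 bits/byte; a deterministic stand-in for ciphertext).
    current["HLQ.SYSTEM.RECOVER.JCL"] = bytes(range(256)) * 4
    # Legitimate-looking configuration edit by a systems programmer.
    current["HLQ.PARMLIB.IEASYS00"] = b"MAXUSER=600\nSYSNAME=PROD\n"
    # Business data dataset gone altogether.
    del current["HLQ.PROD.CUSTOMER.DATA"]
    return check_integrity(baseline, current)


if __name__ == "__main__":
    for alert in simulated_scan():
        print(alert)
```

The medium-severity "MODIFIED" alert on the parmlib member is deliberate: a FIM tool cannot tell an authorised change from an unauthorised one, so the value comes from reconciling each alert against change records, which is exactly the discipline the next section argues for.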
‘The Time for Action Is Now’
We’ve talked about technology, but that’s just part of the mix. There are three other major requirements for effective mainframe security, which need to form part of the conversation with your CISO. These are:
- Making sure budget is allocated specifically for mainframe security
- Investing in the people, skills and a company culture that you need to underpin security
- Recognizing that maintaining security requires commitment and discipline
Securing the mainframe is not a one-time job. Maintaining that hardened “zero trust” security stance is a bit like how painting the Forth Bridge (Scotland) used to be: a never-ending task.
The good news is that, as an industry, I think we have moved the needle quite a bit in the last few years, and awareness of the mainframe’s vulnerability is growing. But we’re not over the line yet.
One last thing you might want to mention to your CISO: the time for action is now.
The next attack could be in a month, a week or the next few hours. And the situation is only going to grow in scale and complexity as the bad actors get smarter, and as the use of AI and quantum computing takes the threat level to new heights. It’s imperative that “we”—meaning the CISO and the organization—can properly understand all our data, including the mainframe. We need to know where it is, how it’s encrypted at rest and what encryption techniques and cyphers are being used, constantly ramping it up to the latest and highest standards.
In summary, Mr. or Ms. CISO, you need to treat the mainframe like you would any other bit of data. You need to use the strongest cyphers at your disposal. You also must invest in the right people and skills alongside cyber awareness, and make security part of your corporate culture.