New Survey of 225 Decision Makers Identifies Mainframe Security Risks

Key Resources Inc., a consultancy and provider of mainframe vulnerability scanning solutions, has announced the findings of a survey on security practices in a new report. “Don’t Let Mainframe Security Complacency Leave Your Critical Customer Data At Risk” reveals that while 85% of companies say mainframe security is a top priority, but only 33% “always or often” make mainframe decisions based on security.

The study, conducted by Forrester Consulting on behalf of the company, surveyed 225 IT management and security decision makers at North American companies with $500 million or more in annual revenue.

“Despite widespread awareness concerning the stakes, enterprises simply aren’t devoting enough attention and resources to mainframe security,” said Ray Overby, president and co-founder of Key Resources Inc. “All it takes is one mainframe data breach to bring an organization to its knees. But, many organizations lack the tools, personnel, and in some cases, knowledge, they need to protect their mainframes and all the mission-critical data they hold.”

According to the report, organizations know that mainframe security is important, but they’re not taking actions that reflect their priorities. Even though 95% of respondents say they’re concerned about the potential of customer data breaches on the mainframe, 67% admit that only sometimes or rarely are they factoring security into mainframe decisions, putting the most critical IT systems at significant risk.

Respondents’ top mainframe priorities are data breach prevention, compliance, risk management, IT cost reduction/optimization, and application availability. But, the company says, despite this desire for data breach prevention, scanning for OS vulnerabilities is consistently ranked as a low priority. There’s  also a fundamental misunderstanding among IT managers and security professionals about what it takes to secure the mainframe.

Respondents stated that it is easy to find the right mainframe security tools (65%), but they struggle to find the right personnel. The majority of respondents are either bringing in third-party mainframe security technology (96%) or outside resources to review security and compliance (95%). And, nearly three-quarters expect to experience a reduced risk of data breaches as a result of using mainframe security tools.

Respondents expect that using automated mainframe security tools will help them reduce the risk of breaches (73%) and decrease vulnerabilities (63%). Yet, they view tasks such as application scanning, penetration testing, and gathering resources to secure the environment as critical or high priorities, while scanning for OS-level vulnerabilities ranks as the lowest priority. This indicates that they lack awareness of what is needed to secure their OS, and one of the most important things they can do is set up a process to scan for zero-day vulnerabilities, according to Overby.

The full “Don’t Let Mainframe Security Complacency Leave Your Critical Customer Data At Risk” report is available for download at, and more information about Key Resources can be found at