In our latest “I Am A Mainframer” interview series, Jeffrey Frey, Retired IBM Fellow, chats with Chad Rikansrud. Chad Rikansrud is the Director of North American Operations for RSM Partners (www.rsmpartners.com) – a world leader in IBM mainframe security consulting services. Chad is a nationally recognized security industry speaker, with appearances at DEF CON, RSA2017, SHARE, and other regional conferences. Most of Chad’s 20-year career has been in technology leadership for the financial services industry where he has held various senior leadership positions, including worldwide datacenter operations, infrastructure and recovery responsibility, as well as enterprise-wide system z storage. Jeff and Chad discuss the biggest challenge for the mainframe going forward and how Chad got into the mainframe ecosystem originally.
If you’re a mainframe enthusiast or interested in the space, we invite you to check out our new community forum.
Create a profile and post a selfie with your mainframe system, and you will receive an exclusive “I Am A Mainframer” patch.
Jeff Frey: Hello. And welcome to another edition of the, I am a Mainframer Conversation Series, sponsored by the Open Mainframe Project. I’m Jeff Frey, a retired IBMer, an IBM fellow and previously the CTO of IBM’s mainframe platform. Having spent my entire career in developing the mainframe, it’s my pleasure to host this mainframe conversation series.
Before we get started, let me tell you a little bit about the Open Mainframe Project. As a Linux Foundation collaborative project, the OMP is intended to help create a mainframe-focused based open community for technical folks. It’s also intended to serve as a focal point for development and deployment of enterprise Linux in a mainframe computing environment. The goal of the project is to excite the Linux community around the use of the mainframe and also to foster collaboration across the mainframe community, develop and exploit shared Linux tool sets, resources, and services in a mainframe environment. In addition, the project seeks to involve the participation of academic institutions to help assist in creating educational programs aimed at developing the Mainframe Linux engineers and developers of tomorrow.
So for today’s conversation we have the pleasure of speaking with Chad Rikansrud. Chad is the Director of North American Operations for RSM Partners, a world leader in IBM mainframe security consulting services. He’s a nationally recognized security industry speaker, with appearances at DEF CON, RSA2017, SHARE and other regional conferences. Most of Chad’s 20-year career has been in technology leadership for financial services industry where he’s held various senior leadership positions, including worldwide data center operations, infrastructure recovery responsibility, as well as enterprise-wide System z storage.
So Chad, welcome to the broadcast. It’s great to have you on today. I’m looking forward to our discussion.
Chad Rikansrud: Well thanks for having me, Jeff. I’m delighted to be here.
Jeff Frey: All right. Very good. Let me say just to get started here, tell us a little bit about what you do at RSM Partners.
Chad Rikansrud: Sure, will do. So at RSM Partners I’m responsible for our North American Business. And what we do is all things mainframe security, specifically we focus on the z/OS operating system on mainframe. We do a little bit of z/Linux and some zVM but we do a lot of z/OS. And our main goal is to help companies really bring their mainframes to the modern era of security, if you will. And you can read between the lines there that we don’t find that many of them are up to snuff, if you will, in terms of what the rest of the world considers reasonable good security practices and policies on the mainframe. So what we do, through consulting, through pen testing, through security assessments, and through some software, is try to raise the bar for these companies and this super important platform. Not only for them but frankly for the planet.
Jeff Frey: That’s very interesting. You know I’m struck by that because the mainframe kind of has a reputation for being a very secure platform. I’ve kind of always said when I was with the teams I was working with that it wasn’t really correct to say that the mainframe platform is secure but that the mainframe platform is securable. And what I meant by that was, obviously, the environment that the mainframe is managed in has to be secure and there has to be good practice around the security of an IT infrastructure. When you say, bring the mainframe up to modern kind of security environment, can you give me an example or two of that for our listeners? I mean I think that would be very interesting.
Chad Rikansrud: I sure can. And you’re exactly right. I don’t mean to imply at all that the mainframe can’t be a secure platform. It has all the bells and whistles and dials and knobs, if you will, that can be turned to make it one of the most, if not the most secure platforms on the planet. But you and I both know, given your experience and mine, that often the weakest link is the people, really, the human beings that build and configure the platform. And I don’t mean it out of a place of necessarily ignorance or neglect, but we have a lot of noise. There’s a lot of noise in the security industry every day, every week we read about a new breach, we read about a new vulnerability.
And to some end, I think, the mainframe is a little bit of a victim of its own success. It’s really reliable. It does what it does exceptionally well. And I think there is a tendency to conflate availability and reliability with security. And what I mean by that is, we see often in a lot of companies that there’s a finite amount of money to spend, everybody knows that. And on one hand you’ve got this system over here that just works and the people who run it know it well, generally don’t have any issues with it. For people who have architected it correctly they might not even have any unscheduled down time, because that’s a thing. And so we have over on this other side, a constantly changing landscape of threats and attacks and headlines and so on and so forth. And I think that leads to a little bit of maybe a false sense of security about that we must be doing the right things on the mainframe side because we’re not seeing the types of breaches and hacks and vulnerabilities.
And so what we tend to see and what we tend to do, to answer your question, is we’ll go in and say, okay, here’s a good example. Your password policy on the mainframe could be something out of the 80s still. And we still see a lot of that where people are still using max eight length characters with only upper and digits and that sort of thing in their passwords. That’s really a thing of the past as anybody who’s signed up for any kind of web service knows today. Another example might be multi-factor authentication. More and more you see on anything that is a serious consequence of a type of sign-on, whether that’s active directory or your bank account or something where you have in addition to your user name and password a token of some sort, so that idea of something you know, something you have.
These are all kind of well-accepted norms. And the mainframe has the ability to do these things but what we do is go in and say, “Look, by the standards that we would hold any other system and the mainframe accountable to, we probably need to move you, Mr. Customer, along the line a little bit here because it is such an important platform.” Just because we don’t see breaches and hacks and vulnerability doesn’t mean that they don’t happen, that they aren’t existing. And frankly, most companies couldn’t sustain one on this platform because of its importance to them. So we want to get there and help them move that along before something like that happens.
Jeff Frey: This is really a cool discussion. You know in the past I’ve talked to a lot of people about the perception of the mainframe, both good and bad. And one of the things that I’ve come across in the past is that some might claim, those pessimists among us might claim that the reason the mainframe has a reputation for security, or that environment has a reputation for being secure, is because it’s achieved security through obscurity, right? When you view the mainframe as an isolated piece of the IT environment and you haven’t really taken full advantage of its role and its place in a widely distributed network or now, of course, on the internet or in the Cloud for example. You know, it used to be that if you were running coax through the wall for 3270 terminals, right, that’s a much different set of security risk than opening up the mainframe to the world. And so as we’ve done that, I would imagine that the focus on security has gotten a lot more focused.
Chad Rikansrud: That’s exactly right. You know you touched on a couple things that I see that I think are part of, if you dig deeper into this security by obscurity is one thing. The mainframe came back from an era when everything was hard wired, there wasn’t switch networks, and sort of evolved through all of this. I also think that, if you think about it from a public relations perspective, you think about from a perception perspective, it’s actually important what the larger IT community thinks of the mainframe because at some level they set the policy. They influence the CIOs and CSOs. And I thought it was really interesting, and IBM is a good example. When IBM released their z14 recently with pervasive encryption, unless you were living under a really big rock you heard about this. They did a great job. You saw it in all the magazines, TV, I mean, when you see a mainframe in Wired, you know you’re doing it right.
But a lot of times next to that, they had a picture of the old System/360 room full of computer kind of thing, because that’s what people think about when they think about mainframe. And I think a lot of times there’s a conflation between legacy and something that is just backwards compatible and has been around, in terms of generations, forever. There’s a difference between neglecting something, where you’re literally still running on a System/390, okay. That’s not legacy, that’s neglect and you have forgotten to upgrade your systems. Versus something that has a brand new iteration today that has a nod back to the 50s and 60s but is nowhere near that, any more than my new Tesla is a nod back to the Model T because they have four tires. I don’t have a Tesla by the way but it’s a good example.
Do you know what I mean? And I think that perception is really important in terms of helping move the needle. So we do a lot of stuff like these kinds of podcasts and talking to people to say, “Hey, you know your life every day is affected by a mainframe.” If I get up in front of a group of people and say, “Everybody who’s used a mainframe today, raise your hands.” I’ll maybe get few people. It’s like, “Okay, did you use a credit card? Did you use an ATM? Did you fly on an airplane? Did you use any government services? What about insurance? What about going to a retail company?” And all of a sudden everybody’s like, “Wow, this is kind of important.”
So I think that we can’t underestimate the value of that perception of the product and getting kind of what the open mainframe group is doing in terms of building buzz and building awareness around it as well as the long term gain to helping secure the platform.
Jeff Frey: Yeah. Yeah. Very good. I think we may have started to touch on something here. Let me ask another question. What do you think, given all of this and given your perspective on the mainframe and its role in modern IT shops, what do you see as the biggest challenge for the mainframe going forward?
Chad Rikansrud: Well I am glad you asked that. I spent 20 years at a financial services company, well over 10 of which was directly involved with mainframe in some way, shape, or form. And the number one risk to the platform, bar none anywhere, everywhere, is talent. We need talent. We need people to be coming out of college, out of tech school, out of high school, looking forward to working on this platform. Like it or not, IBM and this platform are competing for the best and the brightest with every other really cool, new technology, programming language, hardware platform, start up company and so on and so forth. And I think it’s going to be really difficult to recruit people into this. One, because of the perception stuff that we talked about before and people either think the platform doesn’t exist or it’s old, boring legacy technology.
But two, because it’s really hard to get your hands on. It used to be that you’d come out of school and you’d get a job at a company and maybe you’d start back in the tape libraries, right? And then you’d go into operations and then you’d eventually end up as a network and system programmer and that sort of thing. Those days are gone. That chain doesn’t exist anymore and we’ve got to train people up to be coming in at the storage engineer or systems programmer level with maybe six months of on-site training.
But the issue isn’t that we can’t train them, the issue is that they don’t know about it or they’re not excited about it coming out of school because they have all this other stuff, because it’s really hard … I always use this example. If I were a kid in high school today trying to figure out what I wanted to do and I knew I wanted to be in tech, I could download just about any operating system there is. I could go buy for a few hundred bucks a computer, that sort of thing, play with them all from VMware to Windows to Linux. The only reason I would think about doing mainframe is if I knew somebody who was already in it. There just aren’t that many of them.
So I think what we’ve got to do as an industry is really figure out how do we cast a really wide net to get some of those folks in there so that we can continue to keep it a viable platform.
Jeff Frey: So I know we’re, this has been great, we’re starting to crunch up on our time limit here but I can’t help but ask a couple more questions on this because I want to dig into this just a little bit more. So I’ve thought about this, too, and so what do you think, what would be, if you have any specific recommendation about how to go about some of this. So let me give you a couple of my thoughts and maybe we can bat it back and forth.
In some ways, because certainly the platform has multiple personalities, right? There’s the traditional zOS environment and of course there’s the Linux environment. You know I think people might argue, rightfully so, that the Linux environment, for all intents and purposes, is pretty much a standard Linux environment. And if you had accessibility, if you had access to the mainframe in a Linux environment, from a programming standpoint, from a development standpoint, it would almost be impossible to tell you were actually on a mainframe. Now certainly the z/OS environment has very specific kind of idiosyncratic personality with its middleware, its transaction system, the way you deal with it operationally, etc.
So what do you think … the other thought I guess I had was, another approach would be to get people excited, not so much about the kind of low-level syntactic personality of the mainframe. I always kind of balk at people who say we’re going to teach the mainframe, so the first thing you do is you sit down and you learn some JCL. I think there’s another aspect of mainframe computing as an enterprise computing platform. So to teach conceptual notions of security for example, since we’re on that topic. And what enterprise security means and how the mainframe participates or contributes to securing an enterprise, right? Enterprise quality is service. So there’s multiple ways to kind of talk about the mainframe. What do you think? Do you have any recommendations or multiple we could do here? And what do you think IBM should be doing?
Chad Rikansrud: Yeah. I think those are all the right questions. I’ve got a couple of thoughts. I think you have to be in front of … I think, honestly, the biggest and first and foremost answer is the one that IBM doesn’t like to hear very often is, they need to get their operating system in the hands of people. So they need to have a version of it or an environment where the kids these days, right, the makers, the breakers, they’re tactile, they want to play with it all, they want to see it all. So while it may not be about teaching them JCL right away, I think a lot of people make their decision about what they want to do based on having some of that hands on and just getting a look at it. I grew up in networking and Linux world. I did not grow up in the mainframe. I kind of went in a little bit kicking and screaming. But once I got my hands on it the inner nerd inside me fell in love with the platform and the ability and the precise nature of it, the challenge of it, that sort of thing.
So I think the first thing you have to do, and it matters not only for the students coming in but it matters for the professors and everybody else who’s teaching about it. If you want them to include the mainframe in the discussion about enterprise security, and it absolutely has a place there, in cryptography and data at rest and encryption and all this kind of stuff, you have to allow them some ability to form their own opinions. If you go out on the internet and start disparaging one flavor of Linux for instance, you’ll get a whole cadre of people who will come and tell you what an idiot you are because you don’t know anything about it because it’s got a bunch of people defend it. If you do that with the mainframe, you’ll get the handful of like six or seven people that always do that, but you don’t have the wide girth of people who have knowledge about it first hand.
So I think the first thing they have to do is offer the operating system to people that could just play with it. I think the next thing they need to do, that IBM has to do, is kind of change a little bit of the persona around the mainframe to be more along the lines of all of the other operating systems today in terms of how they’re managed, how they’re seen, all this kind of stuff. Something, kind of a marketing campaign.
And then I think the conversation goes to where you said where it’s in the classrooms, in the go techs, in the engineering and the architectures. You know, we just start discussing it as another component, as a switch, a router, a Linux box, VMware, Windows. It has its place. It has pros and cons. It’s not everything to everybody. Certainly for high-volume secured transaction processing there’s very little that competes with it. But I think you can’t have these conversations in a bubble, it can’t be a mystery. We’ve got to have people be able to get their hands on it, get availability to all these kinds of things and then you can have more intelligent dialogues with folks because they’ll be coming from a place of knowledge about the platform instead of just what they’re meant to believe through marketing materials and that kind of stuff.
Jeff Frey: Well, yeah, I couldn’t have said it better. I agree. I agree with all of that. But Chad, I think we probably exhausted our time. I want to thank you very much for the time you spent with us here. It’s been great. I really appreciate it. And with that, if there’s nothing else I guess we’ll say goodbye and maybe sometime I can run into you and we can meet face-to-face. But once again, thanks a lot for the call. It was really great.
Chad Rikansrud: I look forward to it, Jeff. Thank you very much. And, yeah, I’d be happy to meet up sometime if you’re around in the local haunts, definitely.
Jeff Frey: All right, so that does it for this one. We’ll see you next time and bye now.