Why being an IBM Champion is hard!

Working within the mainframe industry is a great way to spend your day. The technology is interesting, and the people who understand it are interesting. And being recognized as an IBM Champion is a great accolade. IBM said: “On behalf of IBM, it is my great pleasure to recognize you as a returning IBM Champion in 2021. Congratulations! We would like to thank you for your continued leadership and contributions to the IBM technology community. This recognition is awarded based on your contributions for the 2020 calendar year.” I’ve been a Champion since 2009.

So, if the industry is great and the people are great, and I’m being recognized by my peers for my work, why am I suggesting that being an IBM Champion is hard? The answer is simply that it’s everyone outside the mainframe world who make life hard. For them, the mainframe is a legacy system (and not in the nice sense of receiving a bequest from some rich old uncle that you hardly ever met) that one day soon will completely disappear off the face of the Earth – and, in the meantime, it’s really strange that anyone should still be using them.

Now, I know that if you read the works of some self-help guru, they will tell you to be positive. And that positive people are happier and get the most out of life. And in many ways that’s true, but at the same time, it’s important to spend some time (and definitely not most of your time) looking at what might go wrong, or, perhaps, what would be better if it were different. And that’s roughly how I spend my time talking and writing about the mainframe. I look at the positive aspects about it – and I also highlight areas where I think it could be even better. What I don’t ever think is that mainframes should go away any time soon.

And that’s why I was concerned about PCI compliance on mainframes. This is all to do with mainframes that take credit card payments – and, according to IBM, 44 of the top 50 banks in the USA use IBM mainframes. Section 10.5.5 of the PCI regulations asks: “Is file-integrity monitoring or change-detection software used on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)?”. And section 11.5 asks: “Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files?”.  

As I wrote in a previous blog, to be PCI compliant, mainframes would need to be running File Integrity Monitoring (FIM) software on their mainframe – and most of them aren’t. In addition, someone in the company, the CEO, CFO, even the CIO, will, each year, will be signing off the section 3 PCI validation form saying that they are. These execs may be convinced that there are ‘compensating controls’ being used, which there probably aren’t. Or they may consider their mainframe to be ‘out of scope’, which it probably isn’t.

So, what makes life hard is that when the finance industry press became aware of this situation, rather than highlighting the problem for their CFO to investigate and make changes to what was happening at their organization, the article used a headline making it look like it was only a problem for those last remaining companies that were “still using mainframes”. As we saw from the IBM figures, that would be 88 percent of banks. That’s a bit like referring to people who still travel by car, or who still use a laptop! It’s not some tiny minority, it’s the majority!

I once described it to a colleague as being like King Canute (Knut) who tried to tell the tide to go out when it was coming in. It sometimes seems like everyone is thinking one way and I, like the king, are thinking differently. It’s said that Knut knew he couldn’t control the incoming tide. However, I don’t have the king’s wisdom – I still strongly believe in the future of the mainframe. I’m just waiting for the rest of the world to catch up with my way of thinking. Perhaps I have more in common with Richard Doll, who, in 1948, published a study proving that smoking could cause serious health damage. Or Alfred Wegener, who, in 1915, came up with the idea of plate tectonics and continental drift.

I’m not saying that people are prejudiced against mainframes – nothing so active. I think that the problem is that people generally don’t understand what a mainframe can do – and how powerfully it can do it. They tend to view it as a vintage 1918 biplane, when, stretching my aviation metaphor to its limits, it’s more like the latest stealth fighter. And, I think it’s the role of IBM Champions, like myself, to spread the word, not only about the power, the security features, and everything else that a mainframe can do, but also explain how Open Source tools make the mainframe accessible by people with skillsets usually associated with Windows and Linux, etc.

However, thinking about it again, being an IBM Champion isn’t all bad. IBM provides regular online meetings where experts discuss the latest technologies. And there are IBM Champion-badged items that Champions can choose from that are sent out every year. There are Champion discussion groups. And much more.

So, thinking about it, maybe being an IBM Champion isn’t that hard after all!