Starving For IBM i Security Skills

August 18, 2014 Dan Burger

Skills keep organizations moving forward. The person who has skills and who can prove it is a hot commodity these days. Professional development is a great investment whether it is a company investing in its IT staff or an individual investing in his or her career. There is a skills gap and you don’t want to be on the wrong side of it, or let that gap get so wide you can’t jump back across.

Let’s take security skills as an example.

Many of you know Robin Tatam, a subject matter expert on security for the COMMON user group who frequently is invited to speak at IBM i technical conferences and local user group meetings. He is also director of security technologies at PowerTech, a division of HelpSystems. Tatam and I traded emails last week after I found out he recently attained a security certification from the Information Systems Audit and Control Association (ISACA).

The more you know about security, the more apparent weaknesses become, but companies with strategies based on “close our eyes and hope for the best” are setting themselves up for disaster. There’s a difference between risk ignorance and risk avoidance. Of course, one requires no action and the other requires a level of awareness and action.

The days of the AS/400 and iSeries platform operating on their own islands with a limited number of hands touching the system are fading fast. The systems are being increasingly integrated into the IT universe and direct access by end users is on the rise. And you can add to that intensification in hacktivism for profit cyber criminals. The world, including the IBM i world, is not such a safe place.

“I strongly recommend that all enterprises running Power Systems servers allocate budget to train their staff in security and to establish a regime for continually assessing risk; even if they are not formally required to do so,” Tatam says. “Risk is not simply going to disappear and the number of regulatory mandates that often result from it are only going to continue to increase.”

Tatam has 25 years of experience on the IBM i platform. He’s also the analyst and lead author of the annual State of IBM i Security study that’s been published by PowerTech for the past 11 years. His observation of the IBM i community is that few companies acknowledge risk and actively work to reduce it.

The community, he says, is largely starved for security experts. In many cases, companies entrust system security to a person whose qualifications are summed up as “knowing the AS/400.”

Formal certifications are one indication that a person has specific knowledge of a subject and a system.

“Certification in the IBM i world is becoming increasingly rare, unless it is for sales and hardware engineers, or for technologies such as WebSphere,” Tatam says. “I have gained some two dozen certs from IBM over the years, but sadly I believe they are all now defunct. In the past, I have pushed IBM to consider an IBM i-centric security certification to help to educate and also to formally recognize those individuals that have the skills needed by so many organizations, but I was unable to gain any traction.”

From Tatam’s perspective, most security certifications designate general security knowledge and do not touch upon Power Systems servers. He also believes most of the IBM i security experts started in other disciplines of IBM i and extended their skills to security. He includes himself in that category.

“The cold, hard reality is that we have a long journey ahead of us and we will continue to rely heavily on outside expertise,” he says.

Based on his own experience teaching IBM i security topics, he says many people are at the basic level of controls such as exit points and system values.

“Object-level security remains the domain of the brave, and reliance is often placed with the software vendor to ensure that their application is secure,” he says.

Regarding his recent Certified Information Security Manager certification from ISACA, it is an investment in understanding risk and governance. Tatam sees it as a means to establish that he has the skills to conduct and manage security engagements. Formal auditors, in his view, are renowned for their lack of IBM i understanding. “Therefore, they are prone to missing the strengths–and arguably the weaknesses–of the platform. This leads to a major disconnect between the people that are configuring the server’s controls and those that are overseeing that configuration.”