Hosts Daniel Newman and Joe Doria welcome special guest Mark Wilson, Founder and Technical Director at Vertali. Together they cover the wide-ranging implications of transforming your security posture and why it matters to your digital strategy and business reputation.
It was a great conversation and one you don’t want to miss. Like what you’ve heard? Check out Episode One of The Main Scoop, Episode Two of the Main Scoop, Episode Three of the Main Scoop, Episode Four of the Main Scoop, Episode Five of the Main Scoop, Episode Six of the Main Scoop, and Episode Seven of the Main Scoop, and be sure to subscribe to never miss an episode of The Main Scoop series.
Or stream the episode on your favorite platform:
Don’t Miss An Episode – Subscribe Below:
Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.
Transcript:
Joe Doria: Hey, everyone. Welcome to The Main Scoop. I’m Joe Doria.
Daniel Newman: Daniel Newman.
Joe Doria: And we have a great scoop for you today. We have a great guest coming out. I think today, when you get to meet and learn about our guest… Today’s all about cybersecurity.
Daniel Newman: Absolutely. We’re here at the SHARE Conference. We’re in beautiful Atlanta, and we’ve had some really prolific guests, as you’ve seen. By the way, anyone that’s been on the show in the audience? Hands? All right, I see a couple. Applause for the former Scoopers. By the way, everybody out there that’s listening to this, because this is a podcast as well, you’re like, “Who are you talking to?” This show was being recorded in front of a live audience.
Joe Doria: Yes.
Daniel Newman: Joe, this is different though. By the way, this guy’s different, he doesn’t look like Greg Lotko, does he? Now, is that good or bad? Anybody want to take that chance? All right, Joe. Joe’s not going to respond to me.
Joe Doria: No, we do miss Greg. Greg wishes he could be here. Of the 10 Scoop productions we’ve done, I’ve done several already with this guy, but Greg has done more of them and he wishes he could be here at SHARE, but is unable to be here this week.
Daniel Newman: I believe he sent us a wish. He sent me a text right before we started. He said, “Dan, break a leg.” All right, so security. Let’s talk about security.
Joe Doria: Talk about security.
Daniel Newman: The other day you told me this story, and I said to you, “Joe, we need to tell this story in front of the audience at SHARE because it really sets up the stage really nicely for what we’re going to talk about when our guest comes out here in just a moment.”
Joe Doria: Yeah, I call this a warmup, but it’s a warmup, and it’s basically what’s going on with cyber attacks. This particular case that I’m going to refer to as a phishing episode – colleague of mine, friend of mine, fell victim, fell prey to on the mobile phone, click the link. Everyone in this room knows what’s going on with that type of situation. Hopefully, you recognize it and you don’t click that link. In this case, she did, and pretty much as soon as she was done with it, knew, “I’m in trouble here.” Called her bank. Had her credit card canceled. Safe, right? Safe. I handled it almost within 10 minutes, but the sophistication of the scammers are getting just bigger and bigger.
What they did was they knew she was going for a replacement card two days later and called her back, and said basically, “Hey, we want to secure your card today. We know that you had this situation play out.” Of course, the second trap was set, and she fell prey again. The net of that was they did cash advances out of her credit card into her checking account, and withdrew like $8000 from her checking account. I heard that story and I was like, “Wow! This level of sophistication is really going to the next level.” That’s the consumer side of it.
Daniel Newman: I think these stories are all microcosms of the reality of today. Every one of us has probably gotten a data breach alert. Now sometimes you get these alerts and you’re like, “Do I do anything with this? Should I act? Why is my password my children’s name and then 1, 2, 3, 4,” something like that. Maybe it’s time to grow up, and use a real password. Then you heard just this last week, I think it was LastPass or PassPack ended up getting hacked. Do you have some of these sophisticated tools that are supposed to be the ones that prevent us by having randomly generated passwords? These are just personal and consumer things.
Of course, everybody in this room though has got to be thinking bigger than that, and we’ve seen security move from a consumer conversation to a board level conversation. I think three, four years ago as an analyst, I looked at the market and I said it always felt like companies were spending on security, the exact amount that was at this line between risk, and cost savings, and reward. What I mean is what’s the least we could possibly spend to make sure our environment is secure, where if we do get breached, we have all this leftover capital. Now it’s at the point where I think the damage that gets done when we allow our company to be breached. By the way, these breaches can sit inside companies for months or years before they even get discovered. The risk is massive and companies need to get out in front of this. I think, Joe, you and I know a little bit about this stuff, but I think this would be the perfect time to introduce our guest.
Joe Doria: Yes. Our guest is Mark Wilson. So Mark, come out and join us.
Mark Wilson: Gentlemen.
Daniel Newman: Good to have you.
Joe Doria: So Mark, 40 years, actually 43 years as a mainframer, which is amazing. I’ve been in the mainframe business and a mainframer myself for 15 years, which gives me rookie status in this room. But 43 years, and you’re the only mainframer I know who started his career at age 16. If I could just take a second and do a shout-out, we have somebody else in the audience who is out there, Enzo. I don’t know if you could just wave your hand. Hey, there you are. This young guy is a senior in high school and just a shout-out that he has a z14 in his home, and started in eighth grade, so he outdid you.
Mark Wilson: Totally normal.
Joe Doria: Yeah. 14 versus 16, but 43 years all in the mainframe space. You’re an ethical hacker, and you’re the founder and director of a firm, Vertali, so welcome.
Mark Wilson: Thank you.
Daniel Newman: Why don’t you give us just a little bit more on the background, the work, kind of what led you to here, why you’ve stayed in the mainframe space? I think everybody would be interested in kind of, what’s the hook?
Mark Wilson: So the hook for me was the technology as a 16-year-old, and it was as soon as I sat in front of that green screen, and it was…this is a piece of code. I was interested from day one, and had some really good teachers and mentors. But then as you gain experience and you start seeing what this technology does for the world today and what we can do with it, it was just a no-brainer. I was in, all the way. I think if you split me down the middle, it would say mainframer, or security, or hacker, but mainframer.
Daniel Newman: Seems to be deep in your heart.
Mark Wilson: Very deep in my heart. Some folks out there will know that I did a little Valentine’s Day post on LinkedIn and my love affair with a mainframer over 40, almost 43 years. So yeah, very deep, very passionate about it. Always have been. I think today, we have a responsibility to bring through the next wave of mainframe technicians, mainframe developers, but we’re also custodians of that platform and making sure it’s secure. People think it’s a mainframe, it’s secure. No, it’s securable. We have work to do. Some people do, some people don’t, but I’m very passionate about it.
Joe Doria: On that comment, I have a question for you. Start at a broader level here. I know you’ve been in the market for 43 years, but let’s take the last 10, and can you give me a guesstimate of the percentage of enterprises that you know are doing it right. They’re on their front foot, and governance, and security, and tools and all those things are being applied to avoid the risk that Daniel was talking about. What percentage are on the front foot, and then what percentage over those 10 years would you say is on their back foot? Maybe has more to do, and they’re not getting themselves in a position to prevent or get past the bad scenarios?
Mark Wilson: Yeah, good question. I’d say today, I’d probably say about 25% of the clients we talk to are on that front foot. So my mission and what we do day to day is to move that 75% into that 25, and make it 100% on that front foot. But about 25% of them do it, as we would say, correctly, rightly.
Joe Doria: And even there, if you’re doing it right, there’s the sophistication that we were on earlier. You’re going to potentially have to still deal with these kind of problems. But I think that’s interesting to me that 25% are out in front, meaning they’re really doing it right. And that’s aspirational I think for the other 75%.
Mark Wilson: Yeah, absolutely. You look at how sophisticated and how motivated the bad actors are. It’s a business, it’s a multi-billion dollar business. This is not the kiddie in the bedroom, with his pizza and his full fat coke, and his baseball cap on the wrong way around sat there trying to hack a mainframe. These are business people that have org structures and help desks, and you suffer a ransomware attack. I get a better response when I phone somebody like that than I do off my mobile telephone company. They answer the phone quicker, because they want your money. Yeah, that’s quite scary.
Daniel Newman: They seem to have the ability to genuinely, like your friend went through, make intelligent people, capable and competent people, believe in this scale. And by the way, this is happening now at enterprises. And so I’m really interested, Mark, you mentioned the 25%. What is the ethos, the DNA of those companies that you’re finding? What are the questions that they’re asking you about their transformation to enable that they’re on the right path? Because it’s not just about threat detection, it’s not just about securing your perimeter anymore. You have to be asking better questions. Because these things are happening from the inside, these folks are very creative, they’re breaking in. It’s not just I have good antivirus on all of our edge devices anymore.
Mark Wilson: And for me, most of it, it’s about the attitude from the board, and it’s how they see the platform in their digital journey, whether we call it the digital background or the transformation. But they see the importance of it, and therefore they can align risk to it. So we talk about risk, we don’t talk about APF libraries, and link lists and SVCs. We talk about risk. And what we’ve learned over the years is we have to talk the C-suite language, and explain everything to risk. And when they understand the risk to their business, then you can have a conversation about how you invest in it, what you do, what’s the right thing to do. And investing in people, investing in tools. But everybody’s subtly different, so you need a slightly different process for everybody. But taking all that technology and deploying it properly.
Daniel Newman: So a hypothesis, you can’t complete your digital transformation without a security transformation. So the boardroom all understand digital transformation. But I would argue that a lot of them in the boardroom do not truly understand security transformation. How do you get it through to the board to understand you can’t complete a digital transformation without completing a security transformation?
Mark Wilson: I mean, for me, coming from the technical side of it, it’s using the right language and talking to them as risk and what this can do to the business. But educating the senior managers who have to upsell to their directors, to their C-levels to get them to talk the right language. And we are seeing, and in that 25% we see, the CSO sat at the board meeting. We see the guy who owns security operations sat around the table when they make business decisions about investment, about people.
Joe Doria: I think too, the technology is there. Because you have to get the ethos right, and the right conversation with the board. But the technology is there if you get on your front foot to the earlier conversation, and use the technology to help protect your business.
Mark Wilson: But the most frustrating thing for me is sitting with a client, and they’ve got all this technology and they say, “Can you come and do a mainframe penetration test?” And we do the test, and they’re generally successful. And we say, “All this technology you’ve got, if you’d have deployed it, you would’ve thwarted us, you would’ve noticed what we were doing.” And it’s there and it’s paid for, they just need somebody to encourage them to go and deploy it and use it because we’ve got great technology from what Broadcom do, with what IBM do and all the other vendors. There’s massive tools out there, just go use them.
Joe Doria: That’s right.
Daniel Newman: So I’m glad you said the M word. You know what the M word is?
Joe Doria: Mainframe?
Daniel Newman: God, you’re so good. I don’t think we ever need Greg back.
Joe Doria: Come on Greg. He knows Greg’s going to watch this, so he’s just…
Daniel Newman: We’re just having fun.
Mark Wilson: Yeah, we’re just having fun.
Daniel Newman: But you said the M word. And when it comes to mainframe and innovation, I’ve been one of the analysts. I’m not from the, I don’t proclaim to be from the mainframe world. I come from a more broad, IT viewpoint. And I look at public cloud, and I look at the hybrid. And of course I’m an advocate for the mainframe, and the role that it plays. But I’ve published in many cases that there’s a gross overstatement of how mature we really are in the mainframe cycle. And in fact the mainframe, in my opinion, is going to continue to grow and continue to be critical to businesses being able to successfully innovate. So there’s this intersection of security, of transformation, of innovation that all happen and start on the mainframe. As you bring those two, three things together, how do you talk about the mainframe specifically as a mainframer? Love mainframes more than west Brahm, which I’ll be in. Is that true?
Mark Wilson: Not quite.
Daniel Newman: Okay. Close. But as someone that genuinely has been from the space for a long time and you talk about it with people who probably are cloud believers, purists, we don’t need… How are you keeping them seeing the opportunities for innovation on the mainframe?
Mark Wilson: Try to take the blinkers off them, and understand that it’s just another server, it’s just another computer that has a set of special capabilities. And use the capabilities, whether it be for transactional throughput, whether it be for security. But take the blinkers off. It’s not a mainframe, it’s a big server that has a unique set of capabilities, and integrate it. I hate going and talking to people and they say, “We’ve done an identity and access management rollout.” And I go, “And what about the mainframe?” No. Why not? We don’t understand it, it’s too complicated. It’s not, it’s another computer. And it’s trying to educate people that we can do these things, we can integrate the mainframe, we can secure it. It’s just they’ve got to want to.
Joe Doria: So another moment last week for me opening up my newsfeed, I saw from your area of the world a customer, big enterprise insurance company that took a bad breach there. And what struck me was the breach happened in 2019, and first week of March of 2023 they’re talking about what the GDPR finds were. And as the marketing role that I’m in, I think about customer experience and trust and how do you keep that? And they found out about this three and a half years ago, and reported it actually, which is the right thing to do. And now they’ve sort of been suffering through three and a half years and finally are now at the point where it’s coming back out with the fines being promoted out there. So I think inside of that story though, and we haven’t touched on it yet, is obviously, and I think we would be remiss not to talk about it, is the regulatory mandates that you have to keep pace with, and then complying with them. So what’s the compliance strategy that you talk to customers about when you’re talking about this situation?
Mark Wilson: I mean, most of it comes down to understanding. So in Europe at the moment, we’ve got what they call the DORA Act, Digital Operations and Resiliency Act. That’s not here in North America yet, but if we’ve got it in Europe, something’s going to happen here. And it’s understanding what that means to you as an organization so you can start thinking about how you comply. Do I need, is it hardware, is it technology, is it people, is it process? But staying on top of the constant change in world. A few years ago we hadn’t heard about PCI. Yeah, what was GDPR? That was just an idea. But they’re kind of, Sarbanes Oxley, they’re all now SOX and GDPR and PCI. They’re just normal things we deal with. DORA will be the same, but it’s just staying ahead of it and staying on top of it. But you need to understand it, need to understand that it impacts the business, and then how can the technology help me be compliant? And it won’t be a single solution, it’ll be I need a little bit of that and a little bit of that and put it together and then that’s how you stay on top of it.
Daniel Newman: You mentioned this insurance breach, three plus years, data’s being potentially taken out of the company. A lot of times, even once they identify a breach, that doesn’t mean they’re immediately able to stop the breach or able to remove it. We’ve seen cases where these particular data leaks can go on for months and years, and as you mentioned, they found out, reported it, and it’s been multiple years and they’re still dealing with the potential fallout with their customers. And that might be an interesting question, Mark, you mentioned the special capabilities of the mainframe, and that’s been one of the big reasons why as an analyst I’ve stayed on as a believer is not only compliance and governance, but truly genuinely the security and the ability to lock down the mainframe for highly regulated industries just makes a lot of sense, things that the public cloud have not been able to truly accomplish. But you probably have clients that have been hacked and they have been breached. How do you help them come back from that? Because that to me is the biggest question, you didn’t do enough upfront, or even if you think you did, once you’re breached, you’re breached. How did they come back? What do you recommend to them?
Mark Wilson: Well, this comes back to what Joe said about this three, three and a half year gap. So they had the breach, they reported it, and then the regulator spent three and a half years talking to them to understand how well they are trying to protect themselves. Because the scale of the fight is predicated on how much work you did. We won’t stop them, we won’t stop them. We need more of the 75% joining the 25%, but we won’t stop them. And it’s a conversation because there’s so many different things you can do.
We had one in Europe a good few years ago now, where the guy was an insider, he went rogue. And I sit down, had a conversation with the security people and said to them, “When you onboarded this individual, did you do all the background checks on him?” They said, “Yes.” I said, “How long has he been at this establishment?” “25 years.” Now, a lot can change in 25 years. Now, this guy had been divorced twice and developed a gambling habit. Now, that was part of the reason he went rogue because he needed to do that. It’s simple things. Well, why don’t we reassess our staff every two, three years? It’s little tweaks in the processes. We talk about the bad actors taking the data today and just storing it because we can’t break, if it’s encrypted, we can’t break the security on it, but we might be able to in two years time or three years time. And so they harvest the data, then sit on it, then use it. So it’s trying to explain to the clients how this happens, why it happens, and what defenses they can put in place to protect themselves. But it’s no one simple answer.
Joe Doria: That story, for me, just talks to the zero trust architecture. 25 year employee, but zero trust. That’s not just for the ones outside of your company, the ones inside as well.
Daniel Newman: You definitely have that trend line, and I know people that are sort of against the zero trust framework, but I think largely it’s proven that you’re a little bit better off being too safe than the risk of being undone and being sorry. Now, I want to pivot, because as we talk, as we wrap up, I want to talk about what these companies can do, of course depending on where you are in the ecosystem, how you either work with your clients, how you develop your next generation of software. But investment, one topic though, that while it’s not specifically just about mainframe, but has been part of the mainframe, has been AI. And over the last few weeks with ChatGPT, OpenAI, Salesforce came out with theirs today, Salesforce GPT, but the rapid onset of generative, of large language models, obviously the mainframe space is going to have to capitalize on the power of AI. How much can AI enable the future mainframer? And of course, how much can AI enable a more secure environment in mainframe?
Mark Wilson: I think it can impact it massively, because one of the reasons people fear the mainframe is the amount of data that we hold, but also the amount of data we can generate. So you think about what we could do by way of logging data and sending it to one of those CM tools, Splunk, QRadar, doesn’t matter what it is, and we say we can’t actually ingest that data and process it, keep the data on the mainframes and start running those AI and ML models against it to try and do that predictive analysis, what’s happened, behavioral analysis. What’s the normal pattern for Joe when he logs on Monday through Friday? All of a sudden we’re seeing a log on a Saturday morning and he’s doing something slightly different. So we can get very much on the front foot here and use the power of the technology to protect ourselves. And I think that’s going to be a massive space for mainframe security, how we harness that technology and leverage all the data we’ve got because we have the data. There tends to be a lot of it, and that’s a big problem, but we can solve it.
Joe Doria: Definitely. I agree with that completely because for the ecosystem and for all the players in this space, everyone’s looking at AI technologies and machine learning and applying it to not only cybersecurity opportunities, but performance management, DevOps, all the different areas that touch and are critical to the mainframe vitality in the enterprise. So I agree with you on that.
Daniel Newman: So I have one more question Mark, and then I’ll let you go eat. It looks like everybody’s enjoying their lunch, but at least the clanging has stopped. So everybody’s done eating and now they’re being forced to listen to you. So getting the investment level right for security. I kind of started with this topic, and I want to end here. I think over the last few years, boards have increasingly looked at spend. And I know when I sat down with Arvind Krishna, he said to me, “The most protected line item in any company’s budget right now, even in this difficult market, is going to be the IT line item.” And I would say furthermore, it’s specific line items within IT that’s going to obviously include core business applications and security.
How does a company know that they’re investing the right amount in security? It’s harder with security than other things. It’s harder to know if you have enough licenses of an application or if you have enough storage for your data. Security is something you can always fortify. It’s the three wolves, it’s the straw house, it’s whatever. It’s the brick house, it’s the stone house, it’s the steel. How do you build that fortified house but not spend too much? How do you help companies do that?
Mark Wilson: And for me it’s testing and testing and testing. And you might do that with tools, you might do that with an internal red pen testing team. It might be an external team, but you have to keep testing the controls and you have to constantly test all the controls. You can’t say, I’ve done a pen test on a Monday, and I’ll come back and look at it in six months’ time because the bad actors will know what’s going on. They’re probably most likely already in the organization, in the network. So you have to constantly, constantly test. And that’s when we start talking about automation. How can we automate this? We’ve got tools, we’ve got mainframe automation tools, we’ve got things like Ansible and all that stuff, but constantly, constantly testing. You have to test the controls and constantly review them.
And if you get a negative result, how do we fix it? Do we need to change a process? Don’t test it, fail, and then test it and fail again? Go and fix the root cause. Is it a process? Is it a piece of technology that we need to upgrade, change? But you have to constantly test it.
Daniel Newman: Let me ask you a trick question. I’m giving you time to think. So-
Joe Doria: As long as you have a question first.
Daniel Newman: Yeah, it’s a trick question. It’s not really a trick. Maybe it’s a trick. See how good your answer is. When you know what you’re testing for, it’s pretty easy to do the testing. It’s not easy, but it’s easier. But with this level of sophistication, and it’s a tortoise and a hair, right? Of black hat sophistication, white hat catches up, we patch it, we fix it, we protect it, and then they figure out a new way in. It’s cat and mouse.
Mark Wilson: Yep.
Daniel Newman: How do you know that you’re testing for all the right things?.
Mark Wilson: You don’t.
Daniel Newman: Good answer.
Mark Wilson: You don’t know.
Daniel Newman: No, I’m actually really glad you said that.
Mark Wilson: But what you’ve got to do is take the behavioral data and understand what’s going on the system 24/7, 365, and use that to look at the emerging threats, talk to the risk and compliance team, talk to the wider security teams in the organization and collaborate. So we are seeing a new emerging threat, do we need to build some tests? Is it applicable to the mainframe? It might not be, but if it is, what do we do? And this is why we need your security 24 by 7 security. Operations centers need to understand what’s going on on the mainframe. Mainframe be excluded. We don’t understand it. Non-mainframers, call it the evil mainframe and it’s only evil because they don’t understand it. And yeah, they put it in a corner and say, no, don’t understand it, don’t use it. Can’t protect it. Yes, you can.
Joe Doria: I think that’s a good way to get to the close of our session here. And all you just said to me is all that front foot kind of actions that people can think about and bring into their business.
Daniel Newman: I think the sound bite is, the mainframe is not evil. You can protect it. Mark Wilson, The Main Scoop.
Joe Doria: The Main Scoop.
Daniel Newman: Mark, thank you so much for joining us.
Joe Doria: Thank you.
Daniel Newman: We really appreciate you joining. Joe, good job subbing in for Greg. Greg, we miss you buddy. And to all of you out here in this live audience, this first time doing The Main Scoop live, thank you so much for joining us. Thank you so much for eating with us and have a great rest of your share.
Author Information
Daniel is the CEO of The Futurum Group. Living his life at the intersection of people and technology, Daniel works with the world’s largest technology brands exploring Digital Transformation and how it is influencing the enterprise.
From the leading edge of AI to global technology policy, Daniel makes the connections between business, people and tech that are required for companies to benefit most from their technology investments. Daniel is a top 5 globally ranked industry analyst and his ideas are regularly cited or shared in television appearances by CNBC, Bloomberg, Wall Street Journal and hundreds of other sites around the world.
A 7x Best-Selling Author including his most recent book “Human/Machine.” Daniel is also a Forbes and MarketWatch (Dow Jones) contributor.
An MBA and Former Graduate Adjunct Faculty, Daniel is an Austin Texas transplant after 40 years in Chicago. His speaking takes him around the world each year as he shares his vision of the role technology will play in our future.
