IBM i Reality Check: Outdated Assumptions, Real Risks

This episode explores the hidden risks within IBM i environments, challenging the common assumption that long-term stability equals security. Featuring expert Tim Kramer, the discussion highlights how evolving system connectivity, increasing cybersecurity threats, and an aging workforce are reshaping the risk landscape. The conversation uncovers common security gaps, real-world incidents, and the growing talent shortage, while emphasizing the importance of proactive management, modern security practices, and strategic planning. Ultimately, the episode encourages organizations to reassess their environments and move from reactive to proactive approaches to ensure long-term resilience.

Table of Contents

1. Introduction: Questioning IBM i Stability vs Risk 
2. Why IBM i Systems Are Now Higher Risk
3. Internal vs External Threats and False Sense of Security 
4. Workforce Challenges and Talent Shortage in IBM i 
5. Security Gaps, Real-World Incidents, and Exposure Risks 
6. Best Practices for a Well-Managed IBM i Environment 
7. Proactive vs Reactive Organizations and Closing the Gap 
8. Final Takeaways 

Introduction: Questioning IBM i Stability vs Risk 

Why IBM i Systems Are Now Higher Risk

But all right, let's start here. IBM I systems have a reputation for being rock solid. So why are companies starting to question their risk? I remember when I worked for IBM, one of the old sayings when I work for IBM was the best thing about an IBM I is it can run code that is from 30 years ago. But the worst thing about an IBM I is it can run code from 30 years ago. So customers of course, over the years have relied on the system so heavily because of its stability. I mean, it's it is rock solid in regards to every aspect of the business. They used to be very closed type environments where all you had connected to them was dump terminals, right? There was nothing coming in from the outside world. You had no external interfaces whatsoever. But what's happened in the marketplace of course is these systems have been completely opened up where you have interfaces, you know, to banks and to other customers and doing business to business type interfaces. So what used to be that completely secure system, because of how the marketplace has changed, it's become a completely open system. So the the risk has completely changed over the last 20 years. 

Internal vs External Threats and False Sense of Security 

When you're looking at the actual system, is it internal threats, is it external threats? What are we looking at here in terms of where the risk is coming from? The risk are actually coming from both internally and externally. I've personally worked with customers where unfortunately the end user, you know, clicked on that wrong e-mail link where it exposed their system to ransomware. And because of what that end user did and they did not have the proper, the proper security infrastructure, it actually encrypted part of their system. But also it comes from externally where that if that customer does not have, you know, the, the proper protections in place, it can come through one of those external interfaces or, you know, if the, a firewall rule is not set up properly and there's, you know, something that was left exposed on the public side. So it is coming from both sides of the world. And it's you unfortunately have people in the world anymore that try to, you know, find them openings that weigh into that, that IDMI system, even though it's extremely secure, you know, you have to be able to still have the capability to do business on a daily basis and protect yourself, though also against these threats that are coming up every day. 100%. So when when we're looking at the actual system, right, there are a lot of people that are out there that see these threats, or maybe they're, I don't know, kind of like head in the sand and not really seeing these. What's like the notion of like the, oh, it's still running create like that false sense of security.

Yeah, that's something that you do see especially in the IBMIS MB market or their their system has been so secure and so stable for so many years. You know, they've been running on the platform, you know, since it came out 20 or 30 years ago and they've never had an issue where now that they have opened the system up them security threats of course coming from everywhere. So you get that sense, that false sense of security that nothing is going to happen to you, right. But unfortunately, you know, I, like I said a little bit earlier, you know, I've worked with these customers that have had these ransomware events that you know, the good thing is that, you know, most of them that I've worked with, we have things in place. So the recovery is not a a huge interruption to the business. But unfortunately there is customers out there that have not prepared for when, you know that disaster happens, right. So customers need to look at investing into, you know, the procedures, the processes that need to be in place so that if it does occur that they have a way to recover in a very short matter of time and it does not impact their businesses, right? It's that idea of there's if there's no issues, there's no risk, why? Why try to fix something that isn't broken, at least in their mind, which they haven't really looked deeply into it? Because you're right, if they've been running it for 1520 years, even 10 years, even five years, and there hasn't been a problem, why should they start digging for a problem? And that makes a lot of sense. But how has the risk profile of IBMI environments changed over that time? One of the things that you know IBM has been known for with the IBMI, you know everybody thinks about that old green screen and stuff where it's not that and that old AS400 anymore. IBM has enhanced the system year after year giving you additional capabilities, you know with different languages that you can utilize on the system and also like passe that you can you know use a lot of them open source type utilities and pieces of software on the IBMI platform. But of course what comes along with that is once you, you know, use those type of open source type pieces of software and you're using them interfaces to with those is you're opening up yourself to those potential risks. So the good thing is, is IBM has given you the tools to secure your system, but of course you have to be proactive on putting, you know, utilizing those tools to protect yourself. So you don't have that ransomware type event.

Workforce Challenges and Talent Shortage in IBM i 

And especially with all these businesses that are dependent on IBMI, there's a high risk of if this does go down, if you do have that, and I know Sean Mead sitting somewhere and we've probably said ransomware one too many times and he's probably hearing it just in the vibrations of the world. I know, I know he his eyes have lit up here. And if they do click on that e-mail, if they aren't following certain procedures, that could break their entire system and something they've been relying on for many, many years. So again, it's just if you are that dependent on your IBMI, why are we not looking at security? Why are we not looking at the risk, especially when we're talking about that internal dependency on maybe it's specific people or maybe it's processes. What role does that really play in this risk?

Customers have to to understand that with the the aging workforce that goes along with the IBMIRAS 400 type world, that they need to make sure that they have plans in place for that cross training or that they're able to bring staff in house and train them internally. Or start to look at, you know, external companies to take over those responsibilities, be it for managing their systems or take on applications that the customer can no longer support internally. This is an ongoing issue in the IBM I field because a lot of the workforce of course, is at that age where they've been working on the system for that 20 to 30 years and it's an aging workforce. There is no doubt about that. The good thing is IBM is kind of supplementing that. They do offer some training, but also some customers are also looking at AI to possibly backfill some of the workload that was on these developers that are getting to that point where they're at that retirement age.

And the keyword right there was some. So they're still going to need that outside source in the managed services space or the backfill with someone that looks as young as me, hopefully, you know, just trying to help out my generation out there. So when you're looking at that like what, what would be the correct route in your opinion at least? I'm not so sure there is one correct route. There's many routes that that you can take. I know internally at ERP Suites we have started to train internally. You know, we have brought people off of a, you know, for one example, one lady we take, she was with the help desk and we put her through a training type process and we have brought her up over the last couple years where she is now a junior admin. So that is one of the possibilities. And of course some customers are not able to take, you know, backfill that position that quickly. So they've turned to us so that we can fill those managed services responsibilities that they can't do in house anymore. And also from the application management side, we've also had customers that have come to ERP suites to backfill their need for that application support.

So the risk isn't the system, it's how dependent businesses on unsupported or outdated processes or aging people that are truly around the system. Am I right in that you are correct on that? That is a correct statement.

Security Gaps, Real-World Incidents, and Exposure Risks 

All right, so let's switch a little bit. Let's look at the industry data like the Fortra IBMI Marketplace survey. It was one of my favorite articles that you sent over to me. So where are companies most exposed today? They are definitely most exposed probably in their security concerns. There is so many different vectors that the hackers of the world are, you know, the unscrupulous people that are attempting to take advantage of to impact these customers or steal from these customers. Many customers are also delaying modernization of applications because of that, because they are pulling resources to secure the existing applications instead of modernizing those applications. A lot of customers have very small teams, internal teams, so they're not able to put those resources towards the modernization of those applications also. Yeah. There's also that gap between the perception of what the risk is versus what the reality of what the risk is. And there seems to be a growing gap there. And it seems to be that a lot of the customers aren't truly understanding where the risk is coming from because like our earlier conversation, it's been running fine for 10 to 15 years. But I like what you said about the security concerns, because nowadays there are more bots out there than ever before. There are more tools for someone to hack or someone to break into your system. And with the growing risk of what AI truly is, yes, there are a lot of rewards that come from AI. I'm not saying that on one way or the other there. But there is that growing risk with AI and with all these spots in the space, that can truly bring up even more security concerns than are right here and right now.

So what is the data truly telling us about the IBMI talent shortage? Within the next 5 to 10 years, there is going to be a tremendous number of people that are in that arena that will be leaving and retiring. So there's going to be fewer professionals available and entering that space because most colleges do not offer courses in RPG or CL or Cobalt. So it gets increasingly difficult for companies to backfill those positions that are going to be open or if they're able to find an individual that does have those skills that they're looking for. That salary is exceptionally high compared to what it was five years prior. Of course, as mentioned before, some customers are, you know, training that next individual in house. Other customers are looking for external support for those for those needs. It's it's an ongoing problem and I don't think or don't foresee it changing much in the near future. Yeah. So it's about making the change now, getting in front of it starting if you want to go the in house route, it has to start today. You have to start training them in house today because you're right with an Asian workforce in the next 5 to 10 years. And there are people that are out there that have done this training and it's taken them about three years. I, I know we mentioned something off camera about we did that with someone in house. Could you tell me about that a little bit? That is correct. We actually took an individual off of our help desk that showed great potential and put her through multiple courses. So she has progressed over time and has become a junior administrator. That is, you know, one of the examples on how to backfill that position when when you go out and attempt to find someone in the marketplace to, you know, fill out an administrator position where it's extremely difficult because then those individuals are not readily available anymore. And if you do find one, of course, you're paying much more for that talent than what you were a few years ago. And it has fun for us now. Yeah. How long did that take to train her? It was several years to you get them up to the point where she can fill all the responsibilities of that position. It is not something that happens overnight and that's you know, as as stated earlier, that's why you need to start that sooner rather than later that process start it now start it now.

Best Practices for a Well-Managed IBM i Environment 

Proactive vs Reactive Organizations and Closing the Gap 

So it's interesting that you bring that up and maybe let's go a little bit deeper of what were some of the most common security gaps that you encountered on this. But maybe in some of the other customers that you've worked with, one of the most common things is they do not have user access controls or Acls in place. They don't have proper auditing. They're missing a logging for those type of events and they also don't have intrusion detection. They was not keeping things up to date, in other words, patching or in the IBM world it's called PTFS. And also there was security was not set up properly. So people have permission of things that they should not have. It's unfortunately it was a, a plethora of errors, I guess you'd say that permitted those type of things to happen, which never should have happened. If things were looked at on a regular basis, proper procedures put in place, you know, proper security was in place and it would have never happened.

So there's a lack of oversight there. And where, where do companies is that where most companies fall short in terms of their visibility and oversight or maybe other, some other stuff that people should be looking at today? A lot of them do not have a centralized monitoring where they're monitoring, you know, from a holistic type view or they're monitoring, you know, at the at the DMZ and at the firewall. And then internally and also at the endpoints. They're not looking at all those different vectors that you know the person that's attempting to hit you with ransomware then different factors that they're attempting to take advantage of. Some customers don't have a performance baselines where you know today that you normally running, you know a certain number of IOPS and all of a sudden your IOPS are doubling or tripling or quadrupling just because it's encrypting that data. So they do not know what they're even what a bad number would be when it comes to that metric. There's customers that are more 8:00 to 5:00-ish or they don't have the off hours type monitoring where you know someone's being alert or woke up. If you know some, even if you, you know, had that product in place that was, you know, catching that activity that was going on, they don't have that alerting after hours or, you know, waking that person up saying you might want to take a look at this might be a new product that we should launch, which is the Zapper. It's if your IBMI goes down, it zaps you awake and you have to jump on. I don't think many people would buy it, but it might make a little bit of a splash in the marketplace. That's a cute name. I don't have to agree there. We'll figure it out. You know, we'll, we'll go into business together one day.

So how confident should companies really be in their backup and even their recovery processes in regards to backups? A customer should be testing those backups on a regular basis so that they know that if there was that true event that did occur that they're able to restore from those backups. Same way they should have Dr. OR/HA in place and they should be tested on a regular basis being orderly or semi annually or annually depending on what their comfort level is on that. Some of our customers internally actually will switch data centers are run at an alternate data Center for either a day or for a week or for a longer period of time. That is also something customers should be doing so that in case of that event we that they are able to recover and keep the business flowing as it should.

So the biggest gaps truly aren't visible day-to-day. It's only when something goes wrong. Am I right with that? Yeah, you, you are exactly right. Because unfortunately, as we mentioned before, the IBM I platform is so stable and it causes that sense of security that that people become accustomed to. And then when that day comes, when you have that event that you need to rely on those backups for that Dr. or that HA, they need to prepare for that. And as we mentioned before, they should be tested on a regular basis. So when that day does come that you are ready, all right, let's get into the real reason people are here. What does a well managed IBMI environment look like today?

Final Takeaways 

24 by 7 monitoring should be in place across the whole infrastructure, not just the IBMI, but everything that interfaces with it. You know, so that that that external server or that external entity that is interfacing with it, that monitoring should be in place to cover all those different aspects. All processes and procedures should be documented clearly so that in case that one person does retire or that one person is not available so that anyone else could pick up in that places, that person's absence. Security reviews should be done on a regular basis. As mentioned before. Backups and recoveries should be tested on a regular basis. HANDR should be tested on a regular basis. A clear delimiter in regards to specific processes should be in place so you know that a specific individual is in charge or responsible for a a, a responsible for a particular system or application. And then also have that hierarchy where you know if that individual is not available, then we contact the next person in that list.

So what separates reactive environments from proactive ones? Proactive environments are ready and actually preventing those issues before they occur. They're performing continuous monitoring of their systems. They perform regular optimization of those systems so that they are ready when that event occurs. Unfortunately, you have a subset of customers that are not ready and they are just reacting when that that event or the disaster occurs. And unfortunately a lot of them have no visibility into specific vectors that people are trying to take advantage of.

So if we're talking about these proactive companies that are out there versus the reactive, how do the reactive companies start closing the gap between them and the proactive ones without overhauling everything at once? What they need to start with is just a basic, a baseline assessment. They need to look at the different pieces within their infrastructure and find out, OK, where are the holes today? Where's our weak points? What can we easily implement to prevent that in the future or be able to recover in a timely basis? Something simple, of course, is to look at, if you don't have a place today monitoring across the infrastructure on all those different vectors, you possibly, if you don't have the expertise in house that you look at either hiring that expertise or possibly use a consulting company or managed services company to fill that role and to perform that assessment for you and make those recommendations to you. They'll put together probably like a, a road map for you to follow. And then you can choose on which one of those pieces that you feel is right for your business.

So a low risk environment isn't 1 without problems, It's one that's prepared for them. I write that you are exactly right, so if this conversation raised questions about your environment, you're not alone. Most IBMI systems aren't failing, they're just not being actively managed for today's risk. At ERP Suites, we help organizations assess their current state, identify gaps, and build a proactive strategy around security support and modernization. Is the ERP suites.com to schedule an IBMI risk assessment and get a clear picture of where you stand. But that's a wrap on today's episode of not your Grandpa's JD Edwards. Huge shout out for you, Tim. I know you've been swamped with work this week and last weekend, probably forever, but we appreciate you jumping on. But if you found this valuable, share it with your team, send it to your IT leadership like and subscribe so you don't miss what's next? Because in our next episode, especially with Tim Cramer, we'll be breaking down the real cost of IBMI and why in house might not be as cost effective as it seems. Until next time, stay proactive, stay informed, and don't mistake stability for security. See you next time.