Though I’ve known Mark Nelson for over two decades, I was really looking forward to this interview. Mark has one of those ageless faces; he could be 30 or 60, you wouldn’t know because he always looks 25. He’s a renaissance man, husband, father, choir director, writer of a RACF reference book, volunteer at his local library, award-winning international presenter of mainframe-security strategy and tactics, and is an avid pilot. You’re never bored around Mark. He can pivot from how Billy Joel writes songs to how to write REXX programs in a heartbeat. He’s a clever but kind soul, and boy, does he have some stories!
His flight to fight story is my favorite. Mark takes the maintenance and upkeep of the planes he flies very seriously—performing a full checklist review of the plane before he even starts the engine—but he’s the first to tell you that the best checklist can’t substitute for the right tools and training.
“I always fly sometime around my birthday in July. I was on a dusk flight with my 11-year-old nephew on July 4th to see the fireworks from the air. We were headed north along the Hudson River and I had just started climbing to a higher altitude. Suddenly, there was a loud bang up front and my engine was running rough, so rough I had to ease the throttle down to idle, barely running. I didn’t know it at the time, but a valve had blown, and I had to fall back on my instruments and training and try to get us home in one piece.
“Since the 1930’s, the foundational instrumentation in aviation has changed very little: altitude, airspeed, vertical speed, horizon, and direction. This universal and centralized approach makes it easier to manage in emergencies. That’s an IT lesson for security as well: centralize, automate, and get the basics down to a level of standardization that makes reacting to trouble routine. The IT industry should learn from accidents in aviation as well. Since the mid-1980’s the aviation industry has formalized the constant effort to drive equipment and process defects out of all aspects of flying.”
Mark was impressed that I knew this part of the story. It all started on a foggy morning in November 1986. A Boeing Chinook helicopter returning workers from an oilfield crashed on approach to land at Sumburgh Airport in the Shetland Islands. At 2.5 mi from the runway the helicopter had a catastrophic transmission failure which caused the tandem rotor blades to collide. That transmission had just been serviced. The helicopter crashed into the sea and sank. Forty-three passengers and two crew members were killed in the crash. It is this accident that is often cited as the catalyst for a better certification process for vital components replaced in an aircraft and a constant, stubborn search for more effective safety standards.
Mark drove home the point “the five-P’s: “Proper planning prevents poor performance” is an aviation mantra. It should be a security mantra. Have a plan, practice like you would in a fire drill.”
I asked Mark what big changes he’d seen in Z Security since he started in RACF 30 years ago on a supposed 6-week assignment. He said there is a lot more focus on security now—it’s vital for companies and organizations. Also, having a centralized mechanism for managing, auditing, and alerts—that was a big step up. That’s the IT equivalent of standard aviation instrumentation and RACF, QRadar and zSecure provide that instrumentation for Z.
Mark goes on, “Everything IT used to be contained within physical barriers, the walls of your company or factory—now anyone can get to their network from anywhere. And the biggest surprise?” He was on a roll, “The biggest surprise is the sheer volume of work that comes through the Z platform; I’ve heard there are more CICS transactions than google queries per second. So, multiply the volume times the access points and you start to see the potential problems. You need layers of security; for example, multi-factor authentication (MFA) is the industry’s answer to safeguarding individual, internal and external access.”
I asked Mark where Z Security users are missing the boat. He had a list, of course: “(1) Leaders of large organizations think their systems are secure because they are primarily in Z-based environments, and as a result, they aren’t as diligent as they should be. We see this every day. (2) The tools are an investment in the company’s future—that should be the mindset, but so is the training and discipline. Think like a pilot: proper planning prevents poor performance. (3) The Z Security nomenclature is a barrier for new, younger developers and admins. We need to work together to solve this—build a Rosetta Stone for security. (4) Security is not an alarm clock you set and leave; it requires constant vigilance.”
Mark said, “the quote, ‘eternal vigilance is the price of liberty’ has been attributed to Thomas Jefferson. Turn that around a bit and you get ‘the price of security is eternal vigilance.’ There’s no tool that defends every corner of your environment on its own. And it’s not a question of if, it’s a question of when you will have a breach. The quality of our adversaries is improving all the time. They are motivated, clever, and love solving security puzzles to get to your data or interrupt your business…they love security challenges. We need to respect them and get into their mindset and think in their shoes. If you don’t, you risk being the victim, the loser in the match. Only in security, you may not know you’ve lost for a while unless you practice daily diligence and use the right set of tools.
Obviously, Mark and his nephew made it back to safety that July night. I asked Mark if the flight to fight episode was his scariest moment flying, especially with his nephew in the plane. His answer didn’t surprise me. “It wasn’t my ‘scariest’ moment flying. I haven’t had one of those. You see, ‘scary’ happens when you’re not prepared. To get your pilot’s license you go through hours and hours of emergency preparation, so that in a real emergency, you automatically fall back on your tools and training. When the emergency happens, you might go through a few seconds of disbelief. The FAA says it takes four seconds to realize that something bad has happened. Then it’s all about the next steps, the fight. I turned the plane around, kept it level, let air traffic control know I was coming back and practically coasted on to the runway. I wanted to get my nephew on the ground safely. Standardized, centralized instruments, hours and hours of training and retraining, and regular diligence to ensure the rest of the plane was ready were what got us home safe.”
Love to hear your feedback on the blogs or help you with a zSecure Workshop. Email me at: mpthornt@us.ibm.com or leave your comments below!
#ZSecurity#Mainframe-Marilyn