How to choose your
IBM i security consultant?

Despite all the security advantages that an AS/400 can offer, current attacks are forcing their owners to implement best practices for their organization: at stake is their ability to ensure continuous production, as well as the various legal risks associated with the possible loss of data.

Bob Losey explains the point of view of Bruce Bading, IBM i security expert.

With kind permission of Bob Losay. Jan. 2023

IBM i cybersecurity is one of the top priorities of the IBM users I talk to. I’m fortunate to have worked with Bruce Bading, a true IBM i security expert. With her permission, this is a modified reprint of another publication I wish to share.

There are many options when it comes to cybersecurity consultants or managed security service providers. One way of assessing your choices is to ask what security best practices the consultant (or his company) recommends for setting up cyber defenses. Some best practices are driven by massive organizational teams or company results. However, there is another way to develop security guidelines by leveraging CIS controls and benchmarks through membership of CIS SecureSuite.

CIS Controls and CIS Benchmarks are security best practices that pave the way for improved defenses through a unique community consensus process. Working with many of the world’s security professionals, CIS develops global security guidance (CIS Controls) and technology-specific reinforcement configurations (CIS Benchmarks).

Let’s take a look at how Bruce Bading, President of BFB Consulting, uses his CIS SecureSuite membership to strengthen his customers’ cybersecurity. BFB Consulting provides cyber defense services to help organizations improve their cyber policies, compliance requirements and procedures.

Implementing fundamental safety

With over 40 years’ experience in cybersecurity and regulatory compliance, Mr. Bading has seen the growth and development of various best practices. From his time as CFO of a major industrial company to his years of experience at IBM as a senior cybersecurity consultant, he has learned to leverage the resources of CIS SecureSuite. It relies on CIS Controls, CIS RAM (risk assessment method) and CIS Benchmarks to help customers operationalize fundamental safety. Mr Bading uses CIS-CAT Pro, a configuration assessment tool, to show his customers the security gaps in their configurations: “CIS-CAT Pro is a really solid foundation on which you can address any customer and show them. Look, here’s what the Center for Internet Security tells us you need to do to lock down your systems. You can read what Tony Sager says – stop chasing the shiny stuff and get back to basics.“.

Bading has seen first-hand how some customers fall into the “glitter syndrome” and chase claims of technical greatness while ignoring basic best practice. “
We need to get back to fundamental safety
“he insists. Part of this fundamental security includes implementing best practices such as CIS benchmarks and assessing compliance and adherence. Customers should ask whether consultants are members of CIS SecureSuite. If this is the case, they can ask to see their own CIS-CAT Pro results to identify any security gaps in the configuration. The consultant’s expertise can then help fill these gaps and address any remaining cybersecurity concerns.

Safety in hybrid environments

Bading’s customers operate in hybrid environments, i.e. on both on-premise and cloud infrastructures. The important thing, says Bading, is to identify the criticality and confidentiality of each data element. It recommends that private information such as personally identifiable information (PII) or other confidential data be stored in a private cloud. For public data, a public cloud is sufficient. Secondly, it’s essential that organizations harden cloud environments, wherever they’re hosted. CIS provides security best practices for securely configuring cloud accounts and services on three of the leading providers:

• CIS AWS Foundations Benchmark
• CIS Azure Foundations Benchmark
• CIS Google Cloud Platform Foundations Benchmark

Whatever environment you operate in – on premise or cloud, public or private – secure configurations are essential. “
And that’s what we need to communicate to people
“, explains Mr. Bading. “
We need to harden these images
“.

Collaborate and connect to the community

Bading participated in the CIS community consensus process to help develop the first IBM i Benchmark CIS. He enjoys being connected to a wider cybersecurity community and said, “My next goal is to enter some of the other communities.“CIS communities enable networking with other technical experts, solving security problems and finding consensus on best practices in cybercrime. “Professionals took part in the debate“explains Bading, “through a community, they’ve come full circle. And here’s what they said collectively. It’s not just one person, or one company – it’s a large group of individuals all conveying the same message..”

Serious security for serious threats

“
Cybercriminals are serious
“warns Mr. Bading, “
and they’re not afraid to break things.
“. The determination of cybercriminals demonstrates that customers need to be just as serious about implementing best practice and compliance. Cybersecurity is a business issue, not just an IT issue. For BFB Consulting and its customers, CIS SecureSuite Membership provides the resources they need to implement security best practices. “
Firewalls and antivirus are no longer enough in the age of malicious AI, fileless and metamorphic malware
“, explains Mr. Bading. “
We need to constantly up our game when it comes to security and internal controls
.” By combining the powerful CIS Benchmarks and CIS Controls, CIS SecureSuite Membership helps organizations keep their systems securely configured. It’s an essential resource for developing genuine basic safety throughout the company.

Find out more at
www.Source-Data.com
.

Original article in English: https: //www.linkedin.com/pulse/how-choose-ibm-i-iseriesas400-cybersecurity-consultant-bob-losey/