Volume 16, Number 37 -- November 26, 2007

Redefining Security the New Goal of Former i5/OS Security Architect

Updated: January 9, 2008

by Alex Woodie

There's a serious problem with the state of security in the IT industry, according to Pat Botz, former i5/OS security architect with IBM. The problem isn't a lack of tools and technologies for implementing security. Instead, the root of the problem stems from a lack of leadership from business people, who have given too much responsibility to the technical experts. Botz recently left IBM to work on this problem with his new consulting company Group8 Security, which formally launches next week.

To hear Botz talk about the state of computer security is a little bewildering. One goes into a conversation expecting the security expert to talk about the latest encryption standards, strong authentication, how to survive an audit, and the need for good intrusion detection--the daily cud of the security racket. But in fact those are the last things he wants to talk about. What Botz really wants to talk about is what he sees as the disconnect between the decision makers in the corner offices and technical pros in the server room, and how a good portion of the problems in IT security can be traced back to the absence of strong leadership emanating from the tops of organizations.

It's a little like getting an interview with Joe Montana, the legendary 49'ers quarterback, and instead of hearing how he came to perfect the two-minute drill that led to so many Super Bowl rings, all he wants to talk about is the importance of having a good organizational structure, flowing smoothly from the general manager to the linemen. Of course, the selection of personnel is a key ingredient in putting together a successful football team. It isn't as exciting as watching a master execute the two-minute drill, but without a solid foundation composed of individuals in positions they are qualified and trained to hold, the team's chances of success are greatly diminished.

And that's how Botz sees the state of IT security. Instead of having the general manager making strategic decisions that will lead to the success or failure of the team, these decisions are being handled at game time by the players on the field. Because these players--the IT professionals hired to run the servers and maintain the networks--aren't qualified to make these decisions, they often end up making the wrong decisions, thereby decreasing the security of their company's data, increasing the cost of implementing security, or both.

What's even worse is that the business managers have willingly ceded this responsibility to their tech-savvy grunts under the misconstrued assumption that security is a technical issue that they have no business getting mixed up with, Botz says. "Security isn't primarily a technical issue. It's a business issue," he says. "Part of the reason, I strongly believe, for the dismal state of information security across the whole industry--not just the System i, but the whole industry--is because the average chief security officer (CSO), the average chief financial officer (CFO) has assumed that information security in the electronic age is purely a technical issue."

To use another analogy, companies are putting the cart before the horse. Instead of defining security policies in plain English, and then figuring out which technical procedures and processes will allow them to accomplish the goals of that security policy in the most efficient matter, companies are forgoing the security policy entirely and jumping straight into the technical part of setting policies and procedures. (To take the analogy one step further, many companies have abandoned security policies entirely--they've gotten rid of the horse--and are just pushing the cart around by hand.)

Botz explains the problem using System i terminology. "Security isn't about setting QSecurity to Level 40. Security is about explicitly stating whether or not people in finance are allowed to access private employee data in the HR database. And it's not a technical issue--it's purely a business issue," he says. "If the business people aren't involved in defining what 'secure' means to that organization, I guarantee you there's no way to measure that organization as to whether or not it has properly secured its business assets, because nobody's defined it. And yet the vast majority of companies are jumping into information security at the enforcement stage, at the 'set that value this way stage,'" instead of starting with the security policy.

In case you haven't guessed by now, Botz's goal at Group 8 Security will be to bridge the gap between business people and technical people when it comes to managing security. The company aims to do this by working with CSO and IT directors to define their security policies. Once the policy is in place, Group8 consultants will work with the folks in the customer's IT department to come up with a set of procedures and processes that implement that security policy in the most effective manner possible. The company will also work to implement those procedures and set up a way to monitor their effectiveness over time, but these will often be separate contracts, Botz says.

Botz is adamant about respecting the balance between the level of security an organization attains and the cost it takes to get there. "We have this saying that security is a function of risk and cost," he says. "You cannot consider security merely by looking only at risk. You must look at cost. It's the only way you can manage security. And we want to help companies make valid, rational business decisions about security that put them in the best possible position for that particular company."

Group8 Security will target mainly small and mid-size businesses that lack the resources and expertise to implement information security in the proper manner, including setting a policy, deducing procedures, executing the plan, and monitoring it from long-term effectiveness. Bigger companies typically have a more solid grasp on these IT security fundamentals, Botz says. However, Group8 will take larger corporations as clients for point projects, such as implementing single sign-on.

Group8 Security, which is a double-play on the Group 7 security level in the hit movie "Tron" and the group of eight industrialized nations that make up the G8, will function as a distributed company. Its headquarters will be in Reno, Nevada, but its consultants will be located around the country. Botz remains in Rochester, Minnesota, where he worked in the System i division for a number of years. The company is currently ramping up. It has five employees, is looking to hire people skilled in the business side of IT security, and already has some customers lined up.

Botz says six months into his recent stint at IBM Lab Services--his last assignment at Big Blue--helped him to realize the existence of a huge disconnect between business objectives and security policies. "I would get phone calls mostly from technical people and they would essentially say, 'I have a requirement for single sign on.' And that always struck me as odd, because single sign on is the solution to a requirement, but it's not a requirement," he says. "It's one way to address the requirement, but the real requirement to that is 'I need to significantly reduce the cost of managing identification and authentication.'"

But in most cases, the real requirement can't be reverse-engineered from the series of processes and procedures that IT people are creating as pseudo-security policies in the absence of true security polices defined by the dollars and cents guys. "You read SOX, and nowhere does it say anything about QSecurity or whether or not QESECOFR should be allowed to log into more than one terminal at a time," Botz says. "You just can't possibly go backwards from looking at a configuration and determine what the policies were you were trying to enforce."

Where many IT folks moan about SOX's lack of clarity and the resulting tsunami of complexity, Botz sees illuminated flexibility and government rightfully keepings its hands out of telling a System i shop exactly which bits should be flipped, and when. "I would argue that it's nowhere near as difficult or complicated as it appears to be," he says. "The reason why it appears too complicated is, if you don't have a well-defined objective, how the hell are you ever going to be measure whether or not you've gotten there?"

In many ways, Group8 Security's goal is education, and convincing customers that security is not the black art that it appears to be to business folks. "They don't have to be technical experts in any way to play their proper role. They should not be telling technology people which firewall to use, or even what functions it should have. But they should be making clear statements, they should be driving the process," Botz says. "Instead, because the business leadership isn't playing its role, we have technical people, in effect, making business policy decision, and trying to enforce them."

In the end, Group8 Security is attempting to do something no other security consulting company has tried to do: Educate a wide swath of the market to the true goals of information security, thereby empowering executives to assume their proper place in the line and vanquishing the myths of security as a geeky black art forever. It's not quite "Rent a CSO," but it's pretty close

"The modest objective of Group8 is to change the way the entire industry manages security," Botz says. "And once we get done with that, we're going to attack world hunger. We thought we'd go after the low-hanging fruit first."

                     Post this story to
               Post this story to Digg
    Post this story to Slashdot

Sponsored By

Two Free System i PHP Webinars


Wednesday, November 28th: Learn how RPG & PHP programmers create PHP apps over DB2 or MySQL files in 5 minutes using WebSmart PHP Templates.

Wednesday, December 5th: Learn how you can leverage existing RPG code and objects in PHP Web applications.

WebSmart PHP is more than just an IDE, it's BCD's complete, non-proprietary System i and multi-platform Rapid PHP Web App Development solution.

Click for Webinar Registration Details

Editor: Timothy Prickett Morgan
Contributing Editors: Dan Burger, Joe Hertvik, Brian Kelly, Shannon O'Donnell,
Mary Lou Roberts, Victor Rozek, Kevin Vandever, Hesh Wiener, Alex Woodie
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.

Sponsored Links

RJS Software Systems:  Make your office paperless with WebDocs
COMMON:  Join us at the annual 2008 conference, March 30 - April 3, in Nashville, Tennessee
LANSA:  Hear how System i shops achieved modernization with RAMP



IT Jungle Store Top Book Picks

The System i RPG & RPG IV Tutorial and Lab Exercises: List Price, $59.95
The System i Pocket RPG & RPG IV Guide: List Price, $69.95
The iSeries Pocket Database Guide: List Price, $59.00
The iSeries Pocket Developers' Guide: List Price, $59.00
The iSeries Pocket SQL Guide: List Price, $59.00
The iSeries Pocket Query Guide: List Price, $49.00
The iSeries Pocket WebFacing Primer: List Price, $39.00
Migrating to WebSphere Express for iSeries: List Price, $49.00
iSeries Express Web Implementer's Guide: List Price, $59.00
Getting Started with WebSphere Development Studio for iSeries: List Price, $79.95
Getting Started With WebSphere Development Studio Client for iSeries: List Price, $89.00
Getting Started with WebSphere Express for iSeries: List Price, $49.00
WebFacing Application Design and Development Guide: List Price, $55.00
Can the AS/400 Survive IBM?: List Price, $49.00
The All-Everything Machine: List Price, $29.95
Chip Wars: List Price, $29.95

The Linux Beacon
Red Hat to Use Automation, Virtualization to Eat the Server Space

Red Hat Puts Out Fedora 8 Rev of Development Linux

Intel Announces First "Penryn" Xeon Processors

Mad Dog 21/21: Symphony for the Devil

Four Hundred Stuff
PowerTech Ships i5/OS Syslog Connector for SIEM

Change Management Software Gets Boost from Mighty Ant

Attachmate Ships Emulator, Touts Tolly Report

BCD Delivers Major Update of WebSmart ILE

Big Iron
IBM Acquires BI Software Specialist Cognos for $5 Billion

Top Mainframe Stories From Around the Web

Chats, Webinars, Seminars, Shows, and Other Happenings

Four Hundred Guru

Odds and Ends

Admin Alert: How Big is My IFS?

System i PTF Guide
November 10, 2007: Volume 9, Number 45

November 3, 2007: Volume 9, Number 44

October 27, 2007: Volume 9, Number 43

October 20, 2007: Volume 9, Number 42

October 13, 2007: Volume 9, Number 41

October 6, 2007: Volume 9, Number 40

The Windows Observer
Windows Server 2008 Pricing and Packaging Set by Microsoft

'Viridian' Hypervisor Gains Formal Name: Hyper-V

Intel Announces First "Penryn" Xeon Processors

Microsoft Makes Gains in HPC Market

The Unix Guardian
Solaris Conversion Rate: Sun Sheds Some Light

Blade Servers Make It to the Top HPC Sites

Intel Announces First "Penryn" Xeon Processors

The Blue Cloud Is IBM's Commercial Cloud Computing

Four Hundred Monitor
Four Hundred Monitor's
Full iSeries Events Calendar


Vision Solutions
WorksRight Software

Printer Friendly Version

Redefining Security the New Goal of Former i5/OS Security Architect

The System i Fourth Quarter Sales Strategy

Power Systems Division Eyes Cognos Deal; Business Systems Shrugs

As I See It: The Sick Guys in Your Wallet

But Wait, There's More:

Reader Feedback on Native .NET for System i . . . IBM Slashes Linux SupportLine Prices for System i and p . . . Is There an NSA Back Door in Encryption Algorithms? . . . Top Execs at TomorrowNow Depart, SAP Hints at Sale . . . BluePhoenix Raises a $35 Million War Chest . . . Lawson and IBM Target Retailers and Manufacturers in Germany . . .

The Four Hundred


Subscription Information:
You can unsubscribe, change your email address, or sign up for any of IT Jungle's free e-newsletters through our Web site at

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034

Privacy Statement