IBM i Security Concern Hits All-Time High, But Solution Adoption Lags, Fortra’s Marketplace Study Shows
February 7, 2024 Alex Woodie
Security is the number one concern of IBM i professionals, according to Fortra’s Marketplace Study, the seventh straight year that security has topped the charts. More survey respondents chose security as their top concern than in any other year. Despite the growing security concern, there doesn’t seem to be a corresponding increase in adoption of security tools, the survey data show.
Fortra released the 2024 IBM i Marketplace Study last month, representing the 10th straight year that the company (formerly HelpSystems) has conducted the survey and published the findings. Last fall, Fortra surveyed 270 IBM i professionals from around the world, representing companies large and small and across all major industries. It’s not a perfect sampling of the diverse IBM i installed base, but it’s the best one we have.
Marketplace survey respondents were asked about their top concerns, as they are every year. And for the seventh straight year, security came back as the biggest concern of IBM i pros, the results show (you can download a copy of the report here).
Security was picked as a top concern by 79 percent of Fortra’s survey respondents, which is an increase of 11 percentage points from last year and up 17 percentage points from the 2022 report (when Fortra paired cybersecurity with ransomware). The 79 percent figure for security tops the previous high of 77 percent reported in the fall of 2019 (as reported the following winter in the 2020 Marketplace report).
Tom Huntington, Fortra’s longtime vice president of technical services, didn’t sound surprised that security figures so prominently in the minds of IBM i professionals.
“For over two decades now, we’ve been doing our free IBM i [security] scan, and quite honestly, in the market we find a lot of systems that are still horribly configured,” he said during the January 23 webinar to present the survey findings, which you can watch on YouTube.
“There are still enough people out there that take the stance that ‘IBM i is behind the firewalls. It’s secure. I don’t need to worry about it. Our network team takes care of it,’” Huntington continued. “And I’m here to say we personally have seen many different things where all of a sudden, there’s an IP address showing up in exit point monitoring that we do.”
In its follow-up question on security, Fortra asked what security solutions IBM i professionals have in place, which it has done every year starting with the 2018 report. While two of the eight security categories hit highs, two were essentially flat, and the remaining four were down, indicating a flat-to-lowered investment in security compared to previous years. (Again, Fortra’s is not a perfect survey, but it’s the best sample we have.)
The most-used security solution is privileged user management, at 44 percent. However, that figure represents the lowest percent for privileged user management going all the way back to 2018, when about 50 percent reported having it.
Number two on the security-tools list was exit point security at 43 percent. This critical IBM i security component, which essentially implements network security directly on the IBM i, matched the figure from the 2023 report, and represents an all-time high, which is good news. About 42 percent of survey respondents said they had compliance and audit reporting in place, which is down from recent years; it has bounced around 45-46 percent most years.
Anti-virus and ransomware protection came in at 37 percent, the same as the past two years (it was at 38 percent in the 2021 report, but only 26 percent in 2020). Only 29 percent of Marketplace users say they are using secure managed file transfer solutions, a massive 20 percent decline from last year. In fact, the previous low for secure MFT was 42 percent in the 2019 report; all other years it has hovered between 45 percent and 49 percent.
Twenty-eight percent of Marketplace users report using a security information event management (SIEM) or Syslog solution, an increase of six percentage points from last year. The previous six years, this category bounced between 16 and 20 percent, so this is another positive indicator.
However, the warm fuzzy feeling you get from SIEM adoption turns into a cold knot of worry when you consider multi-factor authentication. Despite the massive focus on MFA as a central component of good IT security, only 24 percent of Marketplace survey takers report having MFA in place today. That represents a 2 percentage point decline from 2023, and it even comes below the adoption rate for 2021 (25 percent). In prior years, MFA adoption hovered in the 13 to 20 percent range.
Finally, database encryption was used by only 21 percent of the Marketplace survey respondents, the same as the past two years, and down 1 percentage point from 2021. Database encryption adoption is mostly unchanged since 2018, when 19 percent of survey respondents reported having it.
While concerns over security aren’t decreasing at the moment, it’s important for IBM i shops to know that there are resources available to help bolster security, said IBM i Chief Architect and CTO Steve Will, who was also on the webinar.
“One of the best things about our community is that even though — especially in small shops — people tend to lack knowledge, they’re concerned about the changing threats,” Will said. “There are partners out there who have the skills, who can do engagements to help clients. And so if people are in this space and they’re concerned about these things, do talk to the experts.”
IBM does as much as it can to help IBM i professionals configure their servers to address security problems and close access to applications and data, Will said. “But you still need to know how to use them,” he added, “and a lot of clients really gain benefit from their partners who have both products and practices around this stuff.”