Published at 4/20/2025

IBM Z - The Enterprise Security Solution Hiding In Plain Sight.

It’s just my humble opinion.

I’m not a mainframer—I would be viewed as an outsider by the community, but after three years working hands-on with IBM Z platforms and diving into mainframe security, I’m still amazed by what these systems can do. To give you some context, I’m researching and co-authoring a book on Mainframe Hacking with No Starch Press, drawing on guidance from gurus like Mark Wilson and Philip Young. These machines deliver unmatched performance, reliability, and scale, and yet their true power often stays hidden. While crafting a white paper in my day job, I realized that a broader audience might appreciate a more digestible article, so I put together this piece to share my insights as an outsider looking in, alongside some key stats, in a format that’s easier to consume.

Let’s set the scene.


On the floor of many a large enterprise data centre sits an IBM Z mainframe whose legacy is rock solid but whose modern capabilities are often ignored. The latest z17 brings AI inferencing on chip, quantum safe encryption, massive throughput, and near mythical reliability—but it’s shrouded in complexity, hidden behind opaque pricing, and out of reach for many who’d benefit most. In the world of enterprise data centres, IBM built one of the most advanced platforms on Earth—and then wrapped it in complexity, opacity, and a pricing model that keeps it out of reach for those who need it most. As a result, most organizations barely scratch the surface of what z17 can do, leaving techies and managers to shrug and ask, “Why bother?”

In this article, I unpack the promise—and the frustration—of positioning the z17 as a central security powerhouse. Spoiler alert: I believe it can be done, but IBM must meet today’s enterprises halfway to ensure integration and learning are easy! This is not necessarily all about modernising the mainframe and getting rid of, shall we call it, ‘backward compatible interaction’. Zowe plus z/OSMF are now heading in the right direction to make it easier for those who don’t know TSO or REXX, but this is more about the positioning and taking advantage of Z security for the surrounding enterprise infrastructure and making it simpler to do that without ballooning the cost.

The Technological Powerhouse Nobody Wants to Touch

Let’s be clear: IBM z17 is a beast.

  • Quantum-Safe Cryptography via CRYSTALS-Kyber and Dilithium, baked into hardware.
  • AI On-Chip via the Telum II processor for fraud scoring and anomaly detection with sub-millisecond latency.
  • Security Features like pervasive encryption, RACF, and secure boot signed with lattice-based keys.

But here’s the catch: every shiny feature demands its own license. You want SIEM integration? That’s zSecure Alert. Real time streams? IZLDA (and maybe Common Data Provider). Modern DevOps APIs? z/OS Connect EE—with its own fee. Before you know it, your Z mainframe, technically capable of anything, is bogged down by costs and complexity, and turning it into a modern security powerhouse starts to feel like climbing Everest in flip flops.

Integration is Possible—But Painful

Yes, the z17 can integrate with Active Directory, federate identities via SAML or Kerberos, stream logs into Splunk, and even run AI fraud models inline with transaction processing. But the integration story is fragmented and scary, meaning that few outside the mainframe elite can understand it:

  • Documentation is buried in arcane manuals that overwhelm you with information.
  • Many tools demand special knowledge of CARLa, JCL, REXX and RACF command syntax.
  • Pricing is opaque and gatekept behind long negotiation cycles.
  • Skills are rare—and IBM does little to make them more common. The community is trying its best, but overall, it is being left to get on with it, or at least that is how it feels to me.

Modern engineers, used to JSON, REST APIs, and cloud native services, see z/OS and walk the other way.  

The Cultural Lock-In: "Don't Touch the Mainframe"

Maybe the biggest barrier is not tech or licenses, but the cultural fortress IBM and senior management helped build around the mainframe. Inside many companies, the Z Mainframe is untouchable—it powers critical transactions, it’s rock solid, so “don’t mess with it, or don’t Pen Test it – you may knock it over!”

That mindset kills security integrations, sidelines z/OS innovation, and turns even IBM’s most secure system into an isolated island. The brutal irony? The platform with the most potential to be your security cornerstone is exactly the one you’re least likely to leverage as one.

What I believe IBM Should Be Doing

If IBM wants the mainframe to be a pillar of modern enterprise security, it needs to:

  • Radically Simplify Integration: Ship z/OS with ready to go SIEM, IAM, and API configs. Bundle z/OS Connect and IZLDA into one affordable package.
  • Revamp Pricing: Ditch the MIPS based billing. Offer clear subscription tiers for core security features.
  • Train Everyone: Build cloud native, DevOps, and cybersecurity courses—don’t just cater to those who are already in the mainframe community and working in large organisations who can afford Interskills and the like.
  • Open It Up: Release a “Mainframe Lite”—a low cost, virtual z/OS sandbox (like LinuxONE Community Cloud) for hands on testing. Show other techies that even z/OS, which I found a steep learning curve – due to a lack of easily findable resources, is just another OS that can be used – in the same way Linux used to be scary.
  • Be Transparent: Drop, or at least simplify, the arcane product names and tell users exactly what the system can do and how to do it. I can never remember what ISPF, SDSF, VTAM, LPARS, IPL etc mean – which makes it difficult to describe to others.

This isn’t about dumbing down z/OS—it’s about pulling back the curtain.

How it could work (in very simple terms) 😊

We can take a look at the diagram below. In simple terms, it shows the potential for using the mainframe as the central security framework. However, unless all the standard connectors are easily implemented for inbound and outbound real time comms, and the costs are reduced (along with all the point products IBM currently have), it won’t happen.

[Diagram: The potential enterprise architecture]

It is difficult to be a mainframe techy or mainframe consultant due to the large set of tools available, each for its own individual purpose. It’s a lot (too much, I think) to learn.

Is It Worth It?

Yes, IMHO—the z17 really can be the nerve centre for identity, end to end visibility, AI driven threat detection, and next gen crypto control, including on chip quantum safe algorithms. Imagine pairing its hardware security modules with quantum key distribution to create a “cyber vault” where secrets never leave the protected z/OS enclave. All this power, though, is buried under complex licensing, painful integrations, and a risk averse culture that kills experimentation. If IBM truly wants the z17 to shine as a unified security platform—not just a fast processor, with all the things it can do within its own eco-system—it must simplify entitlements, streamline connectors, and foster a sandbox mindset. Until then, the mainframe stays what it is today: a phenomenal piece of engineering, tragically left on the shelf.

My Final Thoughts

Let’s be serious: none of this works while licensing feels like ransom, training sits behind ivory tower doors, and siloed thinking turns z/OS into a forbidden relic. IBM needs to revamp its playbook—listen to next gen engineers, make mainframe skills accessible and exciting, and unlock that idle capacity. Show that cloud alone isn’t the cure (hybrid’s solid, but seamless integration wins).

On the security side we need raw transparency, clear roadmaps, a bug bounty program, and a culture that rewards finding flaws instead of suing the discoverers. Remember, the mainframe is not inherently secure out of the box—it’s simply the most securable platform you’ll find if you are allowed to test it. The current “don’t touch” ethos, hidden costs, and sky high barriers to test systems (most techies are used to downloading a 30 day trial or a single user license) have fostered the myth that an unseen z/OS is a safe z/OS. Ask the Mainframe Hackers Society or any nation state red team—they’ll tell you that a mainframe untested, forgotten, churning away in the corner and believed to be impenetrable, is really a missed opportunity as well as a security risk.
