ID-INFO blog

How to choose your
IBM i security consultant?

Despite all the security advantages that an AS/400 can offer, current attacks are forcing their owners to implement best practices for their organization: at stake is their ability to ensure continuous production, as well as the various legal risks associated with the possible loss of data.

Bob Losey explains the point of view of Bruce Bading, IBM i security expert.

With kind permission of Bob Losay. Jan. 2023

IBM i cybersecurity is one of the top priorities of the IBM users I talk to. I’m fortunate to have worked with Bruce Bading, a true IBM i security expert. With her permission, this is a modified reprint of another publication I wish to share.

There are many options when it comes to cybersecurity consultants or managed security service providers. One way of assessing your choices is to ask what security best practices the consultant (or his company) recommends for setting up cyber defenses. Some best practices are driven by massive organizational teams or company results. However, there is another way to develop security guidelines by leveraging CIS controls and benchmarks through membership of CIS SecureSuite.

CIS Controls and CIS Benchmarks are security best practices that pave the way for improved defenses through a unique community consensus process. Working with many of the world’s security professionals, CIS develops global security guidance (CIS Controls) and technology-specific reinforcement configurations (CIS Benchmarks).

Let’s take a look at how Bruce Bading, President of BFB Consulting, uses his CIS SecureSuite membership to strengthen his customers’ cybersecurity. BFB Consulting provides cyber defense services to help organizations improve their cyber policies, compliance requirements and procedures.


Implementing fundamental safety

With over 40 years’ experience in cybersecurity and regulatory compliance, Mr. Bading has seen the growth and development of various best practices. From his time as CFO of a major industrial company to his years of experience at IBM as a senior cybersecurity consultant, he has learned to leverage the resources of CIS SecureSuite. It relies on CIS Controls, CIS RAM (risk assessment method) and CIS Benchmarks to help customers operationalize fundamental safety. Mr Bading uses CIS-CAT Pro, a configuration assessment tool, to show his customers the security gaps in their configurations: “CIS-CAT Pro is a really solid foundation on which you can address any customer and show them. Look, here’s what the Center for Internet Security tells us you need to do to lock down your systems. You can read what Tony Sager says – stop chasing the shiny stuff and get back to basics.“.

Bading has seen first-hand how some customers fall into the “glitter syndrome” and chase claims of technical greatness while ignoring basic best practice. “
We need to get back to fundamental safety
“he insists. Part of this fundamental security includes implementing best practices such as CIS benchmarks and assessing compliance and adherence. Customers should ask whether consultants are members of CIS SecureSuite. If this is the case, they can ask to see their own CIS-CAT Pro results to identify any security gaps in the configuration. The consultant’s expertise can then help fill these gaps and address any remaining cybersecurity concerns.

Safety in hybrid environments

Bading’s customers operate in hybrid environments, i.e. on both on-premise and cloud infrastructures. The important thing, says Bading, is to identify the criticality and confidentiality of each data element. It recommends that private information such as personally identifiable information (PII) or other confidential data be stored in a private cloud. For public data, a public cloud is sufficient. Secondly, it’s essential that organizations harden cloud environments, wherever they’re hosted. CIS provides security best practices for securely configuring cloud accounts and services on three of the leading providers:

  • CIS AWS Foundations Benchmark
  • CIS Azure Foundations Benchmark
  • CIS Google Cloud Platform Foundations Benchmark

Whatever environment you operate in – on premise or cloud, public or private – secure configurations are essential. “
And that’s what we need to communicate to people
“, explains Mr. Bading. “
We need to harden these images

Collaborate and connect to the community

Bading participated in the CIS community consensus process to help develop the first IBM i Benchmark CIS. He enjoys being connected to a wider cybersecurity community and said, “My next goal is to enter some of the other communities.“CIS communities enable networking with other technical experts, solving security problems and finding consensus on best practices in cybercrime. “Professionals took part in the debate“explains Bading, “through a community, they’ve come full circle. And here’s what they said collectively. It’s not just one person, or one company – it’s a large group of individuals all conveying the same message..”

Serious security for serious threats

Cybercriminals are serious
“warns Mr. Bading, “
and they’re not afraid to break things.
“. The determination of cybercriminals demonstrates that customers need to be just as serious about implementing best practice and compliance. Cybersecurity is a business issue, not just an IT issue. For BFB Consulting and its customers, CIS SecureSuite Membership provides the resources they need to implement security best practices. “
Firewalls and antivirus are no longer enough in the age of malicious AI, fileless and metamorphic malware
“, explains Mr. Bading. “
We need to constantly up our game when it comes to security and internal controls
.” By combining the powerful CIS Benchmarks and CIS Controls, CIS SecureSuite Membership helps organizations keep their systems securely configured. It’s an essential resource for developing genuine basic safety throughout the company.


Find out more at

Original article in English: https: //


Other articles you might like

IBM i: security remains the main concern (Fortra 2023 study)

Fortra 2023 study IBM i: security remains the main concern On February 1, 2023, The Four Hundred's Alex Woodie explained how security remains the number one concern for IBM i resellers. In its ninth annual survey, Fortra questioned over 300 members of the IBM i...

read more

IBM i security: 10 major risks and how to avoid them

ID-INFO blog Security on IBM i : 10 major risks and how to avoid them Security threats are on the increase. Whether it's a cyber attack or a virus, identity theft is becoming more and more common, not to mention the fact that certain vulnerabilities can also lead to...

read more

IBM i historical users: 2022 summary

ID-INFO blog IBM i legacy users: what you need to know in 2022 Switching to the cloud to keep costs down, security issues, spare parts problems, increased IBM support costs: keeping your AS/400 sometimes has to be earned! Bob Losey's thoughts on what to consider......

read more

IBM i: four key trends affecting the market

ID-INFO blog IBM i: four key trends affecting the market These are interesting times for everyone. Indeed, no one could have imagined global containment, or such a widespread pandemic with such restrictions to prevent the virus from spreading. This may be stating the...

read more

The strange story of the IBM i

ID-INFO blog The strange story of the IBM i IBM i developments are now almost as famous as the Fitzgerald novel in which Benjamin Button, the protagonist who was born old, gets younger as time goes by. Instead of "aging", becoming a "legacy" system and on the verge of...

read more

6 IBM i features that give it an edge

ID-INFO blog 6 IBM i features that give it an edge Here are the main features of IBM i, in response to critics who claim that IBM i is "old". He's not "old", he's always ahead of the game. Last week, one of my customers confided in me that his network team leader...

read more

Does your IBM i have a future? Of course!

ID-INFO blog Does your IBM i have a future? Of course! As an IBM Business Partner and cloud hosting provider, I talk to IBM i users every day. Many "experts" claim that IBM i is an old and dying technology. I've even heard accountants and auditors ask their clients...

read more

How long does it take to leave IBM i?

ID-INFO blog How long does it take to leave IBM i? Last week I was talking to an IBM expert who explained that 5 years ago, new management complained that their IBM i system was really old. Why? Because it was based on characters instead of a graphical interface. As a...

read more
Partager cet article