Let’s be honest: the mainframe still moves the world. Despite all the noise about the cloud and distributed architectures, when we talk about banking, insurance, or large corporations, the heart of the business still beats in a z/OS environment. However, we have a problem, and it is the "elephant in the room" that few talk about: the knowledge gap. With the entry into force of the DORA Regulation 2022 and the NIS2 Directive, regulatory pressure on CISOs and compliance departments has skyrocketed. It is no longer enough to fill out an Excel sheet; you must demonstrate real operational resilience. And here arises the million-dollar question: who is really auditing the security of the mainframe?

The Auditor's Challenge Before the "Black Box"

Historically, many IT auditors have treated the mainframe as an inscrutable black box. It is understandable; it is complex technology. But in the current scenario, where GDPR, financial regulations such as Basel III, and Sarbanes-Oxley (SOX) audit requirements demand strict controls, ignorance is not a valid excuse. It is useless to have a cybersecurity SOC monitor alerts in distributed systems if the central core, where critical data resides, is not audited with sufficient depth. A SIEM fed with low-quality or incomplete data from the mainframe is like an alarm system with one eye closed.

Specialized Training: Breaking the Barrier to Entry

At Bsecure, we have detected this critical lack in the industry. That is why we have developed the only training course for z/OS IT auditors currently available in the market. This is not boring academic theory; it is pure trench work based on ethical hacking principles. We are talking about nearly 30 hours of video and a curated selection of essential documentation, designed so that any IT auditor—internal or external—stops fearing the mainframe and starts understanding it. The goal is not to turn the auditor into a systems engineer in a month, but to equip them with the necessary criteria to:
  • Ask the right questions to system administrators.
  • Verify if reasonable minimum security controls exist.
  • Understand the structure of an LPAR and its potential vulnerabilities.
  • Verify real compliance with standards like ISO 27001, NIST 2, or the rigorous Payment Card Industry Data Security Standard (PCI DSS).

The Ultimate Checklist: Decades of Experience in Your Hands

The jewel in the crown of this training is found in its final section. We analyze and break down what is possibly the best audit checklist in the sector. This is not a generic document downloaded from the internet. It is the distilled result of decades of real experience in auditing, ethical hacking, and security administration in z/OS environments. It is the treasure map that allows a professional to distinguish between an "apparently" secure system and one that is truly armored, helping to meet the 12 PCI DSS requirements and other strict standards. Our motto sums it up perfectly: “Knowledge is Security”.

From Training to Continuous Improvement: DATAPASS

Understanding how to audit is the vital first step, but security is a movie, not a still photo. Environments change, and threats evolve faster than manual procedures. For this reason, although training is indispensable for the human factor, at Bsecure we advocate increasing the frequency and depth of cyclical and automated audit services such as DATAPASS. Imagine it as a continuous improvement system for your mainframe: a tool that never sleeps and ensures that what you learned in the course is applied and maintained over time, guaranteeing that your security posture always meets ISO 27001, Solvency II, or PCI DSS requirements. Whether it is to comply with PCI DSS and GDPR, DORA, or NIS2, or to sleep soundly knowing that the core of the business is protected, specialized training in z/OS is no longer optional. It is time to open the black box and shed light on mainframe security.