Banking executives recognize that mainframes are the backbone of financial services. According to 2024 Forrester research, 61% of global infrastructure decision-makers use mainframes, with $10.4 trillion in purchase volume flowing through general-purpose credit and debit cards in the United States alone. However, despite this importance, banks treat their mainframes as security islands that remain invisible to modern security monitoring platforms.
The cost of this lack of visibility is staggering. IBM’s 2024 Cost of a Data Breach Report shows that the average breach now costs $4.88 million, with financial services firms facing even higher costs. Meanwhile, SOX compliance expenses range from $181,300 for smaller institutions to over $2 million for large banks, according to Protiviti research, with organizations spending over $1 million annually on compliance initiatives.
We have identified seven of the most critical mainframe security blind spots that banking CISOs must address:
1) External Security Monitor (ESM) Administrative Access
The Risk: Security administrators have full access to mainframe systems, yet some banks cannot monitor when these privileged accounts are accessed, changed, or misused.
The Impact: A rogue administrator could access customer financial data, modify transaction records, or disable security controls without detection. In 2024, insider threats accounted for significant portions of financial services breaches.
The Solution: Real-time monitoring with behavioral analytics that establishes baselines for administrative activity and alerts on anomalous behavior patterns.
Source: IBM Cost of Data Breach 2024
2) Invisible CICS Transaction Monitoring
The Risk: Customer Information Control System (CICS) processes millions of real-time banking transactions, but traditional SIEMs can’t parse CICS transaction logs or detect suspicious patterns within transactions.
The Impact: Fraudulent transactions, unauthorized fund transfers, and customer data exposure can occur without triggering security alerts. According to 2024 Experian data, Americans hold an average of 3.9 credit cards, indicating that the volume of CICS transactions and potential attack surface continues to grow.
The Solution: Native CICS transaction monitoring with real-time fraud detection and automated correlation with network security events.
Source: Credit Card Market Share Data
3) DB2 Database Access Gaps
The Risk: Your DB2 databases contain customer financial records, account balances, and transaction histories; however, database access logs are often left unmonitored or reviewed only during quarterly audits.
The Impact: Unauthorized data extraction, customer privacy violations, and compliance failures. Database breaches in financial services result in some of the highest regulatory penalties and customer churn rates.
The Solution: Continuous DB2 access monitoring with real-time alerting about suspicious queries, bulk data extractions, and after-hours database access.
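To make blind spots 1 and 3 concrete, here is an added example (not code from this page or from the VitalSigns product) of the detection logic a mainframe SIEM would run over normalised audit events: an after-hours and bulk-read check for DB2 access, plus a per-administrator baseline for ESM commands. The event layout, the sample records, the business-hours window and the row threshold are constructed assumptions, not a real SMF format.

```python
from collections import Counter, defaultdict
from datetime import date, datetime
from statistics import mean, pstdev
ESM = {"RACF", "ACF2", "TSS"}      # external security managers, as labelled in our records
BUSINESS_HOURS = range(7, 20)      # assumed policy: 07:00-19:59 local is normal DB2 access
BULK_ROWS = 100_000                # assumed threshold above which a read counts as bulk

def ev(ts, user, subsystem, action, rows=0):
    """One normalised audit event (constructed layout, not a real SMF record)."""
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "subsystem": subsystem, "action": action, "rows": rows}

# Constructed sample: three baseline days, then a fourth day with an admin burst at night
EVENTS = [
    *[ev(f"2024-10-0{d}T09:{m:02d}:00", "ADMIN01", "RACF", "ALTUSER")
      for d, m in ((1, 5), (1, 40), (2, 5), (2, 20), (2, 45), (3, 10), (3, 30))],
    *[ev(f"2024-10-0{d}T10:00:00", "ADMIN02", "RACF", "PERMIT") for d in (1, 2, 3)],
    ev("2024-10-04T09:05:00", "ADMIN01", "RACF", "ALTUSER"),
    ev("2024-10-04T09:50:00", "ADMIN01", "RACF", "ALTUSER"),
    *[ev(f"2024-10-04T22:{m:02d}:00", "ADMIN02", "RACF", "SETROPTS") for m in range(0, 35, 5)],
    ev("2024-10-04T11:00:00", "TELLER7", "DB2", "SELECT", rows=12),
    ev("2024-10-04T23:15:00", "DEVUSR1", "DB2", "SELECT", rows=450),
    ev("2024-10-04T14:00:00", "BATCH01", "DB2", "SELECT", rows=250_000),
]

def after_hours_db2(events):
    """Blind spot 3: DB2 reads outside business hours."""
    return [e for e in events if e["subsystem"] == "DB2" and e["ts"].hour not in BUSINESS_HOURS]

def bulk_extractions(events, threshold=BULK_ROWS):
    """Blind spot 3: DB2 reads returning a bulk-sized result set."""
    return [e for e in events if e["subsystem"] == "DB2" and e["rows"] >= threshold]

def admin_anomalies(events, window_day):
    """Blind spot 1: per-admin daily ESM command count vs. that admin's own baseline."""
    window = date.fromisoformat(window_day)
    daily = defaultdict(Counter)                     # user -> {date: commands}
    for e in events:
        if e["subsystem"] in ESM:
            daily[e["user"]][e["ts"].date()] += 1
    alerts = {}
    for user, counts in daily.items():
        baseline = [c for d, c in counts.items() if d < window]
        today = counts.get(window, 0)
        if not baseline:                             # no history: nothing to compare against
            continue
        # mean + 3 sigma, with a 2x-mean floor so a flat baseline (sigma 0) still alerts
        threshold = max(mean(baseline) + 3 * pstdev(baseline), 2 * mean(baseline))
        if today > threshold:
            alerts[user] = (today, round(threshold, 2))
    return alerts
```

On the sample data the DB2 checks surface DEVUSR1 (23:15 read) and BATCH01 (250,000 rows), and the baseline flags ADMIN02's seven night-time SETROPTS commands against a history of one command per day.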
4) Batch Job Security Oversight
The Risk: Nightly batch processing jobs handle interest calculations, account reconciliations, and regulatory reporting, but most banks don’t monitor who submits jobs, what data they access, or whether job outputs are properly secured.
The Impact: A malicious batch job could manipulate financial calculations, extract customer data, or corrupt critical banking records. Given that batch processing often occurs during off-hours with minimal oversight, detection typically happens days or weeks later.
The Solution: Automated batch job monitoring with pre-execution authorization checks and post-execution audit trails.
5) JCL Modification Blind Spots
The Risk: Job Control Language (JCL) modifications can redirect data outputs, alter processing logic, or bypass security controls, yet most banks rely on manual change management processes with limited real-time visibility.
The Impact: Unauthorized JCL changes could redirect customer statements to external systems, modify interest rate calculations, or disable audit logging. These changes often leave minimal traces in traditional security monitoring systems.
The Solution: Real-time JCL change detection with automated approval workflows and rollback capabilities for unauthorized modifications.
6) TSO/ISPF Session Monitoring Gaps
The Risk: Time Sharing Option (TSO) and Interactive System Productivity Facility (ISPF) sessions provide direct mainframe access for developers and administrators, but session activities often go unlogged or unmonitored.
The Impact: Privileged users could access sensitive customer data, modify production code, or disable security controls through TSO/ISPF without generating security alerts. This represents a significant insider threat.
The Solution: Comprehensive TSO/ISPF session logging with keystroke monitoring for privileged users and automated anomaly detection.
7) Cross-Platform Correlation Failure
The Risk: Even banks with some mainframe logging typically can’t correlate mainframe events with network intrusions, endpoint compromises, or cloud security incidents, creating incomplete threat pictures.
The Impact: Multi-vector attacks that begin on network systems and pivot to mainframes go undetected. Advanced persistent threats (APTs) specifically target this correlation gap to maintain long-term access to banking systems.
The Solution: An integrated SIEM platform that normalizes mainframe logs with other security data sources for comprehensive threat detection and response.
The Path Forward: Comprehensive Mainframe SIEM
Addressing these blind spots requires more than periodic audits or manual log reviews. Modern banking security demands real-time mainframe monitoring integrated with existing security operations centers.
According to Protiviti research on SOX compliance costs, organizations that invest in automated monitoring and continuous controls see significant reductions in audit preparation time and compliance expenses. The key is implementing purpose-built mainframe SIEM capabilities that provide:
- Real-time Event Processing: Handle millions of mainframe security events per hour without impacting performance
- Native Integration: Work seamlessly with RACF, ACF2, Top Secret, CICS, DB2, and other mainframe components
- Behavioral Analytics: Establish user and system behavior baselines to detect anomalous activities
- Automated Compliance: Generate SOX 404, PCI DSS, and GLBA reports automatically
- Threat Correlation: Integrate mainframe events with network, endpoint, and cloud security data
Taking Action
Banking CISOs can no longer treat mainframe security as a separate concern from their broader cybersecurity strategy. With data breach costs averaging $4.8 million and SOX compliance expenses exceeding $1 million annually for many institutions, the business case for a comprehensive mainframe SIEM is clear.
The question isn’t whether to implement mainframe security monitoring; it’s how quickly you can deploy it before these blind spots become breach vectors.
Next Steps:
- Conduct a mainframe security visibility assessment
- Evaluate current SIEM capabilities against mainframe requirements
- Pilot real-time mainframe monitoring in a controlled environment
- Develop integration plans with existing security operations
- Establish metrics for measuring security posture improvement
Your mainframe processes the transactions that define your business. Isn’t it time you could see who’s accessing them? The solution is VitalSigns SIEM Agent for z/OS – VSA. Eliminate the blind spots with real-time mainframe security monitoring, automated compliance reporting, and comprehensive threat detection.
Free Demo/Trial
We offer individualized product demonstrations by request. Your organization can also try SDS Software on your system for 30 days, free of charge. ConicIT trials typically run for 60-90 days as the first 30 days are needed for the software to learn your system.