CPT Insights

Your Mainframe is Secure, Your Security Practice is Not

Written by Luke Tuddenham | Oct 23, 2025 12:03:41 PM

Luke Tuddenham, CEO: Your mainframe is secure, but your security practices are riddled with holes – and it’s costing you. It’s a hard truth to accept, especially when we have invested so much in technology that, by design, is one of the most dependable platforms in existence. We see the mainframe as a fortress, but we often overlook the human element that can render its defences meaningless. This disconnect between a secure system and the flawed human processes surrounding it is one of the biggest unaddressed risks in business today.

As leaders, we trust our teams. Yet, I am constantly surprised by the naive and dangerous practices that persist within large organisations. We see scenarios that seem unbelievable: shared root access, default passwords left unchanged for years, and employees retaining high-level permissions long after they have moved roles. These are not sophisticated cyberattacks. They are unlocked back doors, left open by mistake or complacency.

We all know the adage: Security is everyone’s responsibility. But the standard is set at the top. It is up to leadership to move beyond a checkbox compliance mindset and foster a culture of genuine security awareness.

The Leadership Imperative in Security

Luke Tuddenham, CEO: For too long, security has been treated as a departmental function, handled exclusively by IT. As leaders, we review audit reports, comply with regulators, and assume we are protected. But this hands-off approach creates a dangerous gap between perception and reality. A secure culture is not born from compliance – it’s forged through leadership.

The C-suite has a fundamental role in driving a culture of security and accountability. Many damaging security failures are not the result of sophisticated attacks but of simple human error and poor processes, all of which are preventable with stronger leadership.

Consider the distinct roles of the CEO and the CISO. The CISO owns the technical strategy, deploying the tools and frameworks to protect our digital assets. My role as CEO, however, is to champion security as a core business value. My investment is in fostering a culture where every employee understands their part in protecting the company. I am accountable for ensuring security is a strategic priority discussed in the boardroom. When both the CEO and CISO are aligned, security transforms from a technical function into a powerful business enabler.

What We See in the Field

James Loftus, CISO: When we talk about security vulnerabilities, the conversation often turns to external threats. But from my experience on the front lines, the most significant risks are internal, stemming from the one variable that is notoriously hard to control: the human being. Your technology can be state-of-the-art, but your weakest link will always be a person who makes a mistake, takes a shortcut, or gets complacent.

Think about everyday life. Why do we sometimes forget to lock the car? It is rarely intentional. We are tired, distracted, or in a hurry. These same human tendencies are magnified in a complex corporate environment. An employee keen to impress a manager might share credentials to speed up a project. A system administrator, stressed and overworked, might put off changing a default password, thinking, "I'll get to it tomorrow."

It is like locking your front door but leaving the back door wide open. You have addressed the most obvious point of entry but ignored the simpler vulnerabilities created by everyday habits. Here are some of the most common lapses we encounter:

  • Shared Root Access: System-level credentials being passed around between departments, giving dozens of people the "keys to the kingdom."
  • Unchanged Default Passwords: Critical systems still using factory-set passwords years after installation. This is the digital equivalent of leaving a key under the doormat.
  • Over-Permissioned Employees: Staff accumulate access rights but rarely have old permissions revoked, leaving a trail of unnecessary access points.
  • Lack of Insider Monitoring: Organisations focus on external threats, forgetting that a disgruntled employee with legitimate credentials poses an enormous risk.
  • Poorly Managed Third-Party Access: Vendors are often granted broad, persistent access with little oversight, turning a partner into a security liability.

These issues are not born from malice. They are the direct result of laziness, lack of training, and misplaced trust. A tired employee making a mistake is a far more probable threat than a shadowy hacker.

The Cost of Naivety

James Loftus, CISO: These security gaps are often dismissed as low-level oversights. But this isn't just about sloppy housekeeping. Really, it’s about leaving your most critical assets exposed. The cost of this naivety is measured in real-world business consequences. When one of these simple gaps is exploited, the fallout is immediate and severe. First comes business disruption. Operations can grind to a halt as systems are taken offline and data is locked down.

Next, and perhaps more damaging, is the loss of customer trust. A breach, especially one from a basic internal failure, shatters that trust. It suggests a culture of carelessness, and once that perception takes hold, it is incredibly hard to reverse. The long-term reputational damage can far outweigh the initial financial impact.

Luke Tuddenham, CEO: And from a leadership perspective, these are not IT problems, but rather significant business risks. Every internal security lapse represents a potential threat to our operational continuity, brand reputation, and bottom line. As executives, we are the ultimate stewards of customer trust. Allowing preventable weaknesses to persist is a failure of that stewardship.

Fixing the Gaps with Proactive Leadership

Luke Tuddenham, CEO: Recognising that these gaps originate from human processes is the first step. The next step is taking decisive action. We must actively drive the change required to close these vulnerabilities. The most critical shift is moving from a culture of compliance to one of accountability. An annual audit might satisfy a regulator, but it does little to address the day-to-day habits that create risk.

True accountability means embedding security into the fabric of our operations. This cultural shift starts at the top. When leadership visibly prioritises security, the rest of the organisation follows. To support this, we must invest in continuous security assessments, not just periodic audits. A one-time check gives you a snapshot, but continuous assessment provides an ongoing, real-time view of your security posture.

James Loftus, CISO: From a practical standpoint, this is where clear policies for access control become critical. This means implementing a "least privilege" access model, where individuals are only granted the minimum permissions required to perform their jobs. This single step dramatically reduces the potential damage from a compromised account.

Beyond privileged users, robust monitoring and alerting for all system access and activity are also essential. Furthermore, we should be moving towards a zero-trust framework, which assumes that no user or device is inherently trustworthy. It requires strict verification for every person and device trying to access resources, systematically removing the misplaced trust that so often leads to security failures.

Security is Everyone’s Responsibility, But Leadership Sets the Standard

Luke Tuddenham, CEO: The strength of your mainframe is a testament to decades of engineering. However, the greatest technology is only as strong as the human processes that surround it. Often, the most significant threats come from simple, preventable internal lapses born from complacency and a lack of oversight.

These aren’t technical failures; they’re leadership failures. While security is everyone’s responsibility, the culture that enables it – or neglects it – is built from the top down. We, as leaders, set the standard. It’s our duty to move beyond a passive, compliance-driven mindset and actively champion a culture of proactive security and accountability.

The security of your data, the trust of your customers, and the stability of your business depend on it.