Blog

To Prioritize Upgrades or Security

To Prioritize Upgrades or Security elizabeth.hau

The technology world is all about trade-offs. MFA versus accessibility, speed versus robustness, stability versus expandability. Struggling with tight budgets and limited resources, one of the biggest decisions IBM i organizations face is whether security or maintenance gets the green light first?  

Fortra’s latest Marketplace Survey shows that IBM i skills are now the top concern for most teams, with cybersecurity a close second. Meanwhile, the latest State of IBM i Security Study reveals gaps in foundational controls. So, while upgrades matter, they should never delay basic IBM i security work. Companies can weather the inconvenience of delaying upgrades, but a cybersecurity breach can be catastrophic.  

Competing Priorities Keep Security Waiting  

Constantly handling urgent work like production issues, upgrades, audits, and user requests, IBM i professionals are forced to put off pressing security concerns. But it is precisely because urgent work will never disappear that security must be scheduled as a core operational task, not deferred until someone has spare time.  

Waiting for the next server refresh or OS upgrade rarely fixes exposures, while delaying foundational controls often extends periods of avoidable risk. If a security initiative depends on a newer release, upgrade first. Otherwise, run security alongside upgrade planning.  

Lean Teams Raise the Stakes  

Most IBM i environments are run by small teams with broad responsibilities, making modernization and security harder, especially when experienced staff are retiring faster than organizations can replace them. That’s why Fortra’s 2026 Marketplace Survey shows that the IBM i skills gap has overtaken even cybersecurity as the top concern.  

While this doesn’t diminish the need for security, it does explain why security administration is often under-resourced. When skills are scarce, organizations reduce security work, simplify administration, and invest in training and automation. Leaders can’t expect overstretched administrators to absorb security as a side task, and must fund skills development, outside expertise, and tooling that helps teams secure platforms.   

Budgeting for Resilience  

Security projects struggle to compete for funding against operational improvements like performance enhancements or lifecycle upgrades… until the cost of weak controls becomes evident during security incidents, audit failures, or compliance issues.  

If security is treated correctly as a recurring operational need, it cannot be an optional task dependent on surplus funding. The 2026 State of IBM i Security Study emphasizes that many organizations lack fundamental controls, not just advanced protections, so budget decisions must reflect that many environments have yet to complete the basics.  

Security should be funded similarly to resilience, availability, and compliance, with regular cycles for reviewing policy, access, auditing, and network controls.  

IBM i: Robust, Not Invincible 

IBM i is renowned for its robust architecture and integrated security model, but this reputation can lead to complacency when foundational settings and controls are not properly configured. Many environments still rely on outdated authentication methods and overly permissive default settings. As connectivity and data access tools evolve, these outdated assumptions pose a significant risk.  

The core problem is not the security capabilities of IBM i but the unfinished foundational work in many organizations. A firewall and a strong platform reputation are insufficient, so consistent access controls, monitoring, and remediation must become routine.  

Compliance and the Cost of Delay  

Regulatory and audit expectations make delaying security an increasingly bad idea. Organizations must demonstrate that access, monitoring, and change controls are not only documented but actively enforced. While staying current with new software and patches is crucial, compliance demands that auditors provide evidence that foundational security settings are in place and regularly reviewed.  

Security and maintenance are intertwined. Patch recency, configuration hardening, and monitoring all contribute to the same risk profile. Security becomes a board-level issue when regulators are involved due to the significant financial and legal consequences of weak controls. No organization is immune. If the data is important to the business, so are the controls.  

Charting the Path Forward  

The evidence points to one clear conclusion: do not wait for the perfect upgrade opportunity to build a solid security foundation.  

Unless a newer release supports a specific security objective, focus on strengthening access control, auditing, monitoring, and network security immediately while continuing the modernization roadmap. Upgrades should support but never delay security.  

For most IBM i environments, the recommended strategy is to address foundational security gaps now and plan upgrades in parallel, guided by staffing realities and business risk. External services can assist with rapid implementation by identifying weaknesses and prioritizing remediation. If unsure about the current state of an environment’s security, a Powertech Security Scan can offer a quick overview and flag any problem areas. This approach effectively balances security and modernization efforts, safeguarding organizations against potential threats while reliably advancing technological capabilities. 

Blog

You’ve Upgraded Your Hardware. Now It’s Time to Upgrade Your Security Posture

If you have recently upgraded your hardware, our this is a great opportunity to establish IBM i security best practices for your organization now and into the future — and our free Security Scan will help you do just that. The Security Scan takes an inventory of your current security settings and uses the results to demonstrate your data’s degree of vulnerability and pinpoint specific weaknesses.
Blog

Reduce Downtime on IBM Power with Live Partition Mobility (LPM)

According to the IBM i Marketplace Survey, nearly half of businesses rank High Availability (HA) and Disaster Recovery (DR) among their top IT concerns. A key component of this is minimizing downtime during planned server maintenance, whether upgrading to the latest IBM Power hardware, or applying disruptive critical platform firmware and VIOS updates. With cybersecurity as the top IT concern,...