To Prioritize Upgrades or Security
To Prioritize Upgrades or Security elizabeth.hauThe technology world is all about trade-offs. MFA versus accessibility, speed versus robustness, stability versus expandability. Struggling with tight budgets and limited resources, one of the biggest decisions IBM i organizations face is whether security or maintenance gets the green light first?
Fortra’s latest Marketplace Survey shows that IBM i skills are now the top concern for most teams, with cybersecurity a close second. Meanwhile, the latest State of IBM i Security Study reveals gaps in foundational controls. So, while upgrades matter, they should never delay basic IBM i security work. Companies can weather the inconvenience of delaying upgrades, but a cybersecurity breach can be catastrophic.
Competing Priorities Keep Security Waiting
Constantly handling urgent work like production issues, upgrades, audits, and user requests, IBM i professionals are forced to put off pressing security concerns. But it is precisely because urgent work will never disappear that security must be scheduled as a core operational task, not deferred until someone has spare time.
Waiting for the next server refresh or OS upgrade rarely fixes exposures, while delaying foundational controls often extends periods of avoidable risk. If a security initiative depends on a newer release, upgrade first. Otherwise, run security alongside upgrade planning.
Lean Teams Raise the Stakes
Most IBM i environments are run by small teams with broad responsibilities, making modernization and security harder, especially when experienced staff are retiring faster than organizations can replace them. That’s why Fortra’s 2026 Marketplace Survey shows that the IBM i skills gap has overtaken even cybersecurity as the top concern.
While this doesn’t diminish the need for security, it does explain why security administration is often under-resourced. When skills are scarce, organizations reduce security work, simplify administration, and invest in training and automation. Leaders can’t expect overstretched administrators to absorb security as a side task, and must fund skills development, outside expertise, and tooling that helps teams secure platforms.
Budgeting for Resilience
Security projects struggle to compete for funding against operational improvements like performance enhancements or lifecycle upgrades… until the cost of weak controls becomes evident during security incidents, audit failures, or compliance issues.
If security is treated correctly as a recurring operational need, it cannot be an optional task dependent on surplus funding. The 2026 State of IBM i Security Study emphasizes that many organizations lack fundamental controls, not just advanced protections, so budget decisions must reflect that many environments have yet to complete the basics.
Security should be funded similarly to resilience, availability, and compliance, with regular cycles for reviewing policy, access, auditing, and network controls.
IBM i: Robust, Not Invincible
IBM i is renowned for its robust architecture and integrated security model, but this reputation can lead to complacency when foundational settings and controls are not properly configured. Many environments still rely on outdated authentication methods and overly permissive default settings. As connectivity and data access tools evolve, these outdated assumptions pose a significant risk.
The core problem is not the security capabilities of IBM i but the unfinished foundational work in many organizations. A firewall and a strong platform reputation are insufficient, so consistent access controls, monitoring, and remediation must become routine.
Compliance and the Cost of Delay
Regulatory and audit expectations make delaying security an increasingly bad idea. Organizations must demonstrate that access, monitoring, and change controls are not only documented but actively enforced. While staying current with new software and patches is crucial, compliance demands that auditors provide evidence that foundational security settings are in place and regularly reviewed.
Security and maintenance are intertwined. Patch recency, configuration hardening, and monitoring all contribute to the same risk profile. Security becomes a board-level issue when regulators are involved due to the significant financial and legal consequences of weak controls. No organization is immune. If the data is important to the business, so are the controls.
Charting the Path Forward
The evidence points to one clear conclusion: do not wait for the perfect upgrade opportunity to build a solid security foundation.
Unless a newer release supports a specific security objective, focus on strengthening access control, auditing, monitoring, and network security immediately while continuing the modernization roadmap. Upgrades should support but never delay security.
For most IBM i environments, the recommended strategy is to address foundational security gaps now and plan upgrades in parallel, guided by staffing realities and business risk. External services can assist with rapid implementation by identifying weaknesses and prioritizing remediation. If unsure about the current state of an environment’s security, a Powertech Security Scan can offer a quick overview and flag any problem areas. This approach effectively balances security and modernization efforts, safeguarding organizations against potential threats while reliably advancing technological capabilities.