Amy Williams

Sr Security Services Consultant
Fortra
 

Amy Williams is a Senior Security Services Consultant who joined Fortra in 2015. She holds CISSP, CISA, and PCI-P certifications.

Amy has worked on the IBM i platform for nearly 30 years and her experience includes application testing, system installation, system administration, and architecture. She has worked in the warehousing distribution, travel, and gaming industries.

Amy has performed many successful role swaps as well as object-level remediations of disparate applications on the same IBM i LPAR. She has been responsible for consolidating over 60 LPARs to fewer than 30 while keeping the business moving forward. She has implemented exit point security when working towards a PCI ROC filing.

Since joining Fortra, Amy has worked with clients on a variety of mission-critical projects, including performing system migrations and ensuring their application architecture was maintained, remediating all special authorities from users while accommodating specific operational and security needs, strategically implementing Powertech's suite of solutions for a multi-system implementation, and completing remediations to remove *ALLOBJ authority. She was named an IBM Champion in 2024.

Amy also served in the Air National Guard for 10 years in the communications flight (IT).

 


Q & A with Amy

 

What’s the most interesting or impactful project that you’ve had the chance to work on?

Definitely implementing object level security for a hosting customer. They're a hosting service, so they have many customers connecting into their IBM i and storing their data on their hardware. And I worked with them to get to a deny by default architecture and worked with them on implementing their change management process to ensure that their security stayed in place and didn't drift. That was probably the biggest, most impactful one because they went from an open architecture to a deny by default.

The most interesting would be a remediation to a deny by default architecture for a large company across about 19 different LPARs. I helped them create unique configurations for each of those LPARs because of the unique processes on them. The entirety of that project took just about ten months to complete.

 

What would you say is the biggest barrier holding customers back from strengthening their security?

I would say fear. More specifically, the fear of change because they can't afford any outages or downtime so they don't understand what the consequences might be when they make a change. So they have this paralysis of “I'm just not going to change anything because if I do something might break.” The value that I've been able to bring to those customers is being able to show them how we can make those changes without impacting their business and without causing outages. We can identify ahead of time what those risky configurations would be to prevent those types of outages and make them in a more responsible way rather than just clicking the button and hoping for the best. We anticipate as best we can the consequences of any of the changes that we're going to make to their environments.

 

What changes do you foresee in the world of cybersecurity in the coming years?

I think awareness is really going to change the playing field. People already are more aware today of what's happening and what's possible. However, they are mostly just hoping that it won’t happen to them, while in practice that thinking is slowly fading away. People want to say technology like AI is going to change everything, but I believe the first step is always going to be building awareness surrounding what could happen if preventative security measures are not taken – and I continue to see more and more people willing to be aware of what the consequences of not doing anything could be. I think the biggest change is that people are actually becoming aware that security is an ongoing journey and a constant question of “What do we need to do next?” because the landscape is continually changing.

 

Have you ever worked with a customer that was in the midst of, or recovering from, a ransomware attack?

Without going into too much detail, I do have experience with assisting a company who was breached and lost a plethora of resources and had to basically rebuild their entire environment from scratch. However, their IBM i was not impacted because I had just completed remediations on their IBM i that limited access to it and established a deny by default architecture. So when that breach happened, the risk landscape to the IBM i was very, very small and they weren't able to take advantage of that. My job afterwards was to verify that the data was not corrupted. So, we did validations with the business teams and then got the business up and running. Also, the day after the breach happened, payroll was due. Now, payroll ran out of the IBM i system. So our number one job was to ensure everybody still got paid – and they did. That was definitely one of the most consequential experiences of my career.

 

How has the cybersecurity landscape changed since you got your start?

Definitely the attention that the IBM i is getting by bad actors and the attention that IBM is paying to security vulnerabilities on the IBM i. So IBM is taking a stronger position with the release of the newest OS V7R5. They have made leaps and bounds of changes from what they used to ship as defaults that were able to be updated and made secure to now shipping systems that are more secure out-of-the-box than they were before. For me, on the IBM i side, this is probably one of the biggest changes I've seen. It's no longer IBM saying “Hey, it's all yours and you're responsible.” They're starting to take a more active role in ensuring that the systems out-of-the-box are more secure and more securable.