① Journal · IBM zSecure
An IBM (International Business Machines) zSecure renewal is commonly waved through as a compliance cost that cannot be questioned. It can. What moves it is rarely a discount ask; it is the module set, the measured capacity, and the timing. Here are five levers that commonly move a zSecure number, and how to build each.
The zSecure number is not a fixed compliance tax. It moves on scope and capacity.
zSecure is IBM's mainframe security suite, a set of separately licensed products, zSecure Admin, Audit, Alert, Visual, Command Verifier, CICS Toolkit and Manager for RACF z/VM, that sit on top of an external security manager (ESM) such as IBM RACF, Broadcom ACF2 or Broadcom Top Secret. Because it carries the word security, the renewal is commonly treated as untouchable, a cost the audit and risk teams will not let anyone question. That framing favors the vendor. Most estates hold entitlement to modules they no longer actively use, and most pay a Subscription and Support charge measured on a capacity they have never validated for this product line.
zSecure is licensed under the IBM International Program License Agreement, the one time charge plus recurring Subscription and Support model, with the recurring charge commonly tied to sub-capacity MSU (Million Service Units). That gives the buyer two structural levers most renewals leave on the table: the module set, and the measured capacity. Read this with our explainer on IBM IPLA one time charge licensing and the IBM publisher hub.
zSecure renewal levers · what moves the number and how it works
| Lever | What moves the number | How to build it |
|---|---|---|
| Suite vs point modules | Dropping unused modules removes recurring S&S you earn nothing on | Map real usage against entitlement, module by module |
| The ESM alternative | A scoped native or consolidation path removes pure dependence | Cost native RACF coverage for specific functions in advance |
| Sub-capacity MSU | A lower measured capacity lowers the S&S charge it sits on | Validate the capacity this product is priced on with SCRT |
| The S&S baseline | The recurring Subscription and Support number anchors the cycle | Reset the base on validated use, not last cycle plus uplift |
| Audit and compliance timing | A deadline running against you hands the vendor the clock | Open the renewal early, ahead of any compliance milestone |
These are patterns and levers we commonly observe on zSecure renewals, not statements of IBM policy or guaranteed outcomes. Your specific entitlement, pricing model, and contract terms govern; treat them as the analysis to build, validated against your own SCRT, entitlement records, and contract data.
zSecure is sold as discrete products, not one license, and the renewal commonly carries every module the estate ever bought. Map current usage against entitlement: which modules feed live administration, auditing and alerting, and which were enabled for a project that ended. The modules that earn nothing are recurring Subscription and Support you can decline at renewal. Scope discipline on the module set commonly moves the number further than any headline discount.
Renew the modules you run, not the ones you once enabled.
zSecure adds automation on top of an external security manager, and native RACF tooling covers a subset of what it does. It is rarely a full replacement, so the lever is not a bluff that you will rip it out. It is a scoped, costed view of which specific functions could move native, or where consolidating ACF2 or Top Secret onto one ESM changes the footprint. A credible, bounded alternative gives the conversation leverage that pure dependence never does.
A scoped alternative moves the number; total dependence does not.
The fastest way to lose a security renewal is to negotiate it under a compliance deadline. A pending audit, a regulator milestone, or an internal control date all become the vendor's pricing ally the moment they are closer than your renewal. Open the conversation twelve to eighteen months out, map usage and validate the capacity first, and the deadline stops setting the price. The timing you control is the timing the vendor cannot use.
Negotiate ahead of the deadline, or fund the urgency premium.
④ Where the zSecure number is won
The zSecure number moves on scope and capacity. Renew what you run, validate the base. Open it before the audit clock can set the price.
Typical reduction negotiated on renewal spend
Mainframe spend negotiated on the buyer side
Engagements delivered since 2019
The module set. zSecure is licensed as separate products, and most estates carry entitlement to modules they no longer use. Mapping real usage against entitlement, then declining to renew what earns nothing, moves the number more reliably than a discount ask. The sub-capacity MSU the Subscription and Support charge sits on is the second lever.
Partially, for some functions. zSecure automates administration, auditing and alerting on top of an ESM, and native RACF tooling covers a subset. It is rarely a full replacement, but a scoped, costed plan to cover specific functions natively, or to consolidate ESMs, gives leverage that pure dependence does not. See ACF2 vs Top Secret vs RACF.
Twelve to eighteen months before the Subscription and Support term expires, and ahead of any audit or compliance deadline touching the security estate. A compliance clock is the vendor's strongest pricing ally. See how vendors time renewal pressure.
Treating a security renewal as untouchable, renewing every module on the entitlement, and negotiating under a compliance deadline they let creep closer than the renewal. Our license negotiation service maps usage and resets the base on validated data, and our IBM contract review reads the terms for the scope and uplift clauses that drive the number.
Related: IPLA one time charge licensing · z/OS renewal negotiation · z/VM renewal negotiation · IBM contract review · license negotiation
Audit notice or renewal under 18 months out? We mobilize within 48 hours.
Get expert help →