If any packages need to be secure (not viewed by unauthorized persons), the application can be preprocessed into a private bind file that is only accessible to the authorized person(s). VSAM security control mechanism could then be used to protect this private VSAM file so that unauthorized access is denied. You can change the JCL of the preprocessor to specify the file_id of the private VSAM Bind file on the SQLBIND DLBL statement and use this file_id with the CBND transaction.
With CICS/VSE, you can only establish SECURITY=SAME conversions with remote partners. Therefore, DRDA security checking is performed during handshaking.