InfoWorld: IBM Digs into Security Management

IBM is aggressively expanding its security portfolio in hopes of becoming the de facto source of advice and technology for businesses looking to adopt high-level IT governance and risk management strategies — a transformation among customers that officials at Big Blue cite as both ongoing and inevitable.

As the waves of security threats and data management regulations have washed ashore and left organizations struggling to balance perimeter and internal security concerns with mounting obligations to protect highly-valuable data, companies are being forced to take more of a top-down approach that addresses broad sets of IT-oriented risks, versus individual problems, IBM officials maintain.

And while a host of players ranging from security software makers to massive IT consultants have begun marketing themselves as those best suited to help customers embrace a governance and risk management approach, IBM executives claim that their firm’s mix of technology, services and partnerships place it at the top of any list of providers capable of helping organizations prepare their security operations for the future.

“We feel that we’re ahead of the curve and driving forward our ability to meet these needs, some of which that might not yet have emerged from a broad perspective,” said Kris Lovejoy, IBM’s director of corporate security strategy.

“We feel that we are creating security risk management capabilities and have an opportunity to commoditize them in a way that can be leveraged at large,” she said. “From an overall strategic perspective, that doesn’t mean that customers are ready to stand up en masse right now and require everything we’ve built, but we’re actively trying to extend the portfolio in advance of that trend.”

Industry specialists, including Symantec and McAfee, the world’s two largest security software makers, have also adopted high-level product and marketing efforts meant to help customers move away from battling individual threats and compliance regulations in favor of a more generic risk management strategy, but IBM claims that it is better positioned to help customers move in that direction today.

While the traditional security vendors have long been focused on shipping products that address various elements of end-to-end security and have only moved into risk management in the last two years, Big Blue has its own products and services as well as partnerships with those very vendors and many others that give it an upper hand, IBM executives said.

“In a sense, today, security is like a car without a steering wheel, and we think we’re the only vendor who has the right abilities across all the involved domains that can drive change across business processes,” said Eric McNeil, manager of corporate security strategy at IBM. “These other companies touch on a lot of domains, but we’re the only ones who have all the pieces that span identity, applications security, physical security, and asset lifecycle management.”

With its broad array of product and services skills, the executives said that IBM is best qualified to pull together key components that will allow more organizations to manage security using analytical reporting, policy creation and enforcement, and through the use of risk analysis dashboards.

The executives cite two areas, IT service management and master data management, as tremendously important to its ability to aid customers in addressing risk. To be able to build controls to oversee change and configuration issues on the services side and help companies get their heads around the intricacies of master data management, customers will need more than the traditional security vendors can offer, said Lovejoy.

“The security companies of the future are not the companies that offer capabilities for the newest bells and whistles, it’s about those things and more, including all the plumbing needed to make these strategies work,” said Lovejoy. “While traditional security players that off threat management have great benefits in securing a perimeter, they’re not adept at installation of basic plumbing, which actually helps in managing the majority of the risk.”

Partners fret about potential downgrades

Throughout its Global Technology Services unit and IBM software group, including its Tivoli product lines, Big Blue officials contend that the company is far better suited to handle configuration and change management around complex issues like employee identity.

Top executives at Symantec and McAfee concede that IBM enjoys a unique position in the security sector based on the breadth of its products and partnerships and its huge services delivery capabilities.

And while the CEOs of both companies first point out that they consider IBM as one of their closest and most important partners, respectively, they maintain that they too have strengths in IT governance and risk management that will continue to distinguish them from the technology giant.

They also said that IBM will have to resist the urge to promote its own security technologies at the expense of providing customers with best-of-breed technology.

“They’re a different beast than us because they play such a big services integration game up and down the IT stack, but it does seem sometimes that everything does look ’blue’ to them,” said David DeWalt, chief executive at McAfee. “We’re not looking to compete with them, and there’s not a lot of overlap, so the idea will be to continue to partner where we can.”

While recognizing that his company partners with IBM around the globe and that he considers it extremely valuable to continue to do so, John Thompson, chief executive at Symantec, said that there are concerns about IBM giving preference to its in-house technologies.

Prior to joining Symantec nine years ago, Thompson served in the role of general manager of IBM Americas and a member of the company’s Worldwide Management Council.

“The issue in terms of our relationship with IBM is if they will continue to be open to technologies that come from outside their own software group, or will they have a strategy as has been articulated as ’blue on blue,’ or IBM services packaged around IBM software,” Thompson said. “To the extent that they bias their engagements that way, they might limit their ability to compete, and it is clear that they have an institutional bias if you look at some of the things that we have observed on the marketplace.”

Responding to those comments, IBM’s Lovejoy said that while IBM has continued to make investments in expanding its security product portfolio — most notably via the acquisition of Internet Security Systems for $1.3 billion in August 2006 — that it will continue to foster a best-of-breed approach using its partners to ensure it meets its customers’ needs.

She also noted that IBM’s services business would never have grown to become over half of the company’s annual revenue without a “vendor agnostic” approach.

Industry experts said that IBM and its security partners are likely to compete more frequently as the company acquires additional products and its rivals build out their services and risk management capabilities.

However, said Paul Stamp, analyst with Forrester Research, all the involved parties likely have too much riding on their existing partnerships for any competitive ill will to affect their relationships.

“There will be competition, but I think that IBM sees this risk management issue as going far beyond what we consider traditional security, they are looking more at setting policies and security within a larger IT management framework that includes performance management, data governance and overall business services issues,” said Stamp.

“If anything I think Symantec will compete with them more in some areas, and there will be areas where [Symantec] has some individual strengths, but these companies all need to partner,” he said. “You also have to remember that customers IT shops aren’t monolithic, and each company will continue to sell into different constituencies; in the end there should be room for everyone.”

By Matt Hines, InfoWorld (US)