IBM’s fortunes in cybersecurity improved substantially when it abandoned its internally focused strategy and built a business to meet customer requirements.

IBM’s recent financial results sent Wall Street into a tizzy as the company missed its targets on multiple counts. Brooks Brothers-clad equity analysts quickly freaked out, declaring that IBM is too big, has lost its sense of innovation, and needs to be broken up a la HP.

I grew up close to Armonk, New York, so I’ve known IBM my whole life. While I have some opinions about the IBM Corporation’s problems and what it should do, I’ll hold on that perspective for now. As food for thought on IBM’s woes, here is an excellent article in Forbes magazine, written by industry veteran Robert Cringely.

For my part, I am happy to point out a successful business model that IBM should emulate. This should be pretty easy to grasp as it comes from within the company itself – the IBM security division.

Now, I realize things haven’t always been rosy with IBM and security. If you asked an IBMer about infosec a few years ago, they would point you toward Tivoli identity management or mainframe tools like RACF. Even more recently, IBM acquired network security leader ISS and then buried it within its services group, alienating employees and customers alike. IBM also had a series of me-too SIEM platforms that only true-blue customers had any interest in buying.

So what happened next? IBM’s half-hearted cybersecurity effort went through a profound transformation in 2011. This change was a realization that:

- IBM couldn’t pitch its “smarter planet” initiatives without wrapping these new-age applications with strong comprehensive cybersecurity coverage.
- IBM couldn’t sell second-tier products and expect to succeed.
- IBM couldn’t win in cybersecurity without focus.
In summary, the “ah-ha” moment was when IBM recognized that its cybersecurity strategy could only succeed if it responded effectively to market needs rather than internal business concerns. Once IBM had this epiphany, acquired Q1, and formed its dedicated division, it turned its cybersecurity ship around and is now a clear market leader. As of 2014:

- IBM is one of few vendors that can offer an end-to-end enterprise security architecture for incident prevention, detection, and response.
- IBM established a dedicated “tiger team” of highly experienced infosec professionals as part of its security sales team. This team works directly with CISOs, security analysts, and architects.
- The infosec division now owns ISS, modernized its products, and is gaining momentum.
- IBM’s acquisition of Trusteer puts the company in the anti-fraud market and positions it well for the emerging battle for endpoint security 2.0.
- The IBM security division is working closely with its industry groups. This should result in unique offerings as cybersecurity grows more industry-specific on the back of IoT applications and new regulations.

Of course, IBM’s security division is far from perfect. It still bogs down under the weight of IBM’s corporate bureaucracy, remains tied to the IBM base, and hasn’t been as aggressive in areas like network security as it should be. It also needs to aggregate its products and services in a more logical and customer-consumable way. In spite of these shortcomings, however, the IBM security division is growing precipitously, aligning core IBM enterprise scale and sophistication strengths with cybersecurity technology, and delivering real value to customers.

The lesson for Armonk is simple and right there for further study: Rather than focus internally on financial engineering, metrics, and cost cutting, IBM would be wise to emulate the company’s cybersecurity success strategy moving forward. A market-driven strategy worked in security.
It can work in hardware, software, and services too.