Inside IBM’s Billion-Dollar Security Push

Can money buy security?

That’s a question that IBM may be set to answer as it prepares to enter 2008 with a multibillion-dollar effort to bolster security.

At the time Big Blue unveiled its big security plans in November, it gave some indication as to how the money would be spent in developing new technologies and products.

The announcement, however, represents just the tip of the iceberg: The company’s new vision has far deeper implications that may well transform the nature of IBM itself.

Kris Lovejoy, IBM’s director of corporate security strategy, outlined a number of the changes taking place at the company in its effort to make good on its sweeping goals in the security space.

For one thing, she explained that she spent a lot of time this year talking to customers, ultimately coming away with better ideas about what drove security spending.

“Most security technology that customers had been buying was because they had a compliance requirement,” Lovejoy said.

Compliance wasn’t the only factor, though. A number of security appliance purchases came about from business-line executives seeking to address specific problems. In some cases, those purchases took place outside of the traditional IT capital expenditure budgets.

According to Lovejoy, the multitude of security products in the enterprise led a number of IT organizations to re-assess their purchases. Increasingly, she said, they realize they have silos of capability in products they use — along with, in other instances, an inability to correlate data, as well as redundant costs.

“Organizations want and need to simplify,” Lovejoy said. “They need to work with strategic vendors that will provide them with asset-based services. What we’re trying to do is take a look at our portfolio and take a look at our capabilities and make sure that what we offer meets business criteria.”

Among those criteria, IBM hopes to address the need for technology that is easily consumable. That’s becoming important since it’s not just traditional IT people that need and use security-related software and services.

Integration has also become a key necessity for customers, Lovejoy argued. Businesses need to ensure that security capabilities are ubiquitous, existing at various layers in the enterprise — including policy, management and reporting.

With its new security push, integration also has become critical within IBM’s own corporate structure, as it melds various product groups and structures to execute on its vision.

“The governance of the security portfolio has changed pretty radically within IBM,” Lovejoy said. “The way IBM is looking at its security portfolio and recognizing that it has assets that exist in multiple brands.”

As a result, Lovejoy said IBM adopted a new organization to execute on its security plans.

A Security Executive Committee oversees activities of subgroups, which include Lovejoy’s Corporate Security Strategy Group. That unit itself has working groups looking at areas of practical concern for users, such as information privacy.

Working groups include members of IBM product brands, who develop a strategy on how to evolve, build or buy the technologies that people want. The working groups will also determine which IBM product brand will then actually do the work required.

Strategies developed from the Corporate Strategy Group are given to IBM’s Security Architecture Board, another cross-brand organization. The board is responsible for taking concepts and ensuring that they are executed.

Then there is a go-to-market team, yet another cross-IBM unit, which includes marketing and enablement people. The team develops materials that optimize IBM’s ability to tell a consistent security story.

The effort will also involve IBM’s massive sales force, providing them with guidance on security solution focus areas. Lovejoy noted that it’s not quite a salesperson re-training effort, but rather a “value enforcement” effort.

Then, of course, there is the money.

“As we move forward, we’ll look at the various brands and sales folks and how they are being incented to look at security sales,” Lovejoy said. “We’ll look to assure that the correct models are in place to create the synergies between the various capabilities that we have.”

IBM’s vast security undertaking isn’t necessarily an effort just to fix what end-users have been doing wrong in buying incompatible or redundant security. Instead, the company is also aiming to set the market itself straight — at least, the way IBM sees it.

Lovejoy argued that customers have been reacting to the industry’s tendency to push products based on the latest and greatest security scares.

“What has been wrong is that many vendors haven’t been honest with customers about what their requirements are,” Lovejoy said. “Every vendor has the word ‘compliance’ on their site and it’s somewhat unfortunate that the fear factor has driven organizations to make investments that they, quite frankly, didn’t have to make.”

“The market is unfortunate in pressuring customers, making them afraid,” she added.

But IBM, she said, doesn’t play the fear-factor game.

“We don’t scare our customers into buying things because we have the luxury of being able to roll out capabilities when the market is ready to consume them,” Lovejoy said. “When we tell our customers they need to worry about things like botnets and coupon scams, it’s not because we want people to buy a capability. It’s because we have a cadre of researchers.”

She added that those researchers are actively engaged with law enforcement and other groups to validate and investigate threats. As a result, IBM can offer its customers a more realistic idea of the security threat landscape.

Ideally, at least. Of course, only time will tell whether buyers will follow this line of thinking, and how accurately Big Blue has pegged its customers’ needs. Both, it would seem, are needed before IBM’s immense, multibillion-dollar endeavor in security can begin paying off.
