Security vendors have been harping on the need for enterprise companies to adopt top-down risk management strategies to improve their overall security standing for several years, but experts at IBM claim that the trend is now finally taking hold.

Driven by the need to comply with a growing number of government and industry regulations, a wider swath of businesses are moving away from reactive IT security models and employing comprehensive risk management tactics, IBM officials maintain.

With the arrival of the PCI (payment card industry) data security standard and the need for nearly any company that processes credit or debit card transactions to begin revamping their security infrastructure, many more businesses are beginning to understand that they cannot defend themselves by merely buying new point products and responding to individual threats, said Chris Lovejoy, director of governance risk management strategy at IBM.

In response to the growing support of risk management planning, IBM announced Thursday that it has created a range of new product combinations and services offerings that aim to help customers tackle major elements of IT security and compliance project work in a more integrated fashion.

By offering broader integrated products and services, Lovejoy said, Big Blue can help large businesses take a more centralized, integrated approach to solving their security and compliance problems.

"What we're telling people is that they need to partner with somebody who has the capacity to handle the whole complex picture of security and compliance from a long-term perspective," Lovejoy said. "We know that companies cannot afford to keep buying widgets every time a new security or compliance issue arises. This is the model people have been working with, and it's not working from either a cost or complexity standpoint."

While the company's messaging around risk management may strike many people in the IT security community as nothing new as industry leaders such as Symantec and McAfee have rolled out similar strategies in recent years and IBM first detailed its plans to adopt a similar strategy in May, Lovejoy said that many businesses are just waking up to the concept.

Customers operating in heavily regulated industries, such as the financial services and health care markets, may be years into their enterprise risk management programs, but most companies outside of those segments have not been forced to employ the top-down approach until now, and thus haven't done so, said the expert.

Initial attempts to conform with the PCI mandate -- which is aimed at forcing companies such as retailers to do a better job of protecting their customers' sensitive personal information -- have opened the eyes of many other types of businesses to the need to utilize a unified approach to managing IT security and compliance efforts, Lovejoy said.

"PCI essentially represents a reasonable risk management framework, a more pragmatic way of looking at infrastructure and the interaction of people with data, and applying control at the right layers," Lovejoy said.