Piecing together IBM's security puzzle

Despite having some of the best security talent, products, and services around, IBM has no plans to become a full-on security vendor

IBM owns some of the world's leading IT security talent, products, and services, but executives with the massive company say it will likely never aim to become what people might label as a true "security vendor."

The technology giant has added high-profile security assets in the last year alone, acquiring such companies as applications testing specialist Watchfire in June 2007 and managed services and hardware giant ISS in Aug. 2006.

However, unlike rivals such as Microsoft -- which has moved to stake a claim in the anti-virus, messaging, and collaboration security segments with its own products -- executives say that Big Blue is more interested in blending security further into its existing products and services than in becoming a more mainstream security provider.

Under IBM's control are security offerings that range from its Tivoli group's identity management and compliance software packages to the gateway appliances made by ISS and outsourcing services provided by its Global Technology Services unit.

Yet the common theme throughout the company's overarching strategy is not one that emphasizes competition in hot markets or via standalone products, executives say, but rather an approach that attempts to mix security skills into almost all of its existing business lines as a component of its larger vision.

"We're not really focused on selling a bunch of security products and services. Our drive is to embed as much security capability as possible in the platforms we have, along with our operating systems, business services, and everything else," said Stuart McIrvine, director of IBM corporate security strategy.

"Security is absolutely one of the core critical areas where IBM is focused as a corporation," he said. "But it's more about making it easier for customers to manage all these technologies that we offer and make those technologies more secure themselves."

Repeating that IBM is in the business of marketing "secure business solutions," versus selling security products, McIrvine said that the company pursues a three-pronged strategy that centers on infrastructure security, corporate risk management, and compliance automation.

All of those efforts tie back into the notion of lowering customers' security concerns either by bolstering the onboard protection of its products or fostering business controls that benefit areas like regulatory compliance, the executive said.

Case in point is the just-underway work to integrate Watchfire's applications scanning tools into IBM's own Rational software development platform. The effort is being undertaken in the name of helping businesses drive security further into their own software development efforts, a trend that is currently sweeping across that sector.

And while industry experts say that customers are only just beginning to build security testing into their software development process, IBM's move to stay ahead of the trend was validated when rival HP purchased applications scanning provider SPI Dynamics to blend into its own Mercury platform just weeks after the Watchfire deal was announced.

Along with augmenting its perimeter protection capabilities via ISS, expanding identity management tools across many of its business lines, and fostering data governance efforts to benefit issues like compliance and data leakage prevention, IBM is, however, focused on growing its presence in some burgeoning security niches.

Among those are management of encryption technologies and enterprise data discovery, which will fold accordingly into many of Big Blue's existing offerings, McIrvine said.

"Encryption key management has been around a long time, but because encryption is growing so quickly and there are so many different areas that require keys, companies are struggling with the overall process of adopting it more broadly," McIrvine said. "It's a very complex area, and admittedly we still have a lot of work to do on it ourselves, but there's an opportunity for tools and services that manage the entire encryption key lifecycle, and we're doing a lot of research and development in that area."

One of the hallmarks of companies trying to avoid data breaches and comply with state and federal data-handling regulations is that most of the organizations still have problems figuring out where all of their sensitive information is stored and how it is accessed, the executive said.

Those factors will continue to drive interest in so-called e-discovery tools, and IBM can parcel the systems into its data governance, compliance management, and managed services businesses as demand for the technology evolves, according to McIrvine.

"Discovery is an example of a less mature market that will become increasingly mainstreamed over the next two to three years and where we think it makes sense for us to invest," he said.

Industry watchers observed that it is sometimes hard to understand exactly what IBM's overarching security strategy may be, but the experts admitted that the challenge may lie in taking account of the diverse range of products and services that the company is adding security components to support.

IBM will likely deal with growing pains as it works to integrate all of its security acquisitions and products, said Paul Stamp, analyst with Forrester Research. However, the company has added some compelling security assets over time, he said.

"I don't think you'll ever see IBM go out and try to buy all the pieces needed to become a true security player, as it were, but they can offer customers a significant portion of what they might need, especially in relation to their other products," Stamp said. "They have made a lot of investments; the difficult part for them will be putting everything they have together."

Stamp said that IBM will likely use security most effectively to continue to grow the margins of its massive services business.

Other experts agreed that IBM has never had a particularly clear security strategy but observed that it has added pieces that fit its corporate goals around building true "solutions" packages.

"The problem in understanding IBM's security vision is that it is scattered around so many divisions, and something like risk management is not a product that we can talk about in traditional terms," said Andrew Jaquith, analyst with Yankee Group. "I don't think we'll ever look at IBM as a security company in the pure sense, it's not in their DNA, but we will see that they provide elements of security throughout their offerings."

"I typically avoid the word 'solution' as it's usually misleading, but in this case with IBM and security it actually fits because they have hardware, software, and services, and they will continue to pull those packages together in a way that also includes security," the analyst said.