Piecing together IBM's security puzzle

IBM owns some of the world's leading IT security talent, products, and services, but executives with the massive company say it will likely never aim to become what people might label as a true "security vendor."

The technology giant has added high-profile security assets in the last year alone, acquiring such companies as applications testing specialist Watchfire in June 2007 and managed services and hardware giant ISS in Aug. 2006.

However, unlike rivals like Microsoft -- which has moved to stake a claim in the anti-virus, messaging, and collaboration security segments with its own products -- executives say that Big Blue is more interested in blending security further into its existing products and services than it is hopeful of becoming a more mainstream security provider.

Under IBM's control are security offerings that range from its Tivoli group's identity management and compliance software packages to the gateway appliances made by ISS and outsourcing services provided by its Global Technology Services unit.

Yet the common theme throughout the company's overarching strategy is not one that emphasizes competition in hot markets or via standalone products, executives say, but rather an approach that attempts to mix security skills into almost all of its existing business lines as a component of its larger vision.

"We're not really focused on selling a bunch of security products and services. Our drive is to embed as much security capability as possible in the platforms we have, along with our operating systems, business services, and everything else," said Stuart McIrvine, director of IBM corporate security strategy."

"Security is absolutely one of the core critical areas where IBM is focused as a corporation," he said. "But it's more about making it easier for customers to manage all these technologies that we offer and make those technologies more secure themselves."

Repeating that IBM is in the business of marketing "secure business solutions," versus selling security products, McIrvine said that the company approaches its strategy under a three-pronged approach that centers on infrastructure security, corporate risk management, and compliance automation.

All of those efforts tie back into the notion of lowering customers' security concerns either by bolstering the onboard protection of its products or fostering business controls that benefit areas like regulatory compliance, the executive said.

Case in point is the just-underway work to integrate Watchfire's applications scanning tools into IBM's own Rational software development platform. The effort is being undertaken in the name of helping businesses drive security further into their own software development efforts, a trend that is currently sweeping across that sector.

And while industry experts say that customers are only just beginning to build security testing into their software development process, IBM's move to stay ahead of the trend was validated when rival HP purchased applications scanning provider SPI Dynamics to blend into its own Mercury platform just weeks after the Watchfire deal was announced.