IBM is marshaling its hundreds of security products and thousands of consultants to enable what it calls “an enterprise free of fear." Given that an enterprise free of fear is like declaring world peace, I asked Stuart McIrvine, director of IBM’s Corporate Security Strategy, to explain the concept.
"Our approach is that security is kind of broken," McIrvine said. "Companies are leaving security in the hands of IT and operations people, looking at servers, databases and putting up firewalls and updating antivirus signatures. But they have no real view of what they are protecting from a business strategy viewpoint, understanding the core objectives and risks to meeting those objectives."
IBM aims to engage the business side to surface key processes and systems, to understand objectives and risk from the top down, and then to mitigate the risk with the available budget. "We are in the mitigation business, helping companies decide what risks to accept," McIrvine said.
This holistic security risk management approach is hardly original. IBM plans to spend $1.5 billion on its security division in 2008 in its effort to soak up as much as possible of the $100 billion security spend by corporations worldwide.
The impetus for the new security initiative is in part a rationalization of its 200 security products and recent acquisitions, including Internet Security Systems and Watchfire. It also gives IBM's small army of 3,500 security consultants (IBM has 355,766 employees worldwide) a more coherent framework for risk assessment. (Information on the new product announcements here.)
About 20 percent of corporations have done a business and risk alignment from a security perspective, McIrvine said. "One customer in the U.S. identified 550 actively managed deployed controls in place. When you look at it from a business perspective, you look at what contributes to 80 percent of the risk. We took it down to just over 50 controls. When you start to align business with IT, it can be more costly to have controls than to suffer the consequence of the risk."
IBM consultants conduct a number of assessments and audits, such as dynamic risk quantification, peer group risk comparison, business controls optimization and event risk calculation.
McIrvine said IBM identified five core areas for its security framework: infrastructure (servers, endpoints, networks), identity and access, information, applications, and physical security, such as card readers and video cameras.
McIrvine agreed that an enterprise free of fear isn't realistic. "It goes back to do you really have a handle on what you are protecting, and business guys understanding and working with the IT department to identify real risks and put controls in place to mitigate those risks. It's not covering everything, but you can sleep a bit better."