November 06, 2007

Podcast with IBM on Their End-to-End Security Solution
Listen to or download the 7:02 minute podcast below:
What follows is a transcript of my podcast with Eric McNeil, Manager of IBM's Corporate Security Strategy, where we discuss IBM's announcement of having achieved an end-to-end security solution (which you can read right here), or what IBM terms the 'Holy Grail' of computer security.
Why don't you just give our listeners an overview of your announcement?
Well, IBM really is changing the game of IT security. And it's really a game that needs to be changed. Given today's complex infrastructures, given the more sophisticated attacks our clients are seeing, given the more open, collaborative business models we're trying to secure. The current approach to IT security, that is, trying to secure this technology or that, securing applications, securing the data, securing the servers, is not enough. That's a much more holistic, comprehensive view of security and that's what IBM is announcing today.
So in the announcement, you started by saying security is broken. Can you elaborate on that?
Well, as I said, you know, given all the new threats and new complexities, it's very difficult to approach security from the bottom-up, technology-specific approaches we have today. Today's security is very much siloed. It's very much driven by technology, and what we're really trying to do is provide the capabilities to have the business requirements drive security. That it's less about securing this technology or that, but it's more about securing the business processes that really have a business impact on the client.
Some analysts have said that they believe that IBM is just too big, and all of your security solutions are too distinct and separate for you to really achieve an end-to-end security solution. So how do you respond to that, or how are you able to overcome that?
I'd say that it's going to take a partner of IBM's scale to really pull off all that this problem requires. We really are changing security in two ways: one is really allowing people to mitigate risks across all five of the IT domains. So we look at the domains as: people, technology, information, applications and physical facilities. If you look at a business process, you can't secure that process just by securing one technology or one domain. It really will require you to look across all of those domains and look at controls on all those domains.
If you look at most of the security industry, they are focused on one domain or the other. So what IBM has done, we've made a significant amount of investments and acquisitions to develop very strong capabilities to mitigate risks across all those domains. And a great example is PCI. The PCI people were very smart. They didn't say "well, we have this data encryption challenge, so let's require some data encryption technology." What they did was look at the business process of what was happening. That is, how this customer information was coming into these firms, how it was moving around the firms, how it was touching different technologies and different people. And what they did was come up with twelve capabilities required to mitigate risk on the entire process.
What we're also now seeing is our PCI solution, which uniquely shows that IBM can cover all twelve of those capabilities.
You say that this will give companies a complete view of their security. Exactly what will this complete view of their security look like?
Well, in addition to managing risk and mitigating risk in each of the IT domains, we need to allow the company to make business decisions across all those domains. Because at the end of the day, security is much more a business decision than it is a bunch of technologies. So what we're really doing is elevating security to really be risk management, allowing firms to align these IT domains and IT security with their business processes, quantifying risk and moving to a continuous process and improvement approach that allows them to optimize their business results over time.
At the end of the day, CIOs and CISOs these days are more business executives than just managers of technology. And they're expected to manage risk in their domain the same way the CFO manages risk in his domain. And that the end result needs to be what optimizes business results.
As we all know, and as IBM has proven today, technology changes faster than any other industry. So how can a true end-to-end solution keep up with all of this change? And, by that, I mean -- how are you going to incorporate technologies like virtualization or service-oriented architecture into this end-to-end solution?
One thing that we're doing here is really separating governance from operations. And you can think of it as sort of like a car. Today, we have this car which is all these security technologies that people deploy but it has no steering wheel. From a risk perspective, it's driving all over the road. Increasingly, what business executives, the new business aligned CIOs and CISOs are trying to do is drive this infrastructure. They're looking for a steering wheel that allows them to align the risks across the infrastructures and make sure they are driving the infrastructures in a way that optimizes business results.
So we have this very strong focus on the governance of all these technical capabilities as well as segmenting them into their various domains so that we can pour in the right technologies, investments and expertise into each domain to maintain currency with technology progress as well as making sure we're providing leading edge capabilities in each domain.
How can this new approach bring business value to security?
First off, there's a lot of new business models people are trying to deploy. Globally integrated enterprises, managed services, service-oriented architectures… The challenge with any of these things is they bring a lot more complexity and risk into the organization. IBM's providing much more advanced capabilities to manage the risk and threats that these new business models bring so people can enjoy the business benefits of them.
We also allow them to take significant costs out of their infrastructure. Certainly, there are some redundancies that people can minimize. We can also think in terms of business controls. Often, as people try to deploy best practices, say, in security, they also find that there are a lot of redundant controls. They might have thousands of controls they are trying to manage.
What the audit community is saying to companies is that they really want them to take more of a risk perspective to these controls, and drive to a more efficient set that can provide deeper understanding of how these controls align to the business, help them manage them better and be more responsive to effects on those controls.
People can then take out potentially millions of dollars worth of costs of how they're managing the controls today, which is through a lot of manual processes.
You say this is the first wave in this new wave of IBM security products. What can we basically expect in the second and third waves?
I think you will see IBM continue to flesh out these capabilities. Then going deeper and more comprehensively into each of the domains, and to orchestrate capabilities across domains and drive synergies among the domains. And increasingly drive security upward into the organization so that risk management could be done more automatically and more comprehensively.
Tags: security, IBM, malware, risk management, PCI, encryption, CISO, CSO, virtualization, SOA security

Posted by pschooff in Podcast