IBM today outlined its strategy towards IT governance and risk management, a phrase that security professionals use to describe the management of IT assets and processes, including enforcing security policy and ensuring business continuity.
IBM, which has been on a buying spree of companies in the risk-management arena, says the IBM Governance & Risk Management division will be providing professional services, combined with tailored product offerings, to customers seeking help in coming up with corporate plans and implementing them.
“There are basically two holes in IT governance -- how to get reliable information about current applications and architectures in order to set the direction of policies, and then where do you enforce that policy,” says Bob Madey, vice president of strategy and business development at IBM Tivoli.
During the past year, IBM has seen IT governance and risk management as a growing market, and to beef up its product portfolio, has sought out and acquired smaller vendors with specific product expertise, including Consul, FileNet, Micromuse and Internet Security Systems.
The products obtained in these acquisitions, such as the Micromuse Netcool security-information management that has been integrated into the Tivoli Business Systems Manager, are the arrows in IBM’s quiver in the effort to convince customers that it can help with their risk-management concerns.
However, Madey says it’s not necessary to be an IBM Tivoli customer to benefit from IBM’s IT governance and risk management services.
IBM says its learning curve on the security topic has accelerated through a group it established three years ago called the Data Governance Council, which comprises 34 IBM customers and 12 IBM business partners and vendors.
Steve Adler, IBM program director of the Data Governance Council, says the group is composed mainly of CISOs, CIOs and some CEOs. They meet regularly to discuss in private the impact that regulations such as Gramm-Leach-Bliley and numerous data-privacy regulations are having on their organizations, he says.
“There are data-use issues when companies are outsourcing application development offshore, for instance, or merchants are holding sensitive data,” Adler says. “We spend the time talking about these problems. And we’ve come up with a list of best practices we see as a ‘maturity model.’”
Adler says this model of best practices identifies processes to enforce security policies in a manageable and repeatable way.
Edward Keck, vice president and lead security strategist at Key Bank based in Cleveland, Ohio, says he’s found participating in the Data Governance Council to be of help “because it gives us the perspective of our peers, the other security and governance professionals for financial services, institutions and academia.”
He says some of the best practices advocated by the Data Governance Council focus on cost-analysis calculations for security.
“If you can assign a dollar figure to a customer record, for instance, you can make clear investment and business decisions since security and privacy is very valuable,” Keck says. “The work being done on measuring risk gives me a more common understanding of the data piece.”