IBM’s security stance: underrated or overambitious?

Big Blue intensifies its push into network security

IBM isn’t known as a security company — even though it bought Internet Security Systems a year ago — but claims it’s trying to become a dominant player in the network security market. Will Big Blue succeed?

Big Blue is trying to succeed in the less familiar terrain of network and desktop security — and finding that a few high-profile moves aren’t enough to sway some skeptical analysts.


When IBM acquired Internet Security Systems (ISS) a year ago, the industry’s mixed reaction included that of Gartner security analyst John Pescatore, who said it doesn’t “make sense for IBM to own network-security products.”

IBM pushed forward nevertheless, striking a deal to buy Web-application security vendor Watchfire last June. In early November IBM said it will spend $1.5 billion on security in 2008, and announced several new products and services for data security and compliance with the Payment Card Industry Data Security Standard. That sum is thought to be twice as high as IBM’s previous security spending.

IBM’s latest move, announced Thursday this week, boosted its data-protection portfolio with the acquisition of Arsenal Digital Solutions, which provides services for server and PC data protection, backup and recovery, business continuity, and regulatory compliance.

Pescatore still thinks IBM should take it slow, saying that the fact IBM has expertise in providing IT infrastructure doesn’t mean it should be selling products that react to security threats.

Fraud detection and fraud management are areas that would make sense for IBM, but “the area we don’t think they should go [into] is more network security stuff, like buying a firewall company or getting into antiviral software,” Pescatore says.

IBM does provide antivirus software in IBM ISS’ desktop offering. Moreover, IBM intends to be “the dominant security player” in a market that’s ripe for consolidation, says Peter Evans, vice president of marketing at IBM ISS. A big enterprise that buys security products from dozens of vendors might have an easier time managing those tools if they all came from one vendor, or from just a few, Evans notes. Much of the $1.5 billion IBM plans to spend on security will focus on creating integrations between various security products, he says.

Hidden talent

Some analysts are wary of IBM’s increased focus on security, but others say there’s no one better at protecting IT systems than Big Blue. “I think IBM is more focused on security than anybody you would meet in the IT marketplace,” says analyst Bob Djurdjevic, president of Annex Research.

If IBM has a shortcoming, it’s that it hasn’t bragged enough about its security capabilities, Djurdjevic says. IBM is starting to market itself more aggressively now as it tackles the network security market, which is the “cool thing” these days, he says.

“They haven’t done a very good job of marketing that focus or projecting it to the outside world, especially not in this desktop environment,” Djurdjevic says. “Their home turf is the mainframe. That’s the Fort Knox of IT today, as it has been the last several decades. That’s the most secure environment you will ever find.”

IBM’s security expertise goes deeper than people might think, says Forrester analyst Geoffrey Turner. “They haven’t put security out front as one of their discrete offerings or one of their differentiators in the marketplace, because it is so well integrated with the rest of their capabilities,” he says. “They were probably the strongest early pioneers and advocates of cryptography and its application to security in the IT environment.”

Turner says IBM has briefed him on several security research projects that he considers pioneering but that he can’t discuss publicly because of nondisclosure agreements. One project he did mention has IBM researching foreign taxonomies related to people’s names, a better understanding of which might help fight online fraud originating overseas.

“They’re like an iceberg. You can only see the part that’s above the water, but they have seven times more than that below the waterline,” Turner says of IBM.

That doesn’t mean there aren’t problems with what’s above the surface, however. Gartner's Pescatore critiqued the IBM-ISS merger, saying IBM ISS is no longer “leading the market” as it did before being snatched up by IBM.

“They’re not top-of-customer-mind anymore, they’re not coming out with new features ahead of everyone else,” Pescatore says. As an example, he notes that small competitors, such as Reflex Security, have released firewall and intrusion-prevention tools specifically for virtual servers.

The ISS factor

No matter how effective IBM’s security products are, they tend to be overshadowed by the way IBM markets its wares to IT shops, says Lloyd Hession, CSO of BT Radianz in New York City, which uses IBM ISS’s intrusion-detection software.

An enterprise that selects IBM Tivoli software is getting a complete enterprise-management platform, with tools for performance-benchmarking, technology-resources management, and many other processes, Hession says. Security ends up being just one piece.

That’s not necessarily a bad strategy, Hession notes. “It’s not clear to me they necessarily have to change that. IBM is not trying to go head-to-head with a Symantec,” he says.

IBM also tries to be product-agnostic with Tivoli, so the company helps customers support a wide range of security products besides those made by IBM, Hession says. This balancing act might work for IBM, but it’s also hard to offer top-flight security products when the Tivoli platform supports security tools from other vendors, he says.

Hession, who used to work at IBM, gives Big Blue credit for keeping the ISS brand intact. The fear about such acquisitions is always that the small company will be swallowed whole by the large one, rarely to be seen again. “You have to start from a position of low expectations,” he says. “What we’ve seen with IBM and ISS is they haven’t rushed to integrate everything into Tivoli.”

Evans acknowledges that ISS customers initially were concerned some products would go away because IBM is more of a services company (in 2006, 53% of IBM revenue came from services, up from 45% in 2002, according to Nucleus Research).

Evans nonetheless says customer reaction lately has been positive, and he argues that being part of IBM has given ISS more room to grow and innovate. With IBM’s annual revenue approaching $100 billion, “there’s $100 billion of potential places to attach security to and make sure customers are compliant with regulatory mandates,” he says.

What’s more, IBM ISS has uncovered some security research that flew under the radar within IBM, Evans says. IBM researchers had developed virtualization-security technology, as well as sophisticated heuristic scanning methods designed to detect previously unknown viruses, but hadn’t put those capabilities into any products, he says.

Now IBM ISS is taking those capabilities and integrating them into its own product lines, Evans says. Across IBM, the acquisition of ISS was viewed as a “galvanizing event” to bring together all of IBM’s security features for a major run at that market, he says.

Looking ahead

So, what’s next for IBM in the world of security? Observers offer numerous suggestions.

IBM’s first priority should be upgrading security on such major products as its blade servers, Tivoli and WebSphere, Gartner's Pescatore says. One step he recommends is that IBM ISS security be integrated into the WebSphere line of software, which spans portals, application infrastructure, middleware and business process management. IBM also should take Watchfire’s Web application-security testing and compliance software and build it into the Rational software-development platform, to help customers build secure software, he says.

IBM so far has missed an opportunity in the small-to-midsize-business security market, Annex Research’s Djurdjevic says. Big Blue could rectify that with a simple-to-use offering, such as a Web-hosted security product. Small businesses “have exactly the same needs as large corporations but not as much money and not as much expertise,” he says. “It takes a different approach. That is not part of IBM’s DNA. That’s what these other companies [like McAfee and Symantec] are better at.”

IBM says its $1.5 billion wager seeks to improve “all five domains of information technology security — information security, threat and vulnerability, application security, identity and access management, and physical security.” The overall goals are to help CIOs manage risk and make security a business decision, rather than one based solely on technology, says Eric McNeil, manager of IBM’s corporate security strategy.

McNeil says to expect numerous announcements of new security products over the next year, and adds that IBM will examine the market for potential acquisitions. One recent rumor had IBM buying Secure Computing and its identity- and access-management software, but it hasn’t come to fruition, Pescatore says.

Forrester’s Turner expects IBM to pursue new security technologies aggressively through acquisitions and R&D. “Whatever people perceive [IBM’s] weaknesses to be,” he says, “I would posit those aren’t weaknesses and they’re not blindnesses on behalf of IBM.” 


Copyright © 2007 IDG Communications, Inc.