IFSEC Report: Understanding IBM's play in security

May 14, 2008
Catching up with IBM's UK office to talk enterprise security projects

During IFSEC this week, I was able to meet with the staff from IBM's security operations in the UK and Europe to get a company update. Many people in the security industry, to be honest, have been quite surprised that IBM, which has been traditionally perceived as a computer and business software firm, is busy working on security projects.

First of all, says Andrew Hart, IBM's head of security services for the UK and Ireland, the company is very focused on networked systems, and networked systems only.

"Years ago, IBM realized that video would start to play a bigger role within companies," said Hart – noting that it was all areas of business video that could affect the business infrastructure, from conferencing all the way to surveillance. So, around 2001, the company started working on large-scale video surveillance projects, but there had to be a network element to get them interested. "If it's analog, it doesn't float our boat," said Hart.

With that in mind, Hart and his colleague Rod Allen, worldwide director of digital video solutions, have seen IBM take a role that falls somewhere between that of an enterprise-level security integrator and that of a processes management consultant. The company tends to partner with physical security installing and integrating firms, and leverages its own expertise in project architecture and the IT solutions that glue enterprise-level projects

The key for IBM is what the company brings to the table. A deep knowledge of networks, storage solutions and IT business management has positioned the company to be able to work on enterprise level projects where the scope often extends beyond security, or where the security project is so big that even some "enterprise-level" physical security management solutions start to break down.

"We're an information management company," explained Hart. "The world of security is dealing with an information challenge, because all of these sensors and cameras are rapidly spewing out data."

To that end, the company also comes to the table with the ability to leverage its existing software data technologies, including systems for filtering data and managing massive and complex storage systems. Hart and Allen note that their Tivoli system, which is designed for managing IT infrastructure, has been useful for managing physical-security related IT infrastructure, and can provide benefits like reporting on hardware failure or early-warning reports on impending failures.

But just because the company has an extensive background in IT systems doesn't mean physical security projects that tap IT infrastructure get any easier. "The language barrier between physical and logical security is colossal," said Hart, who explains that even IBM is often facing project management issues where there's a wide gap in the communications between physical security departments and the IT directors.

Allen, says that sometimes the gap even becomes bigger, with corporate security often not viewed as a priority by senior management. He relates the story of a discussion some years ago after IBM lost power to a 20-plus building corporate campus. Senior leadership was in a meeting to discuss how to get the campus running again, systems back online, and business continuing.

The question being asked among the recovery directors was what to bring back up first. After discussion, the group seemed to agree that the company's data centers was the logical answer. The security chief spoke up, however, and said it was security that should come up first. After the laughter died down in the meeting, the security chief added, "But if you don't bring up security first, how do you expect to get into the doors of those data centers to bring them back up?"

It was a incisive moment at IBM's European operations for understanding the role of physical security, said Allen, and it's part of the lesson on the overall importance of security that enterprise business needs to understand.

Additionally, said Allen, companies have traditionally approached physical security as a separate, siloed arena. "We come into business where they may already have the physical security running on the same network, but they're not managed in the core IT centers." Bringing any networked system (including video systems) into the IT core, he said, makes management easier.

And that seems to be IBM's real strength in the industry – the ability to recognize that security projects can be aligned with business IT, and that they can be deployed in line with other enterprise solutions.