IBM on Thursday announced a major security initiative encompassing products, services, and research to help businesses manage risk and keep information safe. To support the initiative, IBM said it plans to spend $1.5 billion on security-related projects in 2008.
"The way companies do security today is broken, because what companies tend to do is hand security off to the IT department," said Stuart McIrivine, director of IBM Corporate Security Strategy.
The IT department then tries to protect everything and there just isn't enough money to go around, McIrivine explained.
Basically, IBM believes that the siloed approach to information security has failed. McIrivine describes IBM's new direction in terms of risk management rather than protection. It involves looking at security as a finite set of controls that are being monitored rather than an effort to lock up everything.
IBM plans to recalibrate its compliance and security offerings to help companies manage risk through a unified strategic approach across what it calls the five domains of information technology security: Information Security, Threat and Vulnerability, Application Security, Identity and Access Management, and Physical Security.
The initiative has been developed over the past 18 months and is the largest ever undertaken by the industry, according to IBM. It involves a number of recent and past acquisitions, including Internet Security Systems and Watchfire.
"One of the biggest drivers of security spending today is compliance," said McIrivine. "When you think about compliance, usually it's compliance with regulations. But when you boil it down, these regulations are focused on how companies manage information."
IBM refers to one component of its new initiative as security risk management, which aims to provide CIOs and chief information security officers with risk management tools. SRM aims to automate the measurement and assessment of business processes, risks, and costs to make information management more effective and more efficient.
IBM clearly has defense against hackers in mind. IBM ISS plans to work with a variety of data security vendors, including Application Security, Fidelis Security Systems, PGP, and Verdasys, to better protect corporate data from external threats.
But IBM is also focused on internal information management and corporate policies. McIrivine said that customers regularly tell IBM that employees do things they know they're not supposed to do and that such actions pose a management problem.
"This is not hacking, this is people just screwing up," said McIrivine. "Companies are looking for the technology to make sure that doesn't happen."
In keeping with that goal, IBM is introducing services to meet that need, including IBM Data Security Services for Endpoint Data Protection, to help customers protect and control unauthorized use of and access to laptops and PCs, and IBM Data Security Services for Enterprise Content Protection, to help customers protect against deliberate and accidental data leaks.
Through this initiative, which will be supported by 200 IBM researchers around the world, IBM hopes to create "an enterprise free of fear."