IBM acquisition changes security game, says ISS’s Tom Noonan

IBM’s acquisition of Internet Security Systems (ISS) has “changed the rules of the game”, in the view of Tom Noonan, the President and CEO of ISS. He recently spoke to Brian McKenna, for Infosecurity about the significance of the acquisition.

At RSA you gave a bravura speech in which you railed against the hype around Cisco’s ‘self-defending network’, and, more generally, presented yourself as standing up for the IT security industry against the bigger IT players as such. How does that speech map on to where you are today, as the head of a company that has been acquired by IBM?

Yes, I wrote that RSA speech in November 2005, flying back from London. I figured that people would have had enough of power point and technology by the time I spoke [on the fourth day]. It’s a fair question.

I’ve given a lot of consideration to [our role as] an independent security vendor when thinking through IBM’s proposal, which came in around February. I feel good about this. Security is a global business in IT, and it was clear to me that our vision was significantly beyond what we could realize on a quarter by quarter basis.

We had roadmaps stretching out to 2011 on what need to do sequentially in product roll out terms. But as a publicly traded company, with new regulations and costs to take into account, what I saw looking across the horizon was that I would like to invest more into the business than I could do with that existing set of constraints.

What's the vision?

Our vision is that of the development of an end-to end-technology platform that is built and architected from the ground up, and is capable of flexible security services — simple services, like the capacity for a company to monitor its own networks 8am to 5pm, then hand over to ISS from 5pm to 8am.

And a key consideration is doing that economically. During the
first decade of internet security, technology cost was less of an issue than it is now.

What we now have is security architecture that has been developed piece-meal, bolted on in a pragmatic manner. Infrastructure providers have added features into an environment that is very heterogenous. It’s all disaggregated and it doesn’t scale well.

Voice over IP is a good example now. There is a rash of security start ups selling appliances to bolt VoIP security on to your network. Why not provide that as a service?

Why has IBM moved to acquire ISS?

IBM surveyed the security market at the end of 2005. It’s one of their five key platform areas for growth. ISS had been a partner of theirs since 1999. But that was more of a tactical partnership.

It’s about managed security services, but they also see the potential of Proventia enabling the running of flexible services.

IBM looked at other players in the market, and saw large companies built by acquisition, whereas ISS has been a security company built from the ground up. We see ourselves as doing with security what Google has done with search. We want to use the capabilities of the web to provide flexible services.

There has been some analyst comment, notably by Gartner’s John Pescatore, that the acquisition makes less sense from a managed services point of view as from a network security technology standpoint. IBM got out of that business years ago, it is being said. So why is it re-entering it with ISS’s netsec technology?

I know John Pescatore’s position, and factually the points he makes are indeed the case. IBM did minimize its exposure to the network security business. But IBM now wants to be a leader in enterprise security, and you can’t do that without a strong network security capacity. ISS brings that. So, yes, IBM got out, but we didn’t, so the critique is irrelevant. 70% of our business is in network security.

Your role will be different once installed at IBM. Can you say how you see that developing?

I will report to an IBM SVP. IBM was clear that it would not do the acquisition unless I committed to a long term contract; and I saw a chance to bring our vision to the world on a much bigger scale.

The concern would be that ISS exemplified a standalone, focused security company, and that will now be attenuated. It’s my job to ensure that that continues.

They’ve said: ‘we don’t want you to adapt to the IBM culture. We want you to be you — to be a passionate security business’. This is an acquisition of a new type for them.

Outside of Tivoli, IBM will fold the elements of their existing security business into ISS. We will be branded ISS. IBM is serious about this business. They will invest. We will be hiring. For example, we will be doubling the number of our engineers next year.

The X-force research team will expand, and we will locate researchers in each of the IBM labs.

How has your competition been reacting to the news?

CEOs who run large security oriented companies have called me to say that this is a ‘game changing move’. The top 10 security companies control only 40% of the market. This has been a highly fragmented market, and it’s changing.