Just this week, IBM closed on its latest security-related acquisition: the purchase of IT security automation specialist BigFix. That brings the total number of security firms bought by IBM since 2006 to eleven.
And as Craig Smelser, VP of security development for IBM, told us, this trend is entirely intentional. He pokes fun at what he calls IBM’s “rather Byzantine-like organizational structure”, especially in security, but “a lot of thought goes into the way we do security here at IBM”, Smelser added.
Smelser maintains responsibility for security development on most IBM products, extolling the benefits of the company’s security framework program. “We work very hard to ensure that IBM security is consistent and our plans are integrated”, said the IBM executive, rather proudly.
But above the security development process itself, Smelser articulated a greater vision for IBM’s security business. “If I could sum up what IBM is trying to do with security, it’s a very complete, comprehensive portfolio”, he revealed. “Our strategy is to maintain competitiveness in our portfolio, ensure breadth in our portfolio, but really differentiate ourselves by integration.”
This, as Smelser subsequently noted, is the reason for the strategic security acquisitions IBM has pulled off over the last several years. He then challenged anyone to find a gap in the company’s security product offerings, suggesting that Big Blue may not be done just yet on the acquisition front.
“Evaluate our capabilities”, Smelser exclaimed, adding that where IBM “comes short, we will fill the gap. We will either fill it through organic [means] or through acquisition.”
“We are not done buying companies.”
As for the future of IT security, Smelser said that IBM must confront one primary challenge: security cannot be achieved through one single product, because “the world is moving away from a perimeterized security model”. He contended, as many would agree, that security is no longer about protecting that perimeter but, rather, individual items – the often quoted ‘internet of things’.
IBM’s JR Rao, senior manager of security research, agrees with this assessment. He says that, in the past, “we were always thinking about an enterprise as a monolithic entity”.
The IBM researcher went on to say that this whole security approach needs rethinking. “Every time you do a merger, an acquisition, or a spin off, you are challenging your enterprise to redraw its boundaries.”
“It’s no longer defined by the brick-and-mortar walls that constitute a business. Now there is going to be a new perimeter”.
That new perimeter, Rao believes, is something that requires a fresh perspective, what he called the deperimeterization of organizational security. He pointed to one recent study showing that about half of the sensitive data enterprises maintain actually lies on mobile endpoints.
“You have to think about what that means in terms of how [to] protect your critical business resources”, Rao added.
It is these changes in the nature of information security that have IBM searching for new products to maintain its relevancy, along with the novel ideas that many other smaller security vendors and their staff bring to IBM’s existing – and formidable – research capabilities.
The notion of deperimeterization, said Smelser, “fundamentally changes the direction we are taking. It creates a substantial policy problem”.
Security, he asserted, becomes fundamentally altered when it is done across multiple locations. “You have got to have some way of consistent, scalable policy management, and that’s one of the reasons we bought BigFix”.
Smelser envisions that the IBM of the future, in terms of security offerings, will be a comprehensive provider of nearly all necessary security solutions, but customers will be free to pick and choose the products that best suit their needs.
“Our play is about end-to-end comprehensive capability. We will acquire to get them, they will be best of breed, and we’ll win because they will be integrated together”, he concluded, with utmost confidence.