If you were asked to think of an IT security firm perhaps IBM would not be top of the list.  However IBM has a significant set of products in this market and it manages the security of its customers’ outsourced and cloud systems, as well as that of its very large internal IT operations.  Following the acquisition of Q1 Labs late last year IBM is reorganizing to bring together all the security products under one division.  Well large companies are forever re-organizing so why does this change matter?  In short this is important because it reflects the increasing level of cyber risk and the recognition of this risk within the boardroom of the organization that are customers of IBM.

Over the past 12 months there have been a number of widely reported cyber-attacks on large organizations and these attacks have been intended to steal information of significant value or to cause commercial damage.  The organizations affected include Sony whose PlayStation Network was targeted and the details of 77 million users compromised, RSA has offered to replace the SecurID tokens following a compromise of information relating to those tokens, and according to the Verizon 2012 Data Breach Investigations Report there has been a huge rise in politically motivated attacks. Even the head of MI5, the UK’s internal security and agency, has said it is working to counter “astonishing” levels of cyber-attacks on UK industry.  The trend, identified in the Verizon report, is a large increase in data breaches stemming from external agents.  So is this a watershed for boardrooms to take an interest in cyber- security?

According to a study conducted using double blind interviews by the IBM Centre for Applied Insights with 138 security leaders, that “while many security organizations remain in crisis response mode, some security leaders have moved to take a more proactive position, taking steps to reduce future risk.”:

  • Business leaders are increasingly concerned with [IT sic] security issues.
  • Budgets are expected to increase,
  • Attention is shifting towards risk management.
  • External threats are the primary security challenge.
  • Mobile security is a major focus.
In this study security leaders rank themselves according to their organization’s maturity and ability to handle a breach and from this three types of organizations appear:
  • Influencers: those that have business influence and authority – who rank themselves highly in maturity and preparedness.
  • Protectors: who recognize the importance of information security – but who lack measurement insight and budget authority needed.
  • Responders: who do not have the resources or business influence to drive significant change.
So the challenge for IT many security organizations remains one of dispelling the idea that IT security is just another technology support function but is something that has to be designed to protect the whole enterprise.  This involves being able to communicate to the business that the cyber-threat is a real and present danger to the organization.  It is also important because many organizations are moving to outsourced IT or the Cloud and this brings additional IT security challenges.

So what about security products? Well IBM has chosen focus at the higher levels of IT security management rather than low level threat protection.  The rationale behind this is that threats to organizations are both targeted and persistent.  If the threat is blocked in one way the attacker will continue to look for other approaches that bypass the block.  Therefore behavioural analysis of what is happening around and inside the organization’s network and systems is a better indicator of an attack in progress, and this often provides the security intelligence needed to counter these threats.

The other area that IBM has focussed on is mobile security.  The increasing trend towards BYOD and the proliferation of tablets and other end user devices that can be connected to the corporate network has increased the risks of data loss.  Although people value their smartphone they are not careful with them. (According to a study by Plaxo – 19% of people reported that they had dropped their smartphone down a toilet!).  When the device is lost the data it contains is often more valuable than the device itself.  In the KuppingerCole’s opinion BYOD brings many challenges and the key to mobile security is to start from a data centric position rather than a device centric one.  Understand what data you have and then to make sure that you protect it properly.  IBM say that their strategy in this area comes from ”following the data” – if so that is good news.

So – in summary – the risk of cyber-threats to organizations is increasing, and it is clear that IT security professionals need to do a better job of explain these risks in business terms.  KuppingerCole’s view is that IT Organizations have to adapt to become much more business aware or they will fail.  This includes, but is not limited to security challenges.  It is good to see IBM is providing a lead in this area.