IBM's billion dollar security push to transform Big Blue

a key necessity for customers, Lovejoy argued. Businesses need to ensure that security capabilities are ubiquitous, existing at various layers in the enterprise — including policy, management, and reporting. With its new security push, integration also has become critical within IBM’s own corporate structure, as it melds various product groups and structures to execute on its vision. “The governance of the security portfolio has changed pretty radically within IBM,” Lovejoy said. “The way IBM is looking at its security portfolio and recognizing that it has assets that exist in multiple brands.”

As a result, Lovejoy said IBM adopted a new organization to execute on its security plans. A Security Executive Committee oversees activities of subgroups, which include Lovejoy’s Corporate Security Strategy Group. That unit itself has working groups looking at areas of practical concern for users, such as information privacy. Working groups include members of IBM product brands, who develop a strategy on how to evolve, build or buy the technologies that people want. The working groups will also determine which IBM product brand will then actually do the work required. Strategies developed from the Corporate Strategy Group are given to IBM’s Security Architecture Board, another cross-brand organization. The board is responsible for taking concepts and ensuring that they are executed.

Then there is a go-to-market team, yet another cross-IBM unit, which includes marketing and enablement people. The team develops materials that optimize IBM’s ability to tell a consistent security story. The effort will also involve IBM’s massive sales force, providing them with guidance on security solution focus areas. Lovejoy noted that it is not quite a salesperson re-training effort, but rather a “value enforcement” effort.

Now we come to the money. “As we move forward, we’ll look at the various brands and sales folks and how they are being incented to look at security sales,” Lovejoy said. “We’ll look to assure that the correct models are in place to create the synergies between the various capabilities that we have.” IBM’s vast security undertaking is not necessarily an effort just to fix what end-users have been doing wrong in buying incompatible or redundant security. Instead, the company is also aiming set the market itself straight — at least, the way IBM sees it. Lovejoy argued that customers have been reacting to the industry’s tendency to push products based on the latest and greatest security scares. “What has been wrong is that many vendors haven’t been honest with customers about what their requirements are,” Lovejoy said. “Every vendor has the word ‘compliance’ on their site and it’s somewhat unfortunate that the fear factor has driven organizations to make investments that they, quite frankly, didn’t have to make.”

“The market is unfortunate in pressuring customers, making them afraid,” she added. She said, though, that IBM does not play the fear-factor game. “We don’t scare our customers into buying things because we have the luxury of being able to roll out capabilities when the market is ready to consume them,” Lovejoy said. “When we tell our customers they need to worry about things like botnets and coupon scams, it’s not because we want people to buy a capability. It’s because we have a cadre of researchers.”

She added that those researchers are actively engaged with law enforcement and other groups to validate and investigate threats. As a result, IBM can offer its customers a more realistic idea of the security threat landscape. Ideally, at least. “Of course, only time will tell whether buyers will follow this line of thinking, and how accurately Big Blue has pegged its customers’ needs,” Kerner concludes. “Both, it would seem, are needed before IBM’s immense, multi-billion dollar endeavor in security can begin paying off.”