IBM today said it plans to continue to dive deeper into the security market, spending $1.5 billion on security research and possibly more acquisitions in 2008 to round out its security offerings.
Big Blue also announced a one-stop program addressing the Payment Card Industry Data Security Standards (PCI DSS), selling assessment services and technology to ensure businesses meet all 12 security requirements to protect consumer credit card data.
"We're suggesting a lot of new capability areas in emerging, proactive security hygiene," said Kristin Lovejoy, director of strategy for governance and risk management at IBM. Lovejoy was chief technology officer at security vendor, Consul Risk Management, which IBM acquired last year.
"In order for us to be effective, we need to provide seamless integration across all various layers of the enterprise and make sure that there aren't silos of unprotected information," she said.
Over the last several years IBM has been on a shopping spree, acquiring vendors to fill in security and identity management gaps in its offerings, adding many of the pieces to its Tivoli software division. For the most part, IBM plans to continue to leverage the $1.3 billion in services and technology it acquired from Atlanta-based ISS, which it acquired in 2006. ISS specializes in software, appliances and services that help IT shops monitor and manage network vulnerabilities. It also acquired Consul Risk Management Inc., a Delft, Netherlands, firm which filled in compliance capabilities in its portfolio. Consul software tracks employee behavior and unauthorized access of company records.
Inevitably some talent left those companies in recent months, but IBM said it has held on to most of the top talent and it plans to have about 200 IBM researchers working on its security initiative adding them in Tokyo, Zurich and India.
IBM said its ISS practice is partnering with data security vendors, including Application Security, Inc., Fidelis Security Systems, PGP Corporation and Verdasys, Inc. Some of its technology and services has been integrated with IBM Tivoli and also bolstering IBM's data security services. Big Blue added activity compliance monitoring and reporting, endpoint data protection and data loss prevention services in recent months. Some of the technology was also added from its recent acquisition of Waltham, Mass.-based Watchfire, which developed AppScan, Web application vulnerability assessment software and WebXM, to conduct Website risk assessments.
"This is the public distribution of a strategy that had been designed for some time," Lovejoy said. "There are endless requirements popping up and we want to help companies avoid duplicative control structures and silos of data."
New PCI DSS program
IBM is also introducing a one-stop PCI DSS program, mostly built out from its ISS acquisition, that it says would enable merchants to meet all 12 PCI requirements. The program also uses the IBM Global Services arm to perform security assessments and leverages its acquisitions from assessment to compliance. The service would be conducted in five phases and begin with an initial security assessment to understand areas that need remediation, a design phase to develop a blanket security strategy and determine how new hardware and software could be introduced. A management phase provides ongoing support to monitor the organization and provide augmentation services for emergency response, threat analysis and forensics in the event of a breach. An education phase would provide training and security awareness programs.
Hughes Network Systems, which provides satellite link ups at many retail outlets and gas stations for credit card transactions and internet services has been using ISS for its PCI DSS compliance and now finds itself in the hands of IBM. Doug Medina, senior director of enterprise marketing at Huges, said ISS was chosen because it had a program to take the company through all the requirements.
"We've had a long history with ISS network operations group for four our five years on securing our data center and when we were going about becoming PCI compliant, it was a natural progression to look at ISS," Medina said in an interview with SearchSecurity.com. "Now we've secured the transaction from our modem to the transaction processor interconnected to us."
Since IBM acquired ISS, Huges personnel haven't seen any major changes in their relationship with ISS.
Many businesses will see the value in going to one vendor to meet the PCI requirements, but analysts stress that an independent security assessment is the best way to get an objective review of the company's software, hardware and security policies and procedures.
"It's very valuable to have separate entities doing pre-assessment and the actual assessment," said Diana Kelley, vice president and service director at the Burton Group. "It's best to have a separation of duties."
A recent report from Mountain View, Calif.-based VeriSign Inc. suggested many companies are still struggling with the demands of PCI DSS. A review of 60 PCI audits it recently conducted found that 53% failed to meet key elements of PCI DSS and that companies were coming up short in such areas as regular testing, securing applications, logging and protecting data.
Many third party security vendors are using the interest around the PCI requirements to sell software and services. It's natural for IBM to integrate the technologies it acquired into its portfolio and use the talent to provide services for customers being forced to address PCI, Kelley said.
"When IBM bought ISS they got a lot of knowledge and skill and now they're focusing these solutions around PCI because it's a place to sell," she said.