
Mimic the IBM approach to security at RSA

Columnist Eric Ogren says IBM's announcements at the 2009 RSA Conference should remind security pros that security should be built into business initiatives rather than layered on as an afterthought.

SAN FRANCISCO -- IBM will make a series of security announcements at the 2009 RSA Conference this week to further what Big Blue calls its Information Security Framework. Security professionals, even those who do not use IBM products, can benefit from the framework -- which includes a foundational information security program reference model, a maturity model for self-evaluation, an assessment tool for measuring current posture and IBM-provided training -- by copying IBM's mindset to ensure security is built into new business initiatives rather than layered on as an afterthought.
If there is one thing IBM excels at, it is going beyond simple product comparisons to position IT and security to articulate business value. For instance, it's common for a customer's technical discussion with IBM on scanning Web servers to identify vulnerabilities for Payment Card Industry Data Security Standard (PCI DSS) compliance to become a closed-loop business process discussion on how to efficiently drive corrections back to development source libraries, and then prevent known vulnerabilities from leaking forward from engineering into corporate Web applications. As IT security professionals spend the week at RSA Conference 2009 looking at new security capabilities, those evaluations will be best served by remembering three of IBM's main security themes:

  • Stay ahead of evolving threats. Prioritizing threats and proactively reducing the risk to business operations is the nuts and bolts of security programs. New threats usually involve new products to attach to the infrastructure and new vendor relationships to maintain before established vendors are sure the threats are real. Smaller vendors are usually the ones evangelizing evolving threats; it is important to understand their security issues, determine the risk to the business, and decide on a level of urgency.

  • Take advantage of new business opportunities. Every IT security team hates being looped into an IT project too late in the process to properly secure it. Use the opportunity to get ahead of business initiatives by exploring the security implications of mega-trends such as virtualization (data center and desktops), cloud computing, smartphones for the workforce, as well as other forms of wireless communication. Take advantage of the conference to learn not only about new security capabilities, but also how that research can help the company open new business opportunities so security can get ahead.

  • Pursue more efficient IT business models. Many IT organizations, especially in this economy, are charged with driving 10% or more of the annual costs out of the existing technical infrastructure. This usually translates to cost savings in labor that come from automating security processes, consolidating security into switches and multifunction security devices, virtualizing security products for concentrated server utilization and endpoint protection, and simplifying complex compliance processes. Look closely at the ability of security innovations to reduce labor costs to meet operational goals.


A lot of this sounds like motherhood, but time and again I talk with security executives who myopically focus on the threat landscape and only get to the business benefits when it becomes time to sell their newest security proposal. IT budgets are stretched and few companies can afford to purchase products to protect against every risk, but funding can be found for security purchases that support the enterprise's ability to make money, save money, or meet legal and ethical requirements. IBM understands this better than most. Even security officers who do not do business with IBM can benefit from mimicking its approach to security.

About the author:
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric was a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to
