IBM pitches risk management strategy

The company unveils a comprehensive IT risk management strategy that will help enterprises simplify -- and ease the financial burden of -- security and compliance work

IBM has unveiled a new IT governance and risk management strategy that it will market to enterprise customers as a means to weave together security and compliance projects to ease planning and help drive down related expenses.

Much as security segment leaders Symantec and McAfee have retooled their own marketing strategies in hopes of appealing to large customers who find themselves drowning in a sea of security and compliance-related work, IBM contends that it can help companies craft more intelligent top-down strategies that allow them to save time and money.

The idea behind IBM's strategy is much the same as that of its security rivals: it maintains that many businesses can improve their security and compliance efforts by planning the two types of projects in closer coordination and buying technologies that can aid in both efforts.

However, unlike those companies' strategies, which revolve primarily around integrating various types of security and compliance applications, IBM is hoping to help companies shift the manner in which they think about the problems in general, company officials said.

A key element of the strategy being proposed by IBM is that customers should also be able to procure IT products and services that can be applied to multiple security and compliance issues rather than to individual problems. In many cases, IBM officials said, most of the needed technologies are already in place within customer organizations today.

Enterprise businesses have struggled to move away from projects that are focused on addressing single compliance regulations or security issues because it has been hard to create best practices that appeal to both business and IT management camps, according to the firm.

IBM maintains that through a range of products and services delivered in pre-packaged combinations, it can allow companies to begin planning projects and budgets more closely along lines of organization-wide risk and governance oversight.

"Compliance has been the top area of spending for a lot of these companies over the last several years, but there's been a backlash from IT as it struggles with a constant flow of new demands around both compliance and security," said Chris Lovejoy, director of governance risk management strategy at IBM. "CIOs are looking at this from the perspective of dealing with new threats and regulations, and there is always pressure from business to improve quality of services; IT is having a hard time prioritizing where it will focus limited resources."

Lovejoy said that IBM will specifically aid customers in creating a process-based approach -- built around multiple industry standards -- that helps businesses better prioritize projects and technology procurement aimed at carrying out multiple security and compliance efforts.

"We can make sure that these customers can understand, execute, and measure the outcomes of these types of projects in a centralized manner; it's hard for them to do this today because they don't have unified technologies and processes to get visibility into the alignment of business and IT," Lovejoy said. "Companies want to know how to do this without boiling the ocean, so when it comes to enabling effective governance and risk management you need to start with a standardized approach that allows you to reuse tools for different types of problems."

The types of standards IBM has integrated into its IT governance and risk management offerings are best practices taken from initiatives like COBIT and COSO, the executive said.

The services and technologies being touted under the new umbrella strategy address three major issues: compliance, business resilience, and service management.

Among the specific packages of technologies and services being marketed under the new strategy are those aimed at improving IT governance across organizations, including IBM's Business of IT Dashboard, a bundle of asset management services designed to help companies assess strengths and weaknesses in critical areas of IT risk management.

Based on IBM's Tivoli Netcool technology, the dashboard gives business and IT leaders a comprehensive view of their operations, and the software will be linked with the company's IT Lifecycle Management and Governance Services for Tivoli products to offer advanced reporting and measurement functions.

In the area of dealing with attacks in real time, the company is promoting use of its IBM Tivoli Security Operations Manager v4.1 security event management platform to help coordinate and analyze data across multiple security and compliance systems.

Industry analysts said that the most significant difference between IBM's governance and risk management strategy and those espoused by its largest security rivals is that IBM is aiming its efforts at a broader view of business operations and technologies.

"Both McAfee and Symantec are focused on security risks and business continuity; with IBM it's more about governance and risk management backed with real IT process and service delivery considerations," said Michael Rasmussen, analyst with Forrester Research. "IBM has done more work in aligning enterprise risk and compliance issues; the security companies are all about IT deployment, while IBM is talking about how this strategy fits into enterprise business planning."

While he doesn't expect companies to latch onto the IBM vision or buy into the packages of technologies and services it is marketing overnight, the analyst said that the company should be able to drive significant interest that may someday translate into sales.

"There will definitely be skeptics who will want to see these things proven and understand the tactical short-term benefits, but these issues are dynamic and changing rapidly, so customers are actively looking for ways to bridge process management around risk and compliance," Rasmussen said. "To execute on this vision IBM has a lot of interesting challenges to make their products work together in the vision they've articulated; it might be twelve-to-eighteen months before we see that happen, but the revenue should grow over time as they move toward this more cohesive approach."