
IBM Security Pushing a Good Idea with a Terrible Name

Security is broken, or at least that's the word from Stuart McIrvine, director of IBM's Corporate Security Strategy, and IBM is going to help fix it. Judging from the limited information we have so far, IBM is on the right track. They are trying to convince businesses to focus on risk management and on decisions based on a rational assessment of threats rather than on knee-jerk reactions to the latest vulnerability-of-the-week. From ZDNet's Between the Lines:

“Our approach is that security is kind of broken,” McIrvine said. “Companies are leaving security in the hands of IT and operations people, looking at servers, databases and putting up firewalls and updating antivirus signatures. But they have no real view of what they are protecting from a business strategy viewpoint, understanding the core objectives and risks to meeting those objectives.”

The only problem with this pitch right now is the name, or tag line, Big Blue is using. This initiative is promoting "an enterprise free of fear." For a company with so many research centers, patent awards, and generally smart people, how could they undermine their own initiative with a patently unrealistic catch phrase like that? No one who is in a position to purchase IBM services would ever believe they could, or should, become "an enterprise free of fear." For some people, bringing a big consulting firm into the company is like inviting Godzilla to Tokyo. Convincing those people to adopt even a good idea from a consulting company is going to be an uphill battle anyway; don't make it worse with bad marketing.

Even IT pros don't always see the big picture. Matt Asay at CNET says:

With all due respect, IBM's strategy should also attack "fear" and "risk" at one critical foundation of the problem: the code itself and how it is developed.

Without ensuring a code-level view of the products it is using to enhance security, IBM is only going halfway. Microsoft has long prided itself on the resources it was throwing at improving its security and, to its credit, its products have gotten better over time. But arguably Microsoft's products would have benefited from peer review, and not simply internal review. IBM is no different.

This kind of "fix my favorite vulnerability" approach is exactly the kind of thinking that needs repair. There are too many problems to fix without a big picture of the potential costs of risk and how to reduce those risks. We all have limited budgets; we can't fix everything, so we need to maximize the benefit we can get. Picking code development, database security, or perimeter defenses out of a hat and declaring it the key to fixing our security challenges is not going to work. We can probably all make good arguments why vulnerabilities in our areas of interest and expertise are the most important. Without putting them in a business context we're likely to buy the wrong product, fix less important vulnerabilities, and waste time and money in the process.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net