Original URL: https://www.theregister.co.uk/2006/08/30/ibm_buys_iss/
IBM beefs up security in global services
Good news for big business, but what about SMBs?
Comment Last week IBM announced that it was acquiring US-based Internet Security Systems (ISS) for $1.3bn.
ISS's specialty has been the proactive security for the enterprise through automation and focusing on vulnerabilities in the ever-evolving IT infrastructure.
IBM believes the acquisition, its largest since it acquired PWC, will advance IBM's strategy to use IT services, software and consulting expertise to automate labour-based processes into standardised, software-based services for its clients.
IBM also believes it will help advance its position in Managed Security Services, which addresses issues ranging from data theft to implementing regulatory requirements.
ISS is one of the largest providers of security products and managed security services in the industry, with more than 11,000 customers worldwide, including many of the largest banks, public insurance companies, and national governments. ISS will join IBM as a business unit within IBM Global Services' Security organisation.
ISS has been admired for a while for its approach to security. While many are still trying to protect objects or systems, ISS has been evolving a holistic approach that respects that the environment is ever-changing, and that looks at automating systems as the way to respond in a proactive manner.
In this respect its philosophy is close to that of IBM which has also embraced a holistic approach and has had a self-healing approach for its systems and software along with other automated capabilities for years. Both companies understand that evolving IT security requires an architectural, big-picture approach rather than a point-product, perimeter-centric approach.
In that sense, the combination of the two should bode well for both vendors' customers. IBM customers will see the inclusion of a strong security vendor's products and services beefing up IBM's offerings, which have not been as strong as those of some of its competitors.
For ISS, IBM's scope gives it access to a greater number of customers than it could have reached alone, and adds credibility to both companies' reputations as trusted corporate advisors. Customers of either company should feel secure that IBM and ISS are committed to proactive, automated security and managed security services.
Next we will be waiting to see what the company does with identity management, a hot topic on its own that is tightly connected to many other security issues.
In some ways, it is sensible for IBM to place ISS within Global Services. The product would be awkward in any other part of IBM, even if it is largely a software capability. However, that said, putting ISS within Global Services also makes us uncomfortable.
Global Services is the biggest part of IBM, and it is important, in that frequently Global Services acts like a laboratory where large customers with specific needs can work with IBM to make solutions that solve specific problems, and then that intellectual property can be shared internally within IBM to help productise it for a larger market or share it in some way with services partners who can offer it in appropriate form to the SMB market.
This is a nice idea in theory, but the problem is that we haven't really seen that happen. For many reasons, most of them quite sensible, Global Services is unable or unwilling to deal with entities smaller than roughly 1,000 employees.
In the grand scheme of IT, this leaves an awful lot of the market open. Global Services' business model is not designed to deal with the mid-market, nor should it necessarily do so, but IBM still does not have a way to capture the extensive IP it is building within Services to leverage it across the company or the market.
We fear that ISS's products and approach will continue to benefit large companies but that an awful lot of the mid-market will not have access to those capabilities. While this may not seem terrible from a near-term revenue viewpoint, from a security viewpoint it should be viewed with alarm.
Organisations interact, especially within supply chains, and partners need to be inculcated in the same methodologies, approaches, and philosophies as the larger players. IBM has a significant partner organisation although it is essentially a tactical unit for helping partners navigate IBM.
However, we strongly urge IBM to work with its product groups, Global Services, and the partner organisation to figure out ways to take the great ideas in Global Services and bring them out of the ivory towers of the consultants and academicians and down to the larger masses of IT managers worldwide.
Copyright © 2006, IT-Analysis.com