IBM Acts to Transform Risk Management for Businesses

New Services, Products and Research Aim to Manage Risk From the "Enterprise to the Edge"

ARMONK, NY - 01 Nov 2007: IBM (NYSE: IBM) today introduced new security services, products and research breakthroughs designed to help businesses more effectively manage operational and information technology risk.

IBM sees information technology security changing as more collaborative business models, sophisticated criminal attacks, and increasingly complex infrastructures emerge. As a result, today's wide array of security technologies, implemented tactically in silos, is not sufficient to deal with the new reality of risk. IBM's approach is to strategically manage risk end-to-end across all five domains of information technology security -- Information Security; Threat and Vulnerability; Application Security; Identity and Access Management; and Physical Security.

"For many enterprises, security is broken," said Tom Noonan, general manager IBM Internet Security Systems. "The nature of evolving threats is such that installing point solutions to 'keep the bad guys out' is no longer a viable way to secure a business. We advocate new approaches to reduce complexities, adapt to new business imperatives and enable business value versus just threat protection. The path to a more secure world begins with a risk management strategy that limits the impact of threats, improves business resilience and creates an enterprise free of fear."

Fueled by recent security business acquisitions, the company-wide initiative by IBM arrives as companies around the globe face increased regulatory and private scrutiny. The daily risk of security exposure and the cost to combat it are growing. In North America alone, companies are expected to spend almost $30 billion on governance, risk and compliance this year, estimates AMR Research, Inc. (1)

The first wave of IBM security services and products tackles information security concerns from the enterprise to the edge of companies' networks. IBM's Internet Security Systems (ISS) unit, acquired just over a year ago, is helping lead the way, teaming with IBM Research and integrating with IBM's Software and Systems businesses to deliver the world's most advanced risk management capabilities.

New Technology, Services and Software for Information Security

IBM ISS today announced new technology for information security designed to address the growing challenges of managing confidential information.

To deliver a total data protection solution throughout the information lifecycle, IBM ISS is partnering with leading data security vendors, including Application Security, Inc., Fidelis Security Systems, PGP Corporation, and Verdasys, Inc. By leveraging key technologies from these partners and IBM Tivoli, IBM ISS will offer a comprehensive set of asset-based data security services:

IBM also today introduced new data security and compliance management solutions to help businesses track, report and investigate non-compliant behavior across the data infrastructure. They include:

New Mainframe-Strength Information Security from IBM

The IBM System z mainframe helps protect data by including security mechanisms such as secure access controls and strong audit capability, encryption solutions using a highly available key-store and tamper-resistant key processing, and network security features like built-in intrusion detection services and a network security policy agent. Together, these elements can inhibit identity theft. Updates include:

"Whether your security initiative is part of compliance adherence or business continuity, one important step is to ensure that data integrity mechanisms are in place," said Debbie Wheeler, Chief Information Security Officer at Fifth Third Bank. "We're proud to leverage IBM's 40 years of mainframe encryption technology to drive stronger customer confidence. Fifth Third Bank has formed an internal team focused on proper and effective use of cryptographic controls. That team is working closely with IBM to ensure that our emerging needs are understood, as well as developing strategic partnerships between IBM and other vendors to maximize the value of our existing and future investments."

IBM's risk management approach differs from that of vendors who sell piece parts rather than full solutions. IBM arms clients with the complete spectrum of products and services that address security compliance requirements. To that end, IBM ISS today announced the industry's first end-to-end solution to help address PCI Compliance. (See release at

PCI Compliance End-to-End

The new program from IBM provides clients with the products and services required to achieve compliance with all 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS). Unlike competitive offerings, the comprehensive program is designed to take companies through the entire PCI compliance process, from assessment to compliance to certification. Leveraging IBM services and technology provided primarily by IBM ISS, Tivoli, Rational and IBM Systems and Technology Group, IBM can help clients meet PCI requirements for safeguarding customer payment card data.

Hughes Network Systems, the world's leading provider of broadband satellite networks and services, selected IBM to take its HughesNet® broadband network service through the PCI compliance process.

"As a leading managed services provider to major enterprises, Hughes strives to provide a wide range of services and applications to our customers," said Mike Cook, senior vice president, Hughes Network Systems. "PCI DSS compliance is critical to our customers' operations, and it is imperative that the network services we provide meet those requirements. IBM's comprehensive program took us successfully through the entire process, from assessment through to certification."

IBM Research Project - Security Risk Management

A key component in IBM's strategy to arm CIOs and CISOs with new risk management tools is a collaborative initiative among IBM Research, IBM Software Group, and academia called Security Risk Management (SRM).

Increasingly, Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) are focusing on securing critical business processes, not just the underlying IT assets, and translating operational metrics into business measurements. CIOs and CISOs are now using this capability to manage IT security as an operational risk.

SRM aligns security controls with critical business processes and their risk management objectives. IT executives can manage and allocate risk across all security domains to optimize business results. SRM performs critical assessments, compares business-level risks across the enterprise, quantifies the risk managed and the cost of each IT control, and automates control testing, allowing firms to make significant cost savings.

SRM capabilities include:

With risk management becoming an important measure for audits and appraisals, Security Risk Management provides strong evidence of effective IT security operational risk management. The closed-loop process improvement model, from business alignment and risk quantification, helps companies optimize business results over time.

Driving Risk Management Open Standards

As a major contributor to collaborative, industry open standards, IBM took a leadership role in driving the recent acceptance of Web Services Policy 1.5 as a recommendation by W3C, the international consortium for Web standards. The Web Services Policy Framework provides an open standard for organizations to manage the policies for computer systems and users in a Web services-based system.

Implementations of the Web Services Policy Framework include different policy domains. Web Services SecurityPolicy defines security policies that fit into this framework. Policy implementations that support these standards help automate the management of secure user provisioning and access to systems, which speeds the process and helps reduce the risk of errors that arise when it is handled manually and without a defined policy.

"Customers deploying Web services-based solutions with advanced quality of service characteristics, such as security, want to avoid the need for manual exchange of configuration information," said Anthony Nadalin, chief security architect, IBM Tivoli. "The Web Services Policy specifications facilitate interaction between producers and consumers of Web services within context of a 'Quality-of-Service' policy. IBM offers support for these important standards in IBM WebSphere and Tivoli products, and helps our customers manage business policy to improve the overall capabilities of risk management."

Security for Small and Medium Sized Business Around the Globe

IBM is collaborating with innovative business partners around the globe to deliver the most advanced security solutions to small and mid-market (SMB) clients. In Germany, channel distributor Azlan has broadened its existing relationship with IBM to include the ISS portfolio of security services.

"The IBM ISS portfolio offers unique cross-selling opportunities for small and mid-market businesses. We appreciate the commitment from IBM to the channel and SMB," said Marc Muller, Managing Director of Azlan. "Together with our value add resellers (VAR) in Germany, we will follow our successful strategy in the SMB market, investing in sales, marketing and technical enablement resources at our site and in the VAR community to meet client needs in consolidation, data protection and security integration in new and existing business opportunities."

For more information on IBM's security services, software, and hardware solutions, visit

About IBM

For more information, visit

Note to Editors: Images and broadcast-quality b-roll are available for download by registered journalists at

1 AMR Research, "Market Demand for Governance, Risk Management and Compliance, 2007-2008," February 22, 2007.