The security landscape and nature of threats is far different than what it was a few years ago. The nature, extent and velocity of attacks has changed today. And with businesses moving IT infrastructure to the cloud, application security becomes even more relevant.
In this context, IBM changed its whole approach towards security. BW CIO World met Kartik Shahani, Director & Integrated Security Leader, India & South Asia, IBM to discuss the new approach. He carefully took us through the security blueprint that IBM has for enterprises.
IBM believes it is the fastest growing security provider in the world. Its security division reports annual revenue of $2.5 billion. Gartner points out that IBM’s security business is growing faster than the market.
BW: In the face of changing architectures and models, how has IBM changed its approach to security?
Kartik Shahani: Over the past decade we’ve seen cloud (computing) slowly changing to a reality. In the initially stages, organisations adopted a hybrid cloud, moving some of their applications to the cloud. It was not the core applications and people were just experimenting with the cloud. They were also busy dealing with BYOD (Bring Your Own Device) and the dissolving of the perimeter. The major concern about cloud then was security. People would ask how could we provide security as they got in and off the cloud – and also about security in the cloud.
When IBM looked at its whole (security) portfolio it realized that it had to provide more value. It had to find a differentiator. The differentiator is our Cognitive Technologies.
With Cognitive Technologies, we can span from small businesses to the largest enterprises. We also have very high-end technologies such as i2 for analytics, which is used by police and defense.
BW: Can you explain your integrated approach to security?
Kartik Shahani: Customers can either deploy discrete security products and services or they can take managed services from us. Managed services isn’t restricted only to IBM products. It can be any product that a customer needs. We have partnerships with all OEMs. The SIEM (Security Information and Event Management) can be from a particular company, because it is their global policy. We will buy and deploy that (non-IBM) product for the customer. We will also address very specific customer requirements. So we may provide the services ourselves or through our partners (ISVs, consultants).
We ask the customer about the expected outcomes. They may say they need to increase visibility by say, 40 per cent, or to improve security stance by 30 per cent, or response time in a certain defined period. We put together the best solution to address this expected outcome.
We combine security, cloud and cognitive to give the customer a new view to their entire infrastructure.
BW: What is your go-to-market security blueprint for organisations?
Kartik Shahani: We believe that there are four phases that any organization would need: The Control, Compliance, IT Risk and Business Risk phases. All companies fall into these four categories.
In Control, there are mostly startups who require anti-virus, basic firewall etc. We go to them through our SMB (channel). And we have specific products, mostly cloud driven services. Within Compliance, there are companies that are just getting into automated compliance, they are more mature and higher level SMBs. They are the Commercial segment and we go to them through partners like system integrators, and even directly if required. The next phase is IT Risk, and these are the highly regulated companies from banking, insurance, telecom and healthcare. This is the Enterprise class. We go directly to them and understand their requirement. We offer them direct solutions or managed services; on cloud or on premise. Finally, we have the ‘mega enterprises’ who are the large conglomerates like large telecom companies. We just do the fine-tuning of their solution which will make a big difference. They already have the full solution in place but it may just need a tweak. We approach them through large consultants, SIs, global SIs or even directly.
The first two phases (Control and Compliance) are more tactical. The last two (IT Risk and Business Risk) are more Strategic.
This serves as a roadmap or blueprint for organisations.
BW: What is ‘Security Posture’ all about?
Kartik Shahani: We are talking about an immunity system which an organisation should develop. Today organisations have security at different levels and we want to take organizations to the next level.
We believe that your digital transformation journey isn’t complete without a security posture transformation.
Over the years, organizations have bought different security solutions and bolted these to their infrastructure. There’s anti-virus, intrusion detection, etc that were bought as and when required. Security wasn’t really considered a business enabler in the past.
But with digital transformation, that has changed.
We urge organisations to take a look at all the security solutions they deployed over the years, and to re-evaluate it in the context of their business. They should look at how they can progress it to a different security posture that will hold good for the organization for the next five years. This effort involves consultancy, checking for vulnerabilities; it involves the infusion of technology, and it involves implementation and management of that.
Security posture is security readiness and the ongoing security status of your organisation. It is like your health posture. You have to continuously do health checkups as you age.