Dan Farber reports on IBM's $1.5 billion security push, dubbed "an enterprise free of fear." (Note to IBM: "Free from fear" would be the more direct way of saying it.) But IBM, like others, is approaching security as code an enterprise would layer on other code, and processes on top of that code, rather than something inherent in the code itself, as Stuart McIrvine, director of IBM?s Corporate Security Strategy, relates:
"Our approach is that security is kind of broken. Companies are leaving security in the hands of IT and operations people, looking at servers, databases and putting up firewalls and updating antivirus signatures. But they have no real view of what they are protecting from a business strategy viewpoint, understanding the core objectives and risks to meeting those objectives."
IBM?s aims to engage the business side to surface key processes and systems, and from a top down to understand objectives and risk, and then to mitigate the risk with the available budget. "We are in the mitigation business, helping companies decide what risks to accept."
With all due respect, IBM's strategy should also attack "fear" and "risk" at one critical foundation of the problem: the code itself and how it is developed.
Without ensuring a code-level view of the products it is using to enhance security, IBM is only going halfway. Microsoft has long prided itself on the resources it was throwing at improving its security and, to its credit, its products have gotten better over time. But arguably Microsoft's products would have benefited from peer review, and not simply internal review. IBM is no different.
If an enterprise wants to lower its risks associated with software, it should ensure it's buying into a community, and not merely some binary 1s and 0s. It should also demand that it have access to the source code to modify as needed (though yes, few will do so, those who do act as a surrogate to those who don't or or won't).
In short, IBM should take its security story one step further and provide open access to its code. Done right, it's a key way to ensure that a customer's code is closed.