Current security market 'unsustainable', says ISS' Tom Noonan.
The information security industry is in a state of “turmoil” having pursued an “opportunist” and wholly “unsustainable” development strategy for the past 20 years, IBM’s security chief said yesterday.
Speaking at a press conference in Atlanta on Monday, Tom Noonan, former CEO and now general manager of Internet Security Systems (ISS), the vulnerability management provider acquired by IBM in August 2006, said that security vendors have failed to deliver the best possible solutions to the marketplace, for both pragmatic and competitive reasons.
By taking a reactive approach to the ever-growing spectrum of security threats, the security software community has fostered the proliferation of standalone point solutions, he added. This has resulted in the emergence of highly inefficient siloed enterprise security environments which are all the more vulnerable for their lack of cohesion, Noonan claimed.
“As an industry, we haven’t done a very good job. I believe part of this best of breed model is a self-preservation strategy,” said Noonan. “It’s highly inefficient and horrifically unscalable”. In effect, he continued, the security industry “throws components at customers, but we don’t give them a security system, and we leave the tough part of integrating these components to them. The security industry is now in a lot of turmoil because of the siloed model.”
The average ISS customer owns around 36 security products from different vendors, and spends around 50% of its IT security budget on the labour required to customise and integrate these point solutions. The overall cost of managing and maintaining these sprawling, disaggregated security estates is ballooning, with IT security spending growing at two to three times the rate of the broader IT budget.
This situation is rapidly becoming “unsustainable”, Noonan argued. “We can’t keep throwing stovepipes at our customers and ask them to just bolt it on.”
Noonan’s comments echo those of the controversial House of Lords Science and Technology Select Committee report published in July 2007, which heavily criticised the security industry for having effectively failed in its duty to protect businesses and consumers. A total lack of vendor-liability for security breaches, the report concluded, has created a commercial environment in which software providers have no incentive to produce high quality, robust products.
According to Noonan, however, customers have been complicit in this process and have continued to act out of tactical pragmatism when making procurement decisions, rather than acting strategically. “No risk officer has ever sat down and executed a comprehensive security model,” Noonan told Information Age.
IT chiefs have also consistently failed to hold their providers to account for poor performance, Noonan added. Under the prevailing delivery model security vendors contract to perform processes, such as patch management or vulnerability management, but they are rarely held responsible for, or measured on, the ultimate success or failure of these processes.
Moving to the managed service model, currently offered by a handful of established security vendors, including ISS, Qualys and Postini – itself recently acquired by search engine giant Google – offers a commercially compelling means of countering this costly culture of mediocrity, said Noonan.
ISS is currently pioneering the managed security service model, and claims to be the only security vendor in the marketplace that contracts to a rigorous service level agreement (SLA), mirroring the model already applied to more generic IT service contracts. Under these SLAs, ISS compensates its customers if it fails to meet agreed protection targets.
IBM, which has been on an extended security shopping spree during the past two years, recently unveiled its plans to invest a chunky $1.5 billion in building out its now formidable security division. Noonan has been tasked with overseeing the delivery of a coherent security platform that will draw on the various technologies across the infrastructure giant’s security arm.
The platform, which is still largely an aspiration, as Noonan admits, forms part of Big Blue’s aggressive push to become the security provider of choice for corporations wishing to consolidate their distributed IT estates.
Noonan is bullish that, as the security industry undergoes “radical change” in the coming years, IBM will be one of the few providers able to offer a truly integrated security suite and, as such, to capitalise on the industry’s historical failings.
Further reading
The state of security Businesses are looking at new ways to exploit the Internet. But these new practices introduce new security threats.
Security convergence Consolidation in the security space accelerates as the giants of IT jostle for larger slices of the expanding security pie.