Tom Noonan, general manager of vulnerability management provider IBM Internet Security Systems (ISS), is tired. During the past year, the former CEO of ISS, who was made a multi-millionaire several times over when IBM acquired the company for $1.3 billion in August 2006, has had to work harder than ever before. So why hasn’t he simply backed out of the technology race altogether? “I’m too young to retire!” he protests. Moreover, he adds, there is important work to be done.

During the past two years, IBM has pushed aggressively into the lucrative IT security market – currently estimated to be worth upward of $30 billion, and growing. But rarely has Big Blue made its overriding security strategy explicit to market watchers. Until recently that is.

With his feet now firmly under the IBM management table, Noonan has become a mouthpiece for – as well as an architect of – IBM’s vision of the secured enterprise of the future. In many aspects, this is a response to the current failings of the IT security industry which, Noonan claims provocatively, is in a state of “turmoil”.

By taking a reactive approach to the ever-growing range of security threats, the security software community has fostered the proliferation of stand-alone point solutions. This has resulted in the emergence of siloed enterprise environments, which are “highly inefficient and horrifically unscaleable”, and all the more vulnerable for their lack of cohesion, says Noonan. For this reason, IT security spend is expanding at nearly three times the rate of the wider IT budget, a situation Noonan argues is simply “unsustainable”.

IBM, which recently unveiled plans to invest $1.5 billion in building out its already formidable security arm, promises to offer the enterprise market something new and improved: end-to-end security that is baked into business processes across the enterprise. “The simple solution for customers is building security as a platform: that is, buying systems that were developed as a whole,” argues Noonan. In this model, security should also be delivered on a pre-emptive basis. The fundamental unit that the entire model protects, says Noonan, is data, which has effectively become the “new currency”.

ISS and its zealous general manager will play the lead role in realising this strategy. Indeed, listening to Noonan, it is sometimes easy to confuse who, exactly, acquired whom. ISS “chose IBM”, he says, because Noonan strongly believed Big Blue was the only company with the resources, product mix and market presence necessary to develop a platform that can protect business processes across the enterprise in a systematic and integrated way. “Scale matters in security,” says Noonan. “Bringing ISS together with IBM created a unique security company. Hewlett-Packard, for example, didn’t bring those strengths, and it was the same with Cisco and Symantec. But IBM was a truly unique proposition.”

For IBM, the chief attraction to ISS was its unusual, if not unique, managed service model, by which ISS monitors and manages vulnerabilities found on its clients’ networks, desktops and servers. According to Noonan, ISS is one of few security providers that contracts to service-level agreements with clients, under which it remunerates customers if protection targets are not met. As such, IBM felt ISS’s mature security delivery model complemented Big Blue’s already-strong managed, professional and privacy services arms. Services, moreover, are the highest security industry growth vector, IBM notes, at 17% and rising. ISS’s ability to detect and mitigate security attacks as they happen also fitted with IBM’s vision of a pre-emptive, rather than reactive, security service. This would also be well fed by ISS’s muscular research division.

In order to realise his vision, Noonan and the ISS team have been tasked with accelerating the integration of various components of IBM’s security portfolio, some of which has been achieved in the past year. The company’s answer to the Payment Card Industry (PCI) standard is a case in point: under what it claims is the industry’s only end-to-end PCI solution platform, IBM has combined elements of its acquired ISS hardware, IBM Tivoli compliance management software and application scanning software from its Rational software development division.

“The IBM ISS portfolio and integrated services platform provides a natural launching point for expanding security capabilities along very strategic themes and focus areas,” says Tim McCormick, vice present of the IBM ISS Business Solutions Group. But the path of portfolio integration has not always run smooth. “Sometimes it’s been a case of taking two steps forward and three steps back within IBM. It’s been a tough year trying to find our footing and trying to find the value,” he adds.

Despite being the darling of the IBM security arm, the business does not enjoy total freedom, he continues. “We had, for example, a strategic partnership with HP, which,” he says elusively, “is being worked on.” Overall, he continues, some of the points of integration the company foresaw as easy wins proved as much. “And some things turned out to be a dead end.”

Teething problems aside, the IBM management is still forging ahead at full steam. Peculiarly for an acquisition target, ISS has grown by 50% during the past year, says Noonan, in order to fuel the company’s vision. And IBM has more or less committed itself to future acquisitions in a strategy that ultimately, it seems clear, aims to position IBM as the provider of choice for large enterprises wishing to consolidate their security assets.

Futher reading

IBM sounds virtual warning Virtualisation technology is not nearly as secure as its advocates have claimed.

Security convergence Consolidation in the security space accelerates as the giants of IT jostle for larger slices of the expanding security pie.

Find more stories in the Security & Continuity Briefing Room