Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


IBM, Symantec Tackle Compliance

New tools and strategies promise to cut costs, speed projects; now they have to deliver

The march of the compliance management frameworks has begun, and some of the industry's largest vendors are looking to grab the lead.

IBM today launched a broad effort to help users with IT governance, compliance, and risk management. Big Blue's framework is headed by the Business of IT Dashboard, a suite of asset-based services designed to help enterprises assess their current strengths and weaknesses in critical areas of IT governance, including security.

The new initiative harnesses many of IBM's recent acquisitions, including products from Micromuse, Internet Security Systems, Consul, FileNet, and Rational.

"These are products and services that help fill the holes between management and security tools and help bring the business and IT together," says Kris Lovejoy, director of strategy for IBM's Governance and Risk Management (GRM) unit. "We want to be the glue that brings them together."

IBM's announcements come just a day after Symantec launched an updated version of its Symantec Control Compliance Suite, which is "designed to reduce the cost and complexity of IT policy management and compliance by automating the assessment of policies against industry regulations, standards, and best practices," the company said.

"Most organizations already have the controls and processes they need to achieve compliance," says Indy Chakrabarti, group product manager at Symantec. "What they don't have is the means to look across the different tools and silos that all play a role in compliance, and the means to enforce the policies. CCS can help them do those things."

IBM and Symantec join a raft of smaller vendors that have been rolling out new compliance management tools in recent months. Agiliance, CipherTrust, LodeStar, and Blue Coat Systems are just a few of the many companies that have entered the compliance race in recent months. (See 10 Hot Security Startups and Compliance Announcements Show Breadth of Concerns.)

Analysts generally agree that enterprises need some sort of tool to track their security compliance efforts, but they are not all sold that there's a need for an enterprise-wide framework for "governing" and monitoring policies across the entire IT environment.

"I'm excited to see IBM trying to tie its efforts together with a consistent strategy, instead of going off in a lot of different directions," says Michael Rasmussen, an analyst at Forrester Research. "Standards like COBIT and ITIL only go so far, because they don't give a lot of specifics. IBM is taking IT governance more down into the weeds, putting some real products in with the concepts."

But Eric Ogren, founder of the Ogren Group, says enterprises should be wary of frameworks that promise to take all security and management data and put it into a single structure. "The idea that you're going to categorize everything and put it into some kind of IT governance 'dashboard' is just a crock," he says. "It's a fool's errand."

The most important promise that compliance management products can help fulfill is to lower the costs of compliance, Ogren says. "Companies are putting a ton of money into compliance, and they're looking for ways to generate better return," he notes. "To the extent that these products can cut costs and speed up the compliance effort, that's where their value is."

IBM's Lovejoy says the company doesn't expect most customers to deploy its entire compliance and risk management framework. "We wanted to help them with their key pain points, which are security and compliance, business resilience, and service management," she says. "We're giving them the tools to help solve those problems individually, but then they can re-use the resources we're giving them to address other issues of IT governance as well."

IBM will drill deeper into the security compliance with its next round of announcements, Lovejoy says. The company is preparing a "risk readiness" service through its ISS unit to help assess vulnerabilities and do a proactive analysis of risk, she says..

— Tim Wilson, Site Editor, Dark Reading

  • Agiliance Inc.
  • CipherTrust Inc.
  • IBM Internet Security Systems
  • Symantec Corp. (Nasdaq: SYMC)
  • IBM Corp. (NYSE: IBM)

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    44% of Security Threats Start in the Cloud
    Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
    Zero-Factor Authentication: Owning Our Data
    Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    How Enterprises Are Developing and Maintaining Secure Applications
    How Enterprises Are Developing and Maintaining Secure Applications
    The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-02-25
    An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore...
    PUBLISHED: 2020-02-25
    An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass ...
    PUBLISHED: 2020-02-25
    A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation.
    PUBLISHED: 2020-02-24
    An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's } parser function.
    PUBLISHED: 2020-02-24
    When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that ...