
IBM, Symantec Tackle Compliance

New tools and strategies promise to cut costs, speed projects; now they have to deliver

The march of the compliance management frameworks has begun, and some of the industry's largest vendors are looking to grab the lead.

IBM today launched a broad effort to help users with IT governance, compliance, and risk management. Big Blue's framework is headed by the Business of IT Dashboard, a suite of asset-based services designed to help enterprises assess their current strengths and weaknesses in critical areas of IT governance, including security.

The new initiative harnesses many of IBM's recent acquisitions, including products from Micromuse, Internet Security Systems, Consul, FileNet, and Rational.

"These are products and services that help fill the holes between management and security tools and help bring the business and IT together," says Kris Lovejoy, director of strategy for IBM's Governance and Risk Management (GRM) unit. "We want to be the glue that brings them together."

IBM's announcements come just a day after Symantec launched an updated version of its Symantec Control Compliance Suite, which is "designed to reduce the cost and complexity of IT policy management and compliance by automating the assessment of policies against industry regulations, standards, and best practices," the company said.

"Most organizations already have the controls and processes they need to achieve compliance," says Indy Chakrabarti, group product manager at Symantec. "What they don't have is the means to look across the different tools and silos that all play a role in compliance, and the means to enforce the policies. CCS can help them do those things."

IBM and Symantec join a raft of smaller vendors that have been rolling out new compliance management tools in recent months. Agiliance, CipherTrust, LodeStar, and Blue Coat Systems are just a few of the companies that have entered the compliance race. (See 10 Hot Security Startups and Compliance Announcements Show Breadth of Concerns.)

Analysts generally agree that enterprises need some sort of tool to track their security compliance efforts, but they are not all sold that there's a need for an enterprise-wide framework for "governing" and monitoring policies across the entire IT environment.

"I'm excited to see IBM trying to tie its efforts together with a consistent strategy, instead of going off in a lot of different directions," says Michael Rasmussen, an analyst at Forrester Research. "Standards like COBIT and ITIL only go so far, because they don't give a lot of specifics. IBM is taking IT governance more down into the weeds, putting some real products in with the concepts."

But Eric Ogren, founder of the Ogren Group, says enterprises should be wary of frameworks that promise to take all security and management data and put it into a single structure. "The idea that you're going to categorize everything and put it into some kind of IT governance 'dashboard' is just a crock," he says. "It's a fool's errand."

The most important promise that compliance management products can help fulfill is to lower the costs of compliance, Ogren says. "Companies are putting a ton of money into compliance, and they're looking for ways to generate better return," he notes. "To the extent that these products can cut costs and speed up the compliance effort, that's where their value is."

IBM's Lovejoy says the company doesn't expect most customers to deploy its entire compliance and risk management framework. "We wanted to help them with their key pain points, which are security and compliance, business resilience, and service management," she says. "We're giving them the tools to help solve those problems individually, but then they can re-use the resources we're giving them to address other issues of IT governance as well."

IBM will drill deeper into security compliance with its next round of announcements, Lovejoy says. The company is preparing a "risk readiness" service through its ISS unit to help assess vulnerabilities and do a proactive analysis of risk, she says.

— Tim Wilson, Site Editor, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
