Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:30 AM
Connect Directly

IBM: The Security Business 'Has No Future'

IBM executive tells RSA attendees that the security business is dead - and sustainable business is the future

SAN FRANCISCO -- RSA Conference 2008 – News flash: IBM is getting out of the security business.

“The security business has no future,” Val Rahamani, general manager of IBM ISS and of security and privacy for IBM Global Technology Services, told attendees here yesterday in a keynote address. Rahamani said the security industry as it is today is not sustainable, and that IBM is instead going into the “business of creating sustainable business.”

“The security industry is flying by the seat of its pants,” Rahamani said. “Security infrastructure has been dictated by the bad guys... as new threats arise, we put new products in place. This is an arms race we cannot win.”

Business sustainability is all about building security into systems and processes, she said. “If we really want to get ahead of the threat, we need to start thinking about re-engineering our businesses and processes. We need to make them more secure and compliant by design, and we need to move more security and compliance technologies into the fabric of our standard infrastructure and application environments."

Rahamani didn’t go into detail on IBM’s product plans for this approach, but she did say security companies must sell their customers solutions that assume “everyone is infected” so that they can safely do business, which makes a business sustainable. “It’s time to give up on the fantasy that education and antivirus will cure consumer security woes. It is not up to consumers to protect themselves. It is not their problem. It is our problem, because online commerce is not sustainable if it is not inherently secure. And the only way to make it inherently secure is to take ownership of the security problem.”

Fighting Trojans, worms, insider attacks, and outsider attacks one by one is futile, she said.

But there’s no way to stop chasing the threats, says Jeremiah Grossman, CTO of WhiteHat Security. "When you go into this room, how can you make sense of any of it? It takes a genius to bucketize it all," said Grossman outside the exhibit hall here today. "We’ll never get away from chasing the threats around."

The sustainable business approach makes sense for IBM, he says, given its existing business continuity service offerings.

IBM’s Rahamani, who recently replaced the now-retired IBM ISS co-founder Thomas Noonan, also talked about how the industry is in another transformational period, not unlike the emergence of the PC 25 years ago, and then LANs and WANs 20 years ago. “Ten years ago, it was the emergence of Internet-based computing. Today, it is the advent of secure Internet-based computing,” she said.

But Internet-based computing is not secure, she said, and is actually getting less secure all of the time. “Security is a big problem right now [with Internet-based computing], but we will innovate and solve it, just as we have in the past.”

Rahamani said that when she speaks to CSOs about threat statistics such as 7 percent of the world’s computers are infected, it doesn’t faze them. “But when I say, ‘The Storm botnet could already shut down your company if it so chose. So what are we going to do when 20 percent of the world’s computers are infected?’ they sit up in their seats.”

It’s all about putting security into the context of business operations, she said. “Parasitic threats are only a metaphor for the greater issue -- there will always be new threats to business sustainability, ranging from parasites to regulations to insiders to global politics. We cannot achieve true sustainability if we continue to focus on individual threats. We can only achieve true sustainability if we design security and continuity into our processes from the beginning.”

“The traditional security industry is simply not sustainable... We have a historic opportunity to change our mindset from IT security to secure business. We have the technology, services, and expertise available today to create truly sustainable business, even in a world where we assume everyone is infected.”

“The security industry is dead,” Rahamani said. “Long live sustainability.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • IBM Corp. (NYSE: IBM)
  • WhiteHat Security

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Navigating Security in the Cloud
    Diya Jolly, Chief Product Officer, Okta,  12/4/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-12-07
    The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
    PUBLISHED: 2019-12-06
    In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
    PUBLISHED: 2019-12-06
    In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
    PUBLISHED: 2019-12-06
    In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
    PUBLISHED: 2019-12-06
    n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...