November 19, 2020 By Koos Lodewijkx 4 min read

To see more client stories like this, please visit

As the chief information security officer (CISO) for IBM, I’m often asked by peers and colleagues, “What do you think of Zero Trust?”

Or, perhaps more often, “What strategies are you using to keep IBM protected?”

First, many vendors in the security industry are looking at zero trust security from the wrong perspective. Security isn’t something you can just ‘do.’ Sure, you may be able to buy security tools or products. As a security professional, you might have a lot of experience at adjusting firewall or provisioning policies, or have specialized training to investigate incidents. While these things can be helpful in applying security to your organization’s business practices, they are not really advancing the business in a secure way.

That is an important distinction and provides the basis of our view of zero trust. Zero trust isn’t something you can buy or implement. It’s a philosophy and a strategy. And to be frank, at IBM, we wouldn’t even characterize zero trust as a security strategy. It’s an IT strategy done securely.

Cloud First — More than an IT Strategy

Consider this. For the last several years, our IT strategy has followed a simple rule: cloud first. Everything we build or buy — from our marketing tools to our developer technology to our collaboration applications — is delivered as a service or is available to be hosted on our public cloud. This strategy addresses two critical business objectives:

  • Enabling end-user productivity. First and foremost, end-user productivity is paramount. We need to connect our employees to the tools they need in the most fluid and cost-effective way possible. Moving everything to the cloud allows us to provide a consistent and seamless experience for our users no matter where they are or what device they use. The pandemic provided a great test of our strategy and, generally speaking, it was pretty painless. Our employees were able to continue working with little to no disruption.
  • Protecting critical data. Moving everything to the cloud also helps us from a security standpoint. Delivering employee tools and applications from the cloud allows us to be independent of our internal network. In turn, we can treat our internal network as a hostile environment. This allows us to put in more controls to help protect our most sensitive data.
If you’re looking to connect with other IBM users, please join our community.

A Deeper Dive into Securing Our Users

So how do we provide our users with seamless, fluid experience no matter where they are and protect our most critical data at the same time? Here are my areas of focus:

Identity as Essential Control Point for Authentication

Our centralized enterprise identity project is a cloud-based program that securely connects our users to the resources they need. The basic elements of this program are:

  • Providing single sign-on (SSO) to all applications using IBM Security Verify with OpenID Connect, Security Assertion Markup Language and other open standards. This helps employees limit the passwords they need to manage.
  • Deploying passwordless authentication wherever possible using FIDO2, QR codes and device trust. This makes it easy for employees to log in, while at the same time offering more security than relying solely on passwords.
  • Supporting modern verification factors using the IBM Security Verify solution for quicker, more convenient multifactor authentication (MFA) experiences with additional transaction information for users to correlate requests back to what they see on screen, reducing phishing attempts.

Device Flexibility Underpinned With Integrated Security Capabilities

A key tenet of our IT and security strategy is flexibility, so we offer our users a choice of devices to work from. This requires us to take extra steps — more integration — ensuring not only the integrity of the device, but also how it is being used.

We rely on user risk management technologies from IBM Security MaaS360, as well as endpoint visibility tools like JAMF and Intune to help us consider the risks of the endpoint at the time of access. These are a key part of our project and provide critical data to isolate endpoints in the event of a compromise.

Automation to Quickly Respond to Incidents at the Endpoint

While the practices outlined above go a long way toward insulating our most sensitive data, we know that it’s not enough. When nation-states attack, we have only minutes to respond before they move laterally from the endpoint to another area deeper within the organization.

As highlighted above, we offer our users flexibility in their devices; this translates to hundreds of thousands of endpoints to monitor. Using integrated endpoint detection and response, we can identify a threat and isolate or kill the device within minutes before the attackers have a chance to move. In addition to protection, we are using these use cases to increasingly automate the response process. This helps us intercept attacks at an earlier stage, which significantly decreases investigation time. It also allows our highly trained analysts to focus on the most significant risks.

Zero Friction, Zero Trust

At IBM, we are committed to building and maintaining trusted relationships with our customers. This trust is built on an expectation for delivering innovation, as well as protecting and safeguarding our intellectual property, customer data and employee information. For us, this requires a comprehensive IT strategy executed securely.

This requires flexibility to empower our lines of business to access and use the tools they need to create, deliver and market the innovations our customers expect. It means providing a stable, reliable environment for teams and individuals to connect to the applications and technologies they need to do their job — even in the midst of a pandemic. And perhaps most importantly, our approach is underpinned with multi-faceted security integrated tightly into the daily operations of our business, providing ambient protection of both our users and our data.

For more information on IBM’s implementation of zero trust, please reach out to your local sales representative (if a current customer) or contact us here.

More from CISO

Empowering cybersecurity leadership: Strategies for effective Board engagement

4 min read - With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are - serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why those initiatives matter? Maybe not. According to Harvard Business Review, only 47% of board members regularly engage with their CISO. There appears to be a…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

C-suite weighs in on generative AI and security

3 min read - Generative AI (GenAI) is poised to deliver significant benefits to enterprises and their ability to readily respond to and effectively defend against cyber threats. But AI that is not itself secured may introduce a whole new set of threats to businesses. Today IBM’s Institute for Business Value published “The CEO's guide to generative AI: Cybersecurity," part of a larger series providing guidance for senior leaders planning to adopt generative AI models and tools. The materials highlight key considerations for CEOs…

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today