Tivoli tackles security puzzle

What is your role at Tivoli?

Arvind Krishna (AK): There are two missions. There is the formal day job, which is to define the strategy, make sure all the products come out on time, monitor quality and support customers. Then there is the real expectation, which is why provisioning and security are combined for my job that puts both sets of technology and products in one place. It was our intuition two years ago when we started down this path toward compliance and identity management. It's not enough to have two silos: one worried about managing people; the other worried about software delivery to machines. And there is another group just worried about putting together the infrastructure of a data centre in terms of which server has what software connected to which piece of storage. There is a linkage between all these topics. And these processes need to cross each other so IT managers can know which user gets associated with which machines that have which piece of software.

What does IBM propose to do to help customers handle those processes?

AK: IBM wants to give IT managers a place where they can go and look up that information. Our customers want to be able to find out who has access to which box and solve these problems in a way that is lighter weight and easier for an enterprise company or government agency to get this information. For example, we have a bunch of financial services customers and they have people that are completely obsessed and consumed by the identity management process. Customers also have Web services projects going on. If they are connecting their member institutions, in the financial services case, to their backend applications, it would become a lot faster if those Web services were linked to the identity management processes. You need to solve all of these problems in concert; it can't be one by one because then the projects become sequential and disintegrated from each other, which really causes both the slowness and the complexity that we see today.

So in IBM's view, systems and security management will be linked going forward?

AK: Absolutely, our recent announcements seemed more like systems management, but that was not actually our intent. We were saying that there are many processes, and identity management and security management are two of the processes among the 15 or 16 of those we identified as critical to enabling on-demand computing. Sometimes how those separate processes link into the others, which are equally important, is forgotten or ignored because we don't always say it explicitly.

IBM sees Tivoli as delivering integrated security and management products, but what does it offer in terms of security event management products?

AK: Today, to be honest, it's more that we are exploring it than me being able to point you to some of our products and declare that they are the strongest, because that's not true. We have some capabilities, but I would say it's not true that we are anywhere near as strong today as we are in the identity, directory and access side of security capabilities. At the same time, I am not sure who is.

How much R&D do you invest in, in terms of security-specific products?

AK: In a formal sense, IBM will tell me that we do not answer that question. But let me give you some hints. I would say that when I look at the direct number of people as opposed to dollars working on the R&D of products that are out in the security market, it's somewhere in the upper three digits. So it's not quite 1000, but it's more than 500. And that doesn't include anyone selling or marketing, this is just straight R&D.

When does acquisition become the more attractive option for IBM?

AK: There is a law of physics in software engineering: It will take two years. You just need a certain amount of time to develop the design, to build it correctly, to do the appropriate testing and to iterate it once or twice out in the field before it's ready. So if it's a case of something that is really important to the context of our technical strategy and it will take maybe two years to get it out there, and if there is a vendor out there that has pretty good technology that we determine integrates well enough with what we are planning, then an acquisition becomes attractive. We are always on the lookout. IBM deals with a lot of venture companies from that perspective.

Why is it important IBM take part in open standards?

AK: You need to integrate with other products, because in today's world it would be overly arrogant for anyone to presume they could provide all the answers to any customer. If you are to do that, you need to do so in a way that is easiest for everyone. I'll call it the virtue of open source. An open standard gets lots of very bright people working on it so you come out with something that people will accept as satisfying their needs. And I believe public inspection, much like in government, is a wonderful thing. It exposes mostly all the redundant, useless and wasteful elements, and forces us to improve because the embarrassment of it in public is not good. At the same time, some people will always say, 'Doesn't that give away your competitive advantage or strength?' And my response is always, 'We should make some things a common standard and then win on the basis of our superior execution and implementation, not on the basis of locking customers out of something.'

What about open source?

AK: As long as you have the correct legal protection around the licensing, and as long as there is a body of people supporting that work and technologists volunteering to support the work, then it can certainly be a good thing. I can look at a lot of what is happening as very worthwhile causes.
