International Business Machines Corporation (IBM) Earnings Call Transcript & Summary

Good morning, good afternoon and good evening to our viewers around the world, and welcome to IBM Securities Webinar. Your network security is in the Cloud, welcome Secure Access Service Edge, or SASE. Before I pass it off to our speakers, I'll go over a few housekeeping items. As part of the event console, you can see a Q&A tool on the left-hand side of your screen. You can use this throughout the webinar to contact us for any technical issues or ask our speakers questions. For more information and content, you can also check out the Resources tab on the right-hand side of your console, and you can access on-demand recording using the same length that you used today. Without further ado, I'd like to pass the mic over to our speakers, Norman Dorsch and Blossom Pinheiro, Senior Product Managers for SASE. Blossom, take us away.

Hello, everyone. Thank you for joining us today. Organizations across nearly every industry are accelerating their digital transformation globally to drive innovation, gain agility and competitive advantage. Companies are evolving their digital strategies by refactoring apps to be more modular and containerized and shifting to SaaS in order to move fast and to scale. A few years ago, data was more centralized and there was a defined perimeter. Now it's everywhere. It's a shared resource moving between platforms, devices, applications between departments, partners, communities, business by using AI and analytics to find untapped value in this data. They're embracing the hybrid cloud to match the right workload to the right cloud environment. Clearly, digital transformation is essential to businesses to adapt and scale with new technological shifts, innovate, enhance their customer experience and drive revenue and profits. Due to the complexities and inherent risks and challenges associated with disappearing perimeters, disposed workforce, distributed application architecture and so on, cybersecurity is a crucial nonnegotiable component of the digital transformation strategy. Why? Because the company's digital future requires security to deliver trust, privacy, resiliency, compliance. Their customers demand it and their reputation depends on them. Security should be incorporated in these key transformation, but that can be a challenge. We start by taking a look at today's security infrastructure. What we see here is typical for a customer today when the security is tied to the data center. But with applications being hosted on the private, the public cloud, on-premises and the use of SaaS applications, with users being able to connect from anywhere, the office, their home, on the road using public Internet connections, how do you ensure that intended end users everywhere can access critical applications and data security? Today, this is typically done using outdated perimeter-based VPN technology. However, VPN was never built for scale and has a terrible user experience. And it comes with latency and potential security flaws. Unlike a VPN, which focuses exclusively on the network, ZTNA goes up a layer, effectively providing application security that is independent of the network. It is also seamless, which can significantly improve the user experience. ZTNA improves the user experience because it works transparently in the background. You can click on the app you want to access, and behind the scenes, the client does all of the heavy lifting. Secure connections are made, and security protocols and inspections are applied to ensure an optimal experience. Users don't have to worry about setting our connection and where the application is located. At the same time, half of the organizations are saying, they don't really understand what normal baseline activity looks like inside their networks. So they don't really know what's going on. And almost all of securities, all of the security specialists recognize that attackers are targeting VPN to access the network, which means that this is one of the biggest weaknesses. Per IBM Securities 2021 X-Force Insider Threat Report, 47% lack an understanding of what normal baseline traffic activity on their network looks like, compared to potential malicious activity. The 2021 Cyber Insiders VPN Risk Report shows that all the -- although 93% of companies are leveraging VPN services, 94% are aware that cyber criminals are targeting VPNs to gain access to network resources.

Blossom, you shared some really good insights into the challenge. Norman, how do enterprises even approach this dilemma? And is there a new approach?

Well, there is. Thanks for asking. And yes, luckily, there is. This is where SASE comes in. So it stands for Secure Access Service Edge. And what SASE really is, is the convergence of traditional cloud-based network security as a service technologies, like you see on the top of the gray box here, and cloud-based networking as a service technologies, like you see on the bottom end of the box. What SASE does is, it takes all these technologies and puts them into one comprehensive framework. And this is a very important point. SASE is not a new technology. It is a framework that really combines these existing cloud-based as-a-service technologies under this converged comprehensive lens. So what SASE really does is it enables us to move the network to every user, every device and every application securely and wherever that user or wherever the application is. We've heard it from Blossom earlier, you've got the users everywhere, you've got the applications everywhere. SASE connects them securely. This all comes with a set of huge benefit. So anytime, anywhere access, consistent security controls across the enterprise, reduced infrastructure costs. consolidated legacy applications, but we can keep the ones that you need. Fast and secure user experiences and an overall improved user experience. Overall, a simplified networking and security and IT operations. And also SASE is a very important part of every Zero Trust posture and is a very important first step into Zero Trust. We see this here on this slide. So -- we, IBM, and the industry in general, see Zero Trust as the way forward with security. And as we say, SASE is a key element of the Zero Trust security posture. So let's be clear on what we mean. Zero Trust is also just a SASE, not a product or a single solution. Zero Trust is also an approach. It's also a framework. And as just said, SASE is an integral part of that approach, of that framework. And you see it here in the middle of the slide, how SASE is the centralized framework that connects the users and the applications again wherever the user is or wherever that application is sitting. So yes, as I just said, SASE really moves the network to every user, to every device, to every application securely and wherever they are, but also as part of this broader Zero Trust posture, which really looks at network security as part of an end-to-end security Zero Trust posture. And what we see as part of Zero Trust are these key principles and core principles that are listed on the bottom of the slide. So it's all about insight. We -- our principle is to enable the least privileged access that's needed enforcement, never trust, always verify, and also detection and response. We assume that a breach will happen. So how to detect and how to respond. Those are the key high-level principles, and it's important to understand that SASE is part of every Zero Trust journey or every Zero Trust security posture.

So I can really see how this is an entirely new way of operating IT and security rooted in Zero Trust, and I'm sure that this isn't really a walk in the park, right? What adoption considerations are there? And how would an organization go about adopting this framework?

That's a great question. And so I mean we've heard earlier, right? It's really a convergence of existing technologies. It's a convergence of traditionally siloed technologies, like networking and security, and that's why it is challenging to that. So you've got it listed here. You've got skills and teams, strategy and technology. So it's a cultural issue that you have to overcome. There are strategic concerns that you have to overcome and also the technological ones. So yes, you traditionally have siloed teams across networking and security with separate network operation teams, security operation teams. There's often what we see in the market is that there is limited multi-domain expertise. So the security folks know their security stuff and the networking folks know networking stuff. There's also no converged strategy. So you've got 2 different product strategies, 2 different adoptive strategies that are completely running independent of each other. And so this whole large-scale transformation is not -- is often overlooked, and things are budgeted separately and strategized separately. Also on the technological side, you often have existing investments. So companies have made investments into CASB, into secure web gateways, maybe adopted a Zero Trust Network Access technology already, but not looking at the holistic picture. So there's a lot of -- a lot of potential challenges that need to be overcome and a lot of synergies that really can be leveraged when done correctly. And this is how our approach -- or what our approach is also about because what we tend to do and what we want to help with is really be that trusted adviser to help clients in their SASE journey. As just said, I mean, it is not a trivial implementation. Marc, you said it, it's not a walk in the park, right? So you've got these cultural challenges. You've got the technological challenges. You've got strategic considerations to overcome. So what we found was important for clients, where we've successfully helped adopt the SASE strategy, was these 3 key points here. So a target future state that really enables Zero Trust at scale. Secondly, the rationalization of existing tools and new investments. And then lastly, to identify the business drivers that are critical to your organization right now, but also in the long term. And so in order to achieve this, what we've been doing, what IBM Security has done is really developed a 3-phased approach, really providing the SASE solution optimized for our clients, and we got 3 steps in that. So number one, we have -- we plan your journey, leveraging a maturity road map. So we have a 5-step maturity model, which really takes you from the early foundational maturity up to an enhanced, we call it, the Level 5 maturity reduced end-to-end Zero Trust. We can help you identify where you stand today on that maturity and what your target state is. Secondly, prioritizing the business drivers that deliver positive outcomes. We're just -- we're going to hear more about this shortly in the next slide because we -- our approach is to really focus on the business drivers for our clients and look at what the SASE really help you as your organization to -- on a business driver basis. And lastly, we have to approach the transformation at the pace that suits you. It's not a rip and replace. We can leverage existing investments. It's not an overnight, overhaul of the entire infrastructure and it shouldn't be. But we can look, what's your current maturity, where do you want to be with this, and what can we leverage from your existing investments in order to get you to that level where you want be. So let's look at what we're actually offering.

All right. So this slide gives you an overview of the IBM Security Services for SASE offering and why IBM Security Services. So IBM Security Services for SASE offering takes a business driver-based approach. That is also aligned with our Zero Trust and SASE maturity model that Norman just spoke about. There are the 5 key use cases or business drivers that SASE customers typically face. You see the hybrid workforce access, third-party access, mergers and acquisitions, network transformation and 5G edge computing and IoT. This is an outcomes focused use case-oriented approach. Each business driver that you see here maps directly to a category in our SASE maturity model as well as to underlying technologies that make up the SASE architecture that we suggest. All of this is based on the core principles of Zero Trust, which is to enforce least privileged, never trust, always verify and assume that a breach is always inevitable. Next, let's talk about what services are covered with this offering. We start with understanding what the clients' needs are and designing a solution, implementing that solution that is unique to that customer and then managing that solution in steady state. With integration, we employ our use case-based approach. We work with the clients as a trusted adviser, identify their current and their target maturity, develop and advocate a solution based on the broader Zero Trust framework, and that will help them evolve their overall security strategy based on their chosen outcome at a pace that suits them. We configure and deploy the solution and additionally, define and migrate existing and new policies. We also provide managed services. Policy management, incident and service request management, troubleshooting third-party vendor coordination, health and alerting, security reporting and governance are some of the services that are offered with managed services. And lastly, we also offer tailored services for more complex deals with custom and unique requirements. We've seen that organizations, like our customer, who is a large global chemical company, or a large U.S.-based transportation provider, have required cutting-edge end-to-end SASE services. what falls into what Norman mentioned, the last maturity -- last maturity level on our SASE model. That is integrated with a broader network transformation and SD-WAN strategy. We can help with that, too. We will advocate the right SD-WAN partner for your unique solution and create a SASE design, which is integrated to the customer's network transformation approach, native SD-WAN support will be part of our strategy. You've heard from Norman that SASE is not one technology, but a framework that converges existing cloud-based networking and security technologies under a single comprehensive framework. Integration and managed services are provided for those technologies are outlined in the left-hand side. Zero Trust Network Access, DNS, CASB, secure web gateways, VLP, firewall-as-a-service, remote browser isolation and SSL encryption. SWG and ZTNA are key entry points into SASE. And often, we see clients starting out by implementing those technologies. Another key entry point is around SD-WAN, which, as I mentioned before, is at a high maturity level on our SASE maturity model. There are multiple options for the best SD-WAN solution, and SD-WAN comes with benefits, such as cost savings through Internet offloading, dynamic path selection and policy-based routing. We support integration wholly or management-only solutions depending on what the clients' requirements are. To summarize, by focusing on business outcomes rather than grappling to find the right technology, IBM can provide a comprehensive solution that enables business-driven transformation. We bring our industry-leading skills and expertise through our advisory integration, managed and tailored services, and bring with that a true steps change with our accelerators and methodologies for true end-to-end support.

Norman and Blossom, thank you so much for your insight on this revolutionary framework. We've covered a wealth of information related to SASE here today. And our security and cloud specialists are standing by to answer your questions. So feel free to add those to the Q&A module. Be sure to visit our web page at ibm.com/security/services/sase, to dive a little bit deeper into this topic. And here are some next steps for you to consider. Assess your current strengths and gaps of your current network and security environment and where you'd like to go. Think about the critical business drivers that could accelerate your SASE transformation that we talked about today, and then plan and create your adoption plan for a modernized network and network security infrastructure. Lastly, consider the strategic and tactical outcome of working with a trusted adviser and best-in-class managed security services provider, like IBM Security Services. We can definitely help you along this transformation journey. With that, we have several questions that came through for us today. [Operator Instructions]. We'll look at those, and our experts will be here to answer them for you today. Thanks so much.

Okay, everybody. Yes. So we've got a couple of questions that came through the chat today. Norman and Blossom, the first one that we wanted to cover today, which industries can readily or quickly leverage Secure Access Service Edge. Blossom, do you want to go ahead and take that one?

Sure. So any industry, any size of business, big, small, they can adopt SASE. They can start small and grow. If they already have a security or network investment made that they can benefit from, they can take that next step. This is versatile. It's scalable. It is at your pace. So that's what -- I think anyone can adopt SASE.

Great. Thanks, Blossom. The next question that we had that came through on chat. And if you're attending today, please, you can go ahead and enter your questions in our Q&A module. It should be on the right-hand side of your screen. We'd love to answer your questions. The second one that we had that came through is how does Zero Trust Network Access relate to SASE? Could you dive a little bit deeper on that. And Norman, I'll let you take that one.

Okay. So yes, how is ZTNA related, right? So ZTNA or Zero Trust Network Access is an integral part of SASE. It's one technology of that broader framework. And it is also an important starting point. So if you consider the whole SASE framework, you have multiple entry points into that. Often, we see clients using -- starting with an SD-WAN strategy. Often, we see clients starting with the secure web gateway strategy, And often, we see clients starting with the ZTNA, Zero Trust Network Access strategy. So those are great entry points into SASE, and ZTNA is an integral part of every mature SASE framework. And SASE in itself then is part of a broader zero trust security posture. So consider ZTNA part of SASE and SASE part of Zero Trust.

Great. Thanks, Norman. So the next question that we have it's kind of an interesting question. So how do we even start to go about getting our network security and network operations team to work together towards a SASE framework. I think this one hits on a couple of different areas. Blossom, do you want to touch on that?

Sure. Yes, it is a cultural change, right? So you're introducing a new technology, you have to keep it all about involving people, process and technology, having all these different teams represented as stakeholders, have a voice at the table, but that keeps it -- that makes the impact that everyone is involved and everyone has a voice, It is definitely a cultural change.

So here's another question. How do we balance existing network investments between hardware or on-premise, that's not fully amortized, as well as software contracts against an investment in SASE? I think this is a really great question. And Norman, do you want to take this one?

Yes, sure. So I think the answer is you can really leverage most of the time what is already there. So if you've got existing investments into security hardware components or software subscriptions, like if you started with a CASB, for instance, and you've done a cloud access security broker, deployment already, you can leverage that and make it part of your broader end-to-end SASE journey, same with firewall and then kind of build upon a firewall-as-a-service strategy. So I mean we've said it in the webinar, right? SASE is never a rip and replace, and we can leverage existing investments and build upon what customers have today. So no money that you spent so far is [indiscernible], but can be leveraged for a broader end-to-end SASE.

Good deal. Well, we want to be conscious of everyone's time. Norman and Blossom, thank you very much for your expertise today. Thank you for everyone for your questions that you put in the chat. And I have all of us here at IBM, we hope you enjoyed today's presentation. Have a productive and secure rest of your day. Thanks again.

Thank you all.