IBM CEO Says He Feels ‘Sorry’ For SolarWinds, Cybersecurity ‘Biggest Issue’ For Tech Industry

“You always should be paranoid, you always should be very, very careful,” said IBM CEO Arvind Krishna.


IBM CEO Arvind Krishna—who calls cybersecurity the “biggest issue” of the next two decades—said he feels “sorry” for SolarWinds, which has been hit hard by what is considered one of the most damaging cyberattacks in the history of computing.

“First of all, I feel sorry for them [SolarWinds] because it was a really sophisticated and a vicious attack; it went on over a long period of time,” he said, referring to the SolarWinds breach that took place in December and has reverberated throughout the technology landscape, including Microsoft. “So to the best of our knowledge, we were not impacted. I’ll just leave it at that.”

The lesson from the SolarWinds breach is that the technology industry has a lot of work to do, said Krishna. “You always should be paranoid, you always should be very, very careful.”

Sponsored post

It’s a “massive investment” for companies like IBM to stay secure in the current threat landscape, said Krishna. “If I took away that investment I would probably add multiple points to IBM’s bottom line. But I would be then afraid if something happens maybe the whole business goes away. It is a huge cost of doing business.”

[RELATED: IBM CEO Arvind Krishna’s 10 Boldest Statements From CRN’s Exclusive Interview]

IBM has had rigorous “secure engineering practices” for multiple decades, said Krishna. “You have got to make sure that your code supply chain is really, really secure,” he said. “Because when you are a provider to banks and governments and health-care providers, you don’t want to be the source of carrying infections and malware and all those things.”

IBM has a long history of secure engineering practices, said Krishna. “Secure engineering practices are fundamental to us,” he said. “It is how we build our mainframe. It is how we build our software. It is how we build Linux. You have got to go do that. We work very deeply, by the way, with all of the agencies, both government and private sector who do these things to try to make sure we stay ahead of the vulnerabilities.”

IBM has long established best-in-class secure engineering practices centered on “code signing” and “encryption” with regard not just to data but to how software is built, said Krishna.

That is no small matter in a software landscape where some software products have “30,000 other packages embedded in them,” said Krishna. “Now whenever something happens you have got to grab the latest version of one of those packages and put it in there. So you have got to have the discipline to make sure that you are not getting lazy and letting something filter in.”

The bad actors wait for the “one open door or window” and then use that to get access to the entire building, said Krishna. “That’s exactly what happened here [with the SolarWinds breach],” he said.

As to just how important security is going forward, Krishna said the cybersecurity wars takings place between nation states is a sign of just how valuable data and information is in the current geopolitical environment.

“The world goes through these phases around what is valuable,” he said. “So why did people fight physical wars [in the past]? You fought physical wars because you wanted their land and their factories. The land to grow crops and by the World War II time you wanted the economic benefit of the factories and the people. Today that is irrelevant. What you want is the IP and the data. So you don’t fight physical wars anymore. You fight cybersecurity wars.”

Given that paradigm shift, all businesses must “step up” to meet the cybersecurity challenge, said Krishna. “We all spend money on policing,” he said. “We all spend money on locks and gates and doors. You are going to have to spend a lot more on cybersecurity because all of that other stuff is not that important anymore.”

IBM has one of the “biggest security businesses” of any technology company considering its combined software and services security footprint, said Krishna. “We intend to keep investing in that,” he said. “I see a lot of opportunity for growth in there for us.”

John O’Shea, president of distribution behemoth Tech Data, which is partnering with IBM on hybrid cloud and AI, said he sees IBM’s security prowess as a big advantage for partners.

Tech Data, in fact, is offering IBM’s Cloud Pak for Security as part of its Cyber Range, a virtual environment for training and testing security procedures.

“The security opportunity is all around us right now, so our ability to enable more of our partners to leverage these technologies is just going to help with the adoption of hybrid cloud,” said O’Shea.

Mark Wyllie, CEO of Flagship Solutions Group, a Boca Raton, Fla.-based IBM cloud partner, is betting big on IBM’s QRadar On Cloud (QRoc) threat intelligence platform.

“A little-known fact is that IBM is the No. 1 security provider,” said Wyllie, who expects drive double-digit growth in his IBM security practice. “They need to do a better job marketing their security technology.”