IBM is aggressively expanding its security portfolio in hopes of becoming the de facto source of advice and technology for businesses looking to adopt high-level IT governance and risk management strategies -- a transformation among customers that officials at Big Blue cite as both ongoing and inevitable.

As the waves of security threats and data management regulations have washed ashore and left organizations struggling to balance perimeter and internal security concerns with mounting obligations to protect highly-valuable data, companies are being forced to take more of a top-down approach that addresses broad sets of IT-oriented risks, versus individual problems, IBM officials maintain.

And while a host of players ranging from security software makers to massive IT consultants have begun marketing themselves as those best suited to help customers embrace a governance and risk management approach, IBM executives claim that their firm's mix of technology, services and partnerships place it at the top of any list of providers capable of helping organizations prepare their security operations for the future.

"We feel that we're ahead of the curve and driving forward our ability to meet these needs, some of which that might not yet have emerged from a broad perspective," said Kris Lovejoy, IBM's director of corporate security strategy.

"We feel that we are creating security risk management capabilities and have an opportunity to commoditize them in a way that can be leveraged at large," she said. "From an overall strategic perspective, that doesn't mean that customers are ready to stand up en masse right now and require everything we've built, but we're actively trying to extend the portfolio in advance of that trend."

Industry specialists, including Symantec and McAfee, the world's two largest security software makers, have also adopted high-level product and marketing efforts meant to help customers move away from battling individual threats and compliance regulations in favor of a more generic risk management strategy, but IBM claims that it is better positioned to help customers move in that direction today.

While the traditional security vendors have long been focused on shipping products that address various elements of end-to-end security and have only moved into risk management in the last two years, Big Blue has its own products and services as well as partnerships with those very vendors and many others that give it an upper hand, IBM executives said.

"In a sense, today, security is like a car without a steering wheel, and we think we're the only vendor who has the right abilities across all the involved domains that can drive change across business processes," said Eric McNeil, manager of corporate security strategy at IBM. "These other companies touch on a lot of domains, but we're the only ones who have all the pieces that span identity, applications security, physical security, and asset lifecycle management."

With its broad array of product and services skills, the executives said that IBM is best qualified to pull together key components that will allow more organizations to manage security using analytical reporting, policy creation and enforcement, and through the use of risk analysis dashboards.

The executives cite two areas, IT service management and master data management, as tremendously important to its ability to aid customers in addressing risk. To be able to build controls to oversee change and configuration issues on the services side and help companies get their heads around the intricacies of master data management, customers will need more than the traditional security vendors can offer, said Lovejoy.

"The security companies of the future are not the companies that offer capabilities for the newest bells and whistles, it's about those things and more, including all the plumbing needed to make these strategies work," said Lovejoy. "While traditional security players that off threat management have great benefits in securing a perimeter, they're not adept at installation of basic plumbing, which actually helps in managing the majority of the risk."