Skip to main content

Chairman’s Letter

A commitment to corporate responsibility pervades IBM, from new hires to the chairman’s office. In this year’s letter, Chairman, President and Chief Executive Officer Sam Palmisano describes IBM’s long-term approach to corporate responsibility, and the IBMers that make it possible.

IBM’s Approach

Through the years, IBM has consistently expanded the definition of corporate citizenship, pushing the boundaries of what is required to be considered a responsible enterprise. In this section of IBM’s 2010 Corporate Responsibility Report, you will find more detail on our approach to corporate responsibility, and some examples of how that approach manifested itself during the past year.


At IBM we engage with communities around the world by offering our technology, services and expertise to help solve some of the world’s most complex problems. While the monetary value of these contributions is great, we eschew checkbook philanthropy whenever possible. We believe that this approach is the most efficient, effective and sustainable way to practice good corporate citizenship. And we believe it is helping to make the world work better. In this section of IBM’s 2010 Corporate Responsibility Report, you will find examples of the contributions IBM made to the global community this past year.

The IBMer

For the last 100 years, IBM has pioneered innovative approaches to hiring, managing and retaining our work force. From some of the earliest thinking on work force diversity to progressive programs for employee well-being and leadership development, this ongoing commitment to our employees is critical to the success of IBM and IBMers. And as the nature of our business changes, we will continue to apply the same innovation and creativity we use to develop products and services to our relationship with employees. In this section of IBM’s 2010 Corporate Responsibility Report, you will find examples of the commitments IBM made to its work force this past year.


IBM has long maintained an unwavering commitment to environmental protection, which was formalized by a corporate environmental policy in 1971. The policy calls for IBM to be an environmental leader across all of our business activities, from our research, operations and products to the services and solutions we provide our clients to help them be more protective of the environment. Download this section of the report (2.2MB)

Supply Chain

IBM manages a supply chain of more than 27,000 suppliers in nearly 100 different countries. We understand that managing a supply chain of this size carries with it considerable social responsibility. Even so, we are continually expanding the definition of what it means to run a responsible supply chain, challenging ourselves and our suppliers to reach ever higher standards of social and environmental compliance. In this section of IBM’s 2010 Corporate Responsibility Report, you will find examples of IBM’s supply chain responsibility efforts over the past year.

Ethics and Integrity

Both the size and nature of IBM’s business necessitate that it adhere to the highest standards of conduct. IBM employs more than 400,000 employees, and provides services and technology that support businesses, governments, schools, hospitals and highways. As such, integrity, transparency, privacy and risk management are all crucial parts of our business, and our commitment to making the world work better. In this section of IBM’s 2010 Corporate Responsibility Report, you will find examples of how IBM is setting the modern standard for business ethics.

Security and Privacy

Today’s digital society is built on the fast flow and analysis of information. The strides we make in gathering, routing and analyzing torrents of data hold the promise of an ever-brighter future, a vision we at IBM refer to as Smarter Planet. But behind these data are real people, real organizations and real concerns about privacy and security.

Balancing the potential of this modern technology with the privacy and security of our employees, our clients and their customers, and citizens in general is something we take very seriously at IBM. Our business depends on it. As a company, we are constantly evaluating these issues in the context of technological and cultural change. In doing this, we consider the role that IBM can and should play in addressing privacy and security concerns, both as a seller of information technology products and services and as a responsible corporate citizen.

We advocate an approach known as “privacy and security by design.” By that we mean that leaders responsible for the systems that serve society—systems like healthcare, transportation and utilities—should ensure that privacy and security are addressed from the start and not as afterthoughts. A holistic approach to doing so means the right policies, frameworks and technologies are put in place to facilitate ongoing security and privacy and earn the confidence of stakeholders.

In 2010 we engaged these issues in multiple ways. We have been leading developers of privacy- and security-enabling technologies. We have collaborated with business and government leaders to work toward public policies that enable both individual privacy and continued innovation. And as always, we worked to give our own employees the knowledge and reinforcement they need to champion security and privacy, both inside and outside of IBM.

Securing Data and Systems on a Smarter Planet
Securing Data and Systems on a Smarter Planet

As systems get more complex and interconnected, security needs change. These IBMers explain security by design, which builds security into systems from the earliest stages of design.

Privacy by Design

New privacy-protective technologies. A focus on innovation-friendly, business-ready privacy protection in government policy. Informed and enabled employees and consumers. These elements must work together to protect individual privacy, support economic growth and clear the path for innovative, world-changing uses of data.

Some see technology as a threat to individual privacy. But we know that technology can protect privacy as well. For decades IBM has been a leader in developing privacy-enabling technologies, or PETs. Over the course of 2010, IBM developed or refined our portfolio of critical PETs, such as homomorphic encryption, privacy-sensitive identity management, data masking and management techniques, privacy-enabled RFID and anonymization.

These technologies, and others like them, will play a critical role in protecting privacy in the digital age—as long as they are adopted and broadly applied. One way to encourage broader adoption is through collaborative standards bodies that combine public and private sector leadership. That’s why IBM joined forces with Microsoft to pilot cryptographic technologies that will enable European citizens to better protect their privacy and identities. The project, called ABC4Trust, uses privacy-enabling technology that will be piloted at a university in Greece and a secondary school in Sweden.

The four-year project will test privacy-preserving Attribute-Based Credentials (ABC) that allow the user to prove just the required information, without giving away a full identity. For example, instead of sharing the exact birthday or address, by providing a copy of an identification card users only prove that they are over 18 years of age and a student of a university or a citizen of a specific municipality, state or country. The ABC system will make use of IBM’s Identity Mixer and Microsoft’s U-Prove technologies.

In addition to the development of privacy-enabling technology, IBM has long been a leader in the field of privacy policy and practice. We were the first company to adopt a global privacy code of conduct. We were the first company in the Fortune 500 to appoint a Chief Privacy Officer. And we were the first company to adopt a genetic nondiscrimination policy.

Throughout 2010 we shared our views and experience with business partners, government leaders and not-for-profit organizations including via IBMers’ service on advisory boards for well-respected organizations like the Future of Privacy Forum, Electronic Privacy Information Center, Centre for Information Policy Leadership and the U.S. federal government’s Information Security and Privacy Advisory Board. We communicated the need for balanced commercial privacy policy frameworks that make it simple to share and analyze information responsibly, especially when it crosses borders. And we advocated the idea of industries voluntarily adopting enforceable privacy-protecting codes of conduct.

Within IBM, we mandate information security education for all employees from senior executives to recent hires, and have tailored a Privacy: What You Need to Know course for all employees who may handle personal data. We have implemented a global privacy self-assessment tool that guides employees who handle personal data.

Going forward, IBM is working with the academic community to better understand the privacy and security implications of the analytics age. In 2010, the company worked with Paul M. Schwartz, a University of California at Berkeley law professor, on a paper entitled Data Protection and the Ethical Use of Analytics. The paper was presented at an OECD conference to an audience of business and government professionals. Our hope is that it will serve as the starting point for an important conversation on the privacy implications of analytics.

Secure by Design

Security is an important aspect of the entire life cycle of a system, from design and architecture through to implementation, testing, deployment, maintenance and retirement. Systems designed and architected without security as a required attribute must be protected by other external means. But when one attempts to “bolt on” security to an existing system, the result is likely to be less effective, more expensive to maintain, harder to use and slower than desired. The resulting collection of systems may also still be vulnerable to security or reliability problems.

At IBM, we advocate a Secure by Design approach. We recognize our responsibility to shoulder our share of the technological challenge when conceiving, developing and marketing our technology solutions. But we also recognize the need for collaborating with public and private organizations that build market awareness of these issues and implement policy governing them. We understand our educative responsibility, not just our engineering responsibility.

Along these lines, in March 2010 IBM announced the formation of an Institute for Advanced Security, which helps clients, academics, partners and other businesses understand, address and mitigate the complex, multidisciplinary issues associated with securing cyberspace. Based in Washington, D.C., the Institute provides a collaborative environment for public and private sector officials worldwide to tap IBM’s vast security expertise to help them more efficiently and effectively secure and protect critical business information threatened by cyberthreats.

The global nature of information technology development today necessitates the application of secure engineering principles across the industry and across global development teams regardless of their physical location. Thus in December 2010, IBM announced its founding role in The Open Group Trusted Technology Forum (TTF), a global standards initiative that will provide a collaborative, open environment for technology companies, customers, governments and supplier organizations to create and promote guidelines for manufacturing, sourcing and integrating trusted, secure technologies. The forum’s objective is to shape global procurement strategies and best practices to help reduce threats and vulnerabilities in the global supply chain.

The TTF is a proactive response to the changing security and cyberthreat landscape and will address the mitigation of risks potentially introduced by vulnerable supply and development processes. Founding members are Boeing, Carnegie Mellon SEI, CA Technologies, Cisco, HP, IBM, Kingdee, Microsoft, MITRE, NASA, Oracle and the U.S. Department of Defense. Chaired by an IBMer, the forum will operate under the stewardship of The Open Group, an international vendor- and technology-neutral standards consortium.

In addition, IBM last year published a RedguideTM, in which we shared IBM’s Secure Engineering Framework (SEF). The Secure Engineering Framework describes IBM’s experience in creating an end-to-end approach to product delivery, with security taken into account. IBM published this Redguide in the hope that interested parties—whether they be clients, other IT companies, academics or others—can find these practices to be a useful example of the type of security practices that are increasingly a must-have for developing products and applications that run in the world’s digital infrastructure.

It includes sections on education and awareness, project planning, risk assessment and threat modeling, security requirements, secure coding, test and vulnerability assessment, documentation, and incident response. The Redguide can be downloaded here.