This month we are looking at two sides of the same coin: risk and policy management. Policies, as we know, come first when developing an information security architecture. Policy management tools allow us to translate our policies to the device configurations that will enforce them. These products might configure a few network devices or they might configure both network and endpoint devices. It all depends on what you are looking for. We had a pretty good crop of products in the lab this month, so there likely is something for everyone here.
Risk management products, on the other hand, help us measure and track our risk posture. You might think of them as the proof of performance tests for the policy management products. So, why do we care about these two, often expensive tools? After all, in years past, information systems risk management was the Rodney Dangerfield of security tools – it couldn't get no respect. Without the need to manage risk, we don't have the need to manage policies.
I'd like to think that the shift to recognition of the importance of these two tools was the result of universal enlightenment by the corporate world. Sadly, that probably isn't the case. Information security professionals have been preaching policy and risk management for decades and it has fallen mostly on deaf ears.
Then came a raft of new regulatory requirements, some of which force corporate execs to take personal responsibility for the sins of the organization. The world changed and many of us believe that it changed for the better. However, as that was happening a strange thing also happened. Organizational execs – especially those who control the purse strings – said “Gee, that's a pretty good idea. Why haven't we been doing this all along?” While it probably wasn't as simplistic as that, the fact is that the corporate world, especially, has started taking information security much more seriously, and that means that we need new tools. So vendors hauled out all those tired old tools that were sort of half automated and half manual, polished them up, started talking to potential customers about what they really needed (and were actually prepared to buy), and started tweaking. The products have been maturing over the past three or four years and the results are pretty impressive.
These tools – both types – are able to gather raw data with a minimum of human intervention, process the data intelligently, and display it so that it's actually comprehensible. In fact, I would have to say that as a genre these two product types are at the head of the pack when it comes to conveying complicated information in such a way that one actually can understand and act on it. They provide what the military folks call “actionable intelligence.” When the stakes are as high as they are today, relative to protecting organizational information and data, having this type of capability is worth a lot. A whole lot. That said, we took a pretty critical look at these products to make sure that they really did pass muster. This month we entrusted our products to the Two Mikes: Mike Stephenson took the helm on the policy management side and we passed the risk management products over to our risk specialist, Mike Lipinski. Between them, they looked at the cream of the crop in both product groups.
The result is that you should be able to get a good starting point for evaluation of both kinds of products. The tools were very different in some cases, but at the same time they covered the territory nicely. I enjoyed editing this issue because, as often happens, I get a personal update on the state of the particular markets that we are exploring. I hope it works out that way for you as well.
– Peter Stephenson, technology editor