Every year, we take a deep dive into two important types of information security management tools: policy management and risk management. Some may argue that they really are two sides of the same coin. I wouldn't debate that. Policy derives from risk analysis: we create policies to address risk, and then we apply those policies to the devices and software applications that must implement them. At the end of the day, all policy derives from the needs posed by risks to the enterprise.
We define risk, or at least I do, given that there are almost as many definitions as there are definers, as the probability that a threat exploiting a vulnerability will result in an impact. That definition implies both threats and vulnerabilities, of course. We understand risk by understanding, and assessing, threats and vulnerabilities. It turns out that we also manage risk by managing threats and vulnerabilities. Because of this interlocking relationship, we need tools that manage risk and tools that manage policy, and ideally they will talk to each other in some manner.
The risk environment is becoming more complicated as time goes on and criminals become more and more sophisticated. This complexity demands more sophisticated tools with which to address it. At the same time, enterprises are becoming increasingly complex. The combination is a difficult one to address, and the two groups of products this month are just the ticket for bringing the evolving risk picture under control. In fact, some of the policy management tools that we looked at actually perform some rudimentary risk analysis.
Another issue that follows from the combination of enterprise complexity and criminal sophistication is that our security tools can be configured in many different combinations, and all of those configurations must be managed. Applying security policies consistently and effectively to a diverse, complicated suite of security tools spread across a geographically dispersed enterprise is a huge challenge. Centralized risk and policy management is the key to solving it. For this to work, though, the management tools themselves must offer serious configuration options. This year saw advances in policy development and deployment in both product groups.
But what about smaller enterprises? Can they benefit from these two types of tools? Surprisingly, the answer is "maybe." A lot depends on the nature of the enterprise. Some clues are geographic dispersal, heavy reliance on policy enforcement to meet serious regulatory requirements, and a wide variety of product types in the security suite. One good example is the midsize company that is growing through acquisition.
The hallmark of such companies is that they tend to have a mishmash of products and security controls in place. Bringing these new members of the organization's family in line with established organizational policy requires help from some centralized source. These tools are just what one needs.
In any event, what we have this month is a collection of some of the most helpful tools you'll add to your kit as you grow and manage your enterprise. They are not for the faint of heart. They are far easier to deploy and manage than in years past, and although they can be pricey, for many enterprises they are indispensable.
Our reviewers Mike Stephenson and Mike Lipinski will lead you through the process of making your choices. This month's groups are not large – these are pretty elite market segments – but they are important and may be exactly what one needs to address complexity and compliance issues in the enterprise.