Our last category this year is the one that ties everything together: security infrastructure. Here we are talking about those things that support all of the other bits and pieces of security architecture. Just like network infrastructure, security infrastructure is, essentially, the platform on which everything else rests.

There are lots of pieces to security infrastructure, and we have selected three important ones: content management, policy management and an emerging subcategory, IT governance, risk and compliance management (IT-GRC). This is a rapidly changing landscape.

Content management is an evolving subcategory in that it has become a lot more complicated over the past year. It used to be that we worried about a bit of malware sticking to our web browsing. Now the whole thing is much more complicated, and there are many more ways to use typical internet practices to infect the client-side computer and cause damage or steal sensitive data.

Policy management is, arguably, the basis for the entire security infrastructure. Policy management might be characterized a bit more clearly as management by policy. The development of clear network and security policies is the first step in ensuring that the enterprise behaves as intended. There is a lot more depth implied here than might be observed at first blush.

Finally, the new subcategory of IT-GRC is so new as to be ill-defined at present. Our innovator for this year has been in the game since before it was a game and has contributed significantly to defining this important genre. The emergence of new compliance regulations will certainly dictate a stronger compliance environment, and organizations no longer seem willing to spend huge amounts of money on manual compliance efforts.

Products entering this arena need to be well automated and need to address an evolving compliance environment. Organizations are beginning to bring the subject of IT risk into the boardroom, so there needs to be a way to measure and respond to changes in risk posture, including IT risk.

Given that these functions form the bedrock on which a secure enterprise is built, perhaps this final category is a good example of “the last shall be first,” at least when one considers a coherent approach to information assurance in the enterprise.