The Threat From Inside



(Page 2 of 4)

Vendors are trying to deliver complete packages of security capabilities. "We think of security policy as a complete suite, from policy creation to monitoring and enforcement," says Roberto Medrano, CEO of PoliVec Inc., a maker of security-policy automation software.

Automated-security-policy software vendors such as BindView, NetIQ, PoliVec, and Symantec also plan to enhance their products this year to help companies better enforce compliance with policies.

PoliVec's software helps companies build security policies and scan systems for settings and configurations that don't meet specifications. "You shouldn't have to worry about IT security policy; it should be transparent, just like system backups," Medrano says.

PoliVec customers are asking for more than the ability to enforce operating-system policies, Medrano says. They want to be able to enforce database-system policies and policies for passwords, such as character length and how often they're changed; control access to applications; and monitor specific security applications such as firewalls--all from a centralized policy-enforcement application. "We're going to expand into policies for applications and network devices to get to a business-level policy, so it's as easy as pushing a button to see how well you're doing," Medrano says.

NetIQ, best known for its network- and systems-management products, plans to integrate technology from its acquisitions of PentaSafe Security Technologies Inc. and Marshal Software Ltd. last year to help companies better manage information-security policies. Chris Pick, a VP for security products at NetIQ, says policy-based systems are the only answer to people's apathy toward security. "People aren't security assets today; they're security liabilities," he says.

NetIQ will take Marshal's software, which enforces E-mail, instant-messaging, and Web-surfing policies, and integrate that with PentaSafe's VigilEnt Policy Center; Marshal's software will also be sold as independent applications. VigilEnt will be able to block E-mail and instant messages containing words that indicate that the user may be discussing something confidential to the company. The software also will enforce policies on Web surfing and prevent users from visiting sports Web sites or trading on eBay during business hours (except maybe on their lunch hour). Combining the products will let NetIQ offer a more complete suite of products that cover policy creation and enforcement along with content blocking, Pick says.

In Symantec's view, automation is the only defense. Systems have become so complex and software vulnerabilities so numerous that it's impossible to manually enforce IT security policy today, chief technology officer Rob Clyde says. Symantec plans to further integrate its Enterprise Security Manager and its Incident Manager into the company's Security Management System so customers can better correlate software vulnerabilities with information about actual attacks.

Security-policy automation also is a priority for BindView, which plans to build on its strength in asset management with its Policy Operations Center, which helps companies implement and enforce security policies. The company's asset-management software gives customers a wide range of information about their IT systems and how they're configured. BindView now wants to help customers use that information to develop appropriate security policies, says Chris Mullins, director of policy and compliance products. BindView's Policy Operations Center helps companies deploy and track policies against best-practice templates, and it offers templates to help the health-care industry comply with HIPAA rules and financial-services companies comply with the Gramm-Leach-Bliley Act.

In coming months, BindView will enhance the applications in its Policy Operations Center to help customers develop a "security score" that measures how closely their systems meet their security-policy objectives. "You'll be able to see that you're at 87% of your policy on a given day," Mullins says. Customers will be able to use information collected by BindView's BV-Control application and compare the actual settings of their systems against their security-policy goals. In the future, tighter integration of security products will turn policy enforcement into part of the normal daily business routine, Mullins predicts.

"The vision we're working toward is to make security disappear," he says. Once a company sets policies for anything from outfitting a new hire to how to handle system patches, they should become a natural part of its workflow. "When you consider everything from managing employees to managing system patches across platforms and integration of each of these efforts, it's a daunting task," Mullins says.

