December 14, 2007
As security vendors build out their product portfolios and integrate various components, they paint a picture of a "holistic" approach to risk management. When you press them to define holistic management, every one of their responses boils down to this: Write a set of well-defined policies, and then put processes in place to monitor and enforce those policies. It's good advice, but it doesn't require integrated vendor suites to be successful.
"Risks may encompass multiple products from multiple vendors in a host of different areas," says Craig Shumard, chief information security officer of Cigna, one of the five largest health service providers in the United States. "There may be issues around audit trails, unauthorized access, or fine-grained authorization you need to get for a business process or regulation. That could entail seven or eight products from three or four different vendors."
Shumard himself relies on 20 or 30 security vendors to meet all of Cigna's needs. While acknowledging that Cisco, IBM, and Symantec have been on an "acquisition tear," he thinks there will always be room for niche security players "to innovate and create."
Shumard practices what he preaches. Cigna was a customer of Vontu before it was acquired by Symantec. It also uses software from Aveksa, a startup in the entitlement management market.
And even as vendors integrate products to make them easier to use, deployments can still fail. For instance, though Symantec and Sophos have added network access control capabilities to their endpoint security products, that's not enough.
"How many people have a good global inventory?" asks a security executive at a cosmetics company. "If you don't have 98% of your world known before you plug in NAC, you're going to lock out servers and printers."
This story was updated Dec. 17 to correct the spelling of Aveksa.
Illustration By Mick McGinty