
SC Magazine just completed their annual roundup review of “Risk & Policy Management” solutions. Risk and policy can often seem like completely different animals, but the editors at SC describe it this way, which I happen to agree with heartily:

“It is not uncommon to see these types of applications in the same product. However, policy management, like risk management, is a continuous process. And, no surprise, the two – policy and risk management – are tied together because policy is intended to address risk.”
Click here to read the review (pdf)

They did a great job comparing solutions, and as PM of Tripwire Enterprise I’m both gratified and grateful they chose to give us five-out-of-five stars.

But more than the gold stars, I’m excited that they saw, I think for the first time in any review, that Tripwire Enterprise is really three tools in one seamless product suite:

“We found Tripwire Enterprise to be more like three products in one, rather than just a simple system configuration management tool. It is built on three solid functions that include configuration management, file integrity monitoring and remediation. These three tools work together to provide a robust feature set. The Policy Manager function allows administrators to define policy and assess their configurations against any of more than 250 policies, standards, regulations and guidelines. Then, File Integrity Manager continually checks systems for unauthorized or unneeded changes. Finally, Remediation Manager automates remediation and maintains compliance throughout the enterprise.”

I’ve been managing various parts of Tripwire Enterprise for five years and I could not have said it any better myself. This seamless, easy integration is what we’re building towards, and it’s what we aspire to.

So what’s that got to do with “millibars”?

Meteorologists use millibars as a unit of atmospheric pressure; a change in pressure indicates, for instance, the approach of a storm. A rapid drop in millibars can herald a hurricane.

  • In 2010 and 2011, SC Magazine’s Policy Management review included just 6-8 products
  • In 2012, the editors saw that Policy was inextricably tied to Risk, and the new “Policy & Risk” category was created
  • By 2013, this new merged category included 22 different product names

Is this a perfect storm? Maybe not.

But it’s a trend. Clearly there’s an increasing need for products that help the modern enterprise — large or small, centralized or distributed — not only understand IT risk but also codify policies to manage it, continually assess how well the policy is working, and make risks real and understandable through easy-to-use visualization and reporting tools.

I think “policy and risk management,” and especially the flavor of it that integrates “security configuration management” with “vulnerability management,” is where antivirus and anti-malware were 5 years ago.

These solutions are becoming mainstream, indispensable IT security tools. They’re the foundational controls that help define risk and align IT security policy. (Maybe that’s why they’re #3 and #4 on the SANS “greatest hits” list right behind “Know what the heck you have”.)

Where are you on this journey? Do you already have them both, and have them fully integrated?

Or are you reading SC Magazine and asking yourself, “How in the world am I going to get this done with everything else that’s on my plate?”


P.S. Have you met John Powers, supernatural CISO?


Title image courtesy of ShutterStock