Chances are good that you’ve had at least a half dozen “security policy management” software packages pitched at you during the past few months. And every one of them does something completely different.

“Folks have picked up on the word policy being important to senior executives, so everything becomes a ‘policy management tool’ even if all they really do is patch systems. It’s created a lot of confusion” among would-be software buyers, says Pete Lindstrom, research director for Spire Security.

So how do CSOs make sense of the chaos and understand which of the countless policy tools might really address their particular needs? The simplest way to parse policy tools is to think in terms of the Little P and the Big P, according to IDC Research Director Charles Kolodgy (CSO’s publisher is a sister company to IDC). Here’s what he means:

The Little P refers to more technical tools that “deal with the management of a stated machine,” making sure firewalls have the correct settings, for example. This category includes tools such as those from Securify and equipment vendors such as Check Point.

The Big P means higher-level policy tools that are used to examine the organization’s overall security posture in terms of regulatory compliance (HIPAA, Gramm-Leach-Bliley and Sarbanes-Oxley being famous domestic examples), or international guidelines and standards (such as ISO 17799 or its relative from the British Standards Institute, BS 7799). Such tools can also capture internal policy decisions such as “No Instant Messenger” and push that information out to the corporate firewalls. Kolodgy says no current tool completely automates that process, but that products from such vendors as BindView, NetIQ, PoliVec and Symantec are reasonably well-positioned to push to this level of functionality.
Big P tools need to address not only technical vulnerabilities but also those attributable to human error, such as easily guessed passwords. Thus far, Kolodgy says, such capabilities remain beyond the software available from hardware vendors.

Other products further up the totem pole could also be considered policy management tools, according to Lindstrom, who mentions software from Archer Technologies and Cogentric. This group of products provides ultra-high-level views of the enterprise and its exposure to risk. They also go by the heading “risk management consoles” (for more on these programs, see Toolbox, December 2002, at www.csoonline.com/printlinks), but after all, what’s in a name?