It's a question that business executives love to ask -- and IT people hate to answer. "What's our security status?"

If you've been around IT security for more than a week, then you know there's no definitive, empirical way to answer that question. Recently, however, some large enterprises have been getting a little closer to providing some metrics for security posture, using an emerging class of products that is coming into its own.

The technology category -- championed by vendors with names such as AlgoSec, RedSeal, Skybox, and Tufin -- has been variously referred to as "security risk management," "security life cycle management," "firewall configuration management," and "security posture management" (SPOM), among other names. At its heart, it refers to tools that track various changes made to an enterprise's network defenses -- principally firewall and router settings, as well as other security system data -- and evaluates the potential impact of proposed changes.

SPOM (let's use that term for now, since it's the shortest and goodness knows we *need* another acronym) is sometimes referred to as the "preventative" side of security monitoring because it focuses on how enterprises are enforcing their security policies --and what might happen if they change those policies. This separates SPOM from security information and event management (SIEM), which reports on security-related network activity after it occurs.

"SIEM is a useful tool, but although it's been around for years, enterprises are finding that their risk is continuing to rise," says Michelle Cobb, vice president of marketing at Skybox. "It's collecting data after the fact -- after the horse is out of the barn. What we try to do is reduce the window of risk, reducing the possibility that a bad 'event' will occur in the first place."

Unlike SIEM, SPOM enables an enterprise to set an acceptable level of risk and then tune its security systems and configurations to meet that requirement. Steve Dauber, vice president of marketing at RedSeal Systems, compared the current evolution of security management systems to the evolution of network management systems a decade ago.

"First we had element management systems that collected data from individual devices," he recalled. "Then we had enterprise network management systems that collected all the data from the element management systems into a single console, which is basically what SIEM does. After that, we saw the development of correlation engines, change management, and service-level management, which allowed you to intelligently set specific service levels for critical applications and business services. SPOM is sort of the service-level management of security -- but you're using risk as the variable, rather than network performance or uptime."

At the core of most SPOM systems is the task of firewall configuration, which is how most enterprises "tune" their level of risk. If a certain application or type of data presents a high risk, then the firewalls are configured to restrict its transmission. If another application presents little risk, then the firewalls will be configured to allow data to flow more freely.

Coordinating these policies and changes across a whole network of firewalls is no simple task, which is why Tufin's products are designed to monitor changes in real time, according to Ruvi Kitov, CEO of Tufin. "We want to be able to tell you right away if a change that was made might affect security or business continuity," he says. "More importantly, we want to tell the approver of a potential change what the effect of that change might be, so that problems can be avoided in the first place."

Firewall configuration might be a key function in the product category, but a true SPOM product goes beyond the firewall and helps monitor and tune change and configuration data in a variety of security systems -- and even routers -- in the enterprise, Dauber says. In fact, there are accounts where Tufin and RedSeal products work side by side -- Tufin is used to do firewall configuration, and RedSeal provides a broader set of "posture management" capabilities, he says.

In other cases, SPOM products might work alongside conventional vulnerability management tools, such as those offered by Qualys or nCircle, to provide a more complete picture of the potential flaws in the enterprise's security posture -- the potential risks that the enterprise faces, Dauber says. Using this data helps the enterprise evaluate its weaknesses and prioritize the vulnerabilities it wants to fix first, he states.

While the SPOM concept certainly sounds like an attractive one for enterprises that must manage policies and configurations across many firewalls and other security devices, the market for the technology remains nascent. Dauber estimates that Skybox and RedSeal, the two market leaders in the U.S., have penetrated less than a quarter of the Fortune 500 combined. Experts agree that the technology currently faces two problems: a perception of high cost and confusion over who will use it.

"I think the need for these products is real, but I suspect that many organizations are put off by the associated price tag," says Andrew Hay, senior analyst for the enterprise security practice at the 451 Group consultancy.

SPOM technology is generally targeted at large enterprises, where collecting and analyzing configuration and management data from a variety of security devices can be daunting. Implementation of the technology can run well into the hundreds of thousands of dollars.

But not all implementations are that expensive, Skybox's Cobb says. "A firewall configuration installation starts at prices as low as $5,000 to $25,000," she says. "Obviously, if you have hundreds of firewalls, that price is going to go up. But when you compare it to the cost of a breach, which may be $200,000 or more on average, it's a pretty good investment."

Perhaps a bigger problem for SPOM technology is the question of who will use it. Tufin's technology, for example, is tied tightly with IT operations processes, and its primary users are IT and security technicians. RedSeal and Skybox tools are also heavily used by operations staff, but they can also be used to create "dashboards" that allow top executives to monitor the enterprise's security posture and evaluate potential risks.

Dauber compared the current SPOM situation to the one that occurred when sales force automation technology came out in the 1990s. "The salespeople wanted to use ACT, which worked better for them out in the field, but management wanted to use Siebel, which gave them better visibility into what was happening in the sales force," he recalled. In the end, the decision on which technology to use was carried by management.

"At the end of the day, executives aren't worried about firewall configuration -- they want a measure of security effectiveness. They want to know why they spent millions of dollars on security," Dauber says. "In all of the other IT disciplines, you know whether your technology is working or not. If your network isn't working, systems go down or you get phone calls from your users. With security currently, a lot of organizations have no idea whether what they're doing is working or not. With SPOM, we're at least beginning to shed some light on that."

Hay agrees that the key play for SPOM is not among line-level technicians. "The vendors really should be leading with the compliance pitch," he says. "Being able to provide a proper audit trail to risk officers, compliance officers, and external assessors will ultimately help the company reach some of its compliance-related goals." Indeed, the notion of "continuous security monitoring" is now included in compliance guidelines set by the federal government (FISMA/CyberScope) and the utility industry (NERC/Critical Infrastructure Protection), two industries where SPOM vendors say they are making significant headway.

Another question that arises in the SPOM market is how long it will continue to be led by relatively small vendors. Hay notes that Tufin, Skybox, and AlgoSec all have top management who formerly worked at Check Point Software Technologies, a pioneer and leader of the firewall market.

"Check Point appears to have been an incubator for firewall and configuration management vendors in Israel," Hay notes. "We've often found ourselves wondering why Check Point hasn't built their own [SPOM] product, or acquired one of the existing players, to handle this obvious shortcoming. We suspect that the market will likely converge, with existing firewall players -- like Check Point, Cisco, Juniper, Fortinet, or Palo Alto Networks -- looking to wrangle some of that management money in-house."

Other vendors in the security space might also begin to take a closer look at the SPOM space as the technology becomes more widely accepted, Hay says. "Though not in direct competition, adjacent technology vendors in change/configuration management and SIEM may soon begin to look at these vendors with acquisition in their eyes," he predicts.

But Dauber says the choice of a SPOM vendor needn't be dependent on its parentage. "There's been convergence in a lot of [management tool] markets in the past, but in the end the question is really which tool will work," he says. "Look at the help desk space -- most enterprises there are still using Remedy because it works, no matter what other tools or vendors you have in place. I think this is a similar situation."