As security professionals continue to struggle with the number of threats and contradictory goals (protect information, but assist business), they increasingly turn to structured security programs (ISO 27001, COBIT, Pragmatic CSO) to assist in getting things done and communicating progress. Security management tools (predominantly SIEM) continue to leave customers wanting for value and assistance in automating programmatic operations.
I'll be the first to admit that this first Incite is pretty self-serving. Obviously, having just published a "poor man's security program," the Pragmatic CSO, I'd certainly like this to be a self-fulfilling prophecy. But let's examine why a security program is in great demand in the markets out there.
First, there is too much to do, and CSOs and other security professionals are having a hard time figuring out what to do on any given day. Second, even if they know what to do, helping the rest of the organization (especially the business folks) understand the value that security brings has been problematic. Finally, the auditors show up every so often, and it's usually a miserable experience for everyone.
Basically, many CSOs are looking for a better way. I believe taking a programmatic approach to security can provide the structure and perspective needed to be successful in today's environment.
To be clear, I don't much care if it's 27001 or COBIT or any other kind of program. But doing security in a hodge-podge way, basically playing whack-a-mole to eliminate the issue du jour, just isn't working. So it's time to try something new.
What about that security management stuff? That's the second part of the Incite and remains pretty controversial. Again, to be very clear, I don't have an issue with security management. It's necessary and critical to being a successful and Pragmatic CSO. BUT security management has to add value. If it's so expensive and ponderous that it actually detracts value, then there is something wrong. That's where we are today. The biggest enterprises see value, but that's about it.
I continue to be haunted by my past as a networking analyst in the early '90s. I had a front row seat as network management evolved and eventually disappeared. It's pretty operational now and dominated by the vendors that provide the networking equipment. The biggest networks in the world use stand-alone management offerings, but most folks use whatever their networking provider offers.
We've seen this movie, and security will be largely the same. First, there is the bundling thing. If you are doing a big endpoint renewal, you can bet you'll get that security management thing thrown in. Just ask. Same goes for UTM and every other major category. And reading Syslog and getting feeds from other devices just isn't that novel anymore.
That's why many Cisco customers default to MARS, even if it doesn't work as well as other offerings (just ask Bejtlich on that one). It's easy to buy, and that overcomes a lot of technology and implementation issues. You know what they say: you don't get fired for buying [name your favorite big ass vendor here].
We will see more activity and more clarity about what log management does relative to SIEM this year. And we'll also see tighter partnerships between network behavior analysis (NBA) vendors and SIEM. Why? You get to look ahead of you (with NBA) and behind you (with SEM), which is actually pretty compelling.
But overall in 2007, expect security management to continue to disappoint. That's all the more reason for you to get with the PROGRAM.