Symantec moves beyond security tools

Symantec has outlined an "information integrity" strategy that users and analysts said addresses a growing need for a more holistic view of the operational and security risks facing companies.

But they added that whether the new approach succeeds will depend on how well Symantec, which is primarily known for its anti-virus tools and firewalls, can execute on its wider vision.

As part of the initiative, Symantec will deliver products and services designed to give companies a full assessment of the risks and vulnerabilities they face and then enable them to act upon that information, said Enrique Salem, the company's senior vice-president of security.

For instance, a latest version of Symantec's Enterprise Security Manager software that was released this week can help companies identify compliance issues related to regulations such as the Sarbanes-Oxley, Salem said.

Similarly, other products will let companies capture snapshots of the operational state of their servers, PCs, applications and operating systems, as well as information about their configuration settings and patch levels. Some of those capabilities are available now, but more will be added in the future.

"It's a model and a set of policies that chief information officers can use to manage their environment," Salem said. "It stresses the concept of understanding your environment, acting on the information and controlling it."

Dave Jordan, chief information security officer for the Arlington County government in Virginia, said he thinks the idea makes sense for security managers.

At one level, Symantec's new initiative is aimed at moving the company into new markets now that its core security tools business is saturated, Jordan said. But he added that the company's strategy could meet the need for a management dashboard that gives an overall view of the operational and security landscapes inside companies.

Symantec's roadmap "provides a framework to help guide us", said Shaun Catlin, a senior systems analyst at law firm Ford & Harrison. "It's something that we knew needed to be done."

The alignment of information from the operational and security sides should give companies more control over possible risks, said Cory Ferengul, an analyst at Meta Group.

"What Symantec is saying is, 'You can't secure what you can't control, and you can't control what you don't understand.' "

Other suppliers, such as IBM and Computer Associates International, are making similar pitches, according to Ferengul. But, he added, "there's a lot of maturing that has to happen" before all of the required information can be truly integrated.

Jaikumar Vijayan writes for Computerworld