Risk Assessment Does Not Equal Risk Management
Symantec announced the acquisition of 4FrontSecurity today and will absorb their product/service offerings into Symantec’s Security and Compliance Management group. The press release sadly describes the deal within the context of a very myopic view of managing risk today:
[the acquisition will]…bring new tools to capture and track procedural controls and measure them against a variety of industry best practices and standards
Put another way, "we’ll dress up compliance management by calling it Risk Management." And just to be clear, risk assessment is not the same as risk management.
4FrontSecurity is a small company that is focused on an emerging market niche that allows companies to automate the collection, processing, articulation and compliance measurements of risk assessment data. Again, that’s not the same thing as managing risk. Managing risk includes asset mapping, business impact, remediation and modeling, amongst other things. Until we are also able to factor in the human element, risk management tools will never be truly complete.
I posted last week about Skybox in particular. RedSeal Systems also has a similar product. Each of these products provides for the articulation of a company’s risk posture from a slightly different perspective. I have not had any hands-on experience with RedSeal, but I have with Skybox. I had zero visibility into 4FrontSecurity’s products, so I have no empirical way of comparing the three products.
I am frustrated to see that the trend continues as these larger security Risk Management companies (a la Symantec, McAfee, etc.) start to encapsulate this compliance-driven measurement approach within their larger "risk management" messaging while continuing to expand upon their toolset portfolios one acquisition at a time.
Recently, PatchLink acquired STAT from Harris to "…allow PatchLink to improve its vulnerability management products to help enterprises address risk management and policy-based compliance." Vulnerability and patch management does not equal risk management.
I’m glad to see companies using the term Risk Management; I just wish it were used in the proper context and weren’t done to perfume a pig.
/Hoff
A-freakin-men.