Symantec is launching a new assault on the challenges surrounding enterprise IT risk management.
The company is planning a new version of its Control Compliance Suite with a number of new features designed to help enterprises automate the compliance process and make IT risk assessment more scalable for Symantec customers.
“We’re also introducing new capabilities, for instance, risk assessment: the ability to quickly identify and remediate assets that are at highest risk,” said Jitesh Chanchani, director of product management for Symantec’s Compliance and Security Management business, in an interview with eWEEK. “What this does is, it lets you focus on the most critical assets based on the exposures that exist on the assets. It kind of gives you a way to prioritize how you want to fix the problem.”
The company formally announced the product, which will be available in the fall, on June 11 at its Vision conference in Las Vegas. At the same time, Symantec released SIM (Security Information Manager) 4.6, which will also be a module in Compliance Control 9.0. SIM 4.6 enables organizations to collect, store and analyze log data, as well as monitor, prioritize and respond to security incidents. The idea is to help security teams monitor risk to their IT assets in real time and meet compliance requirements, company officials said.
What Symantec wasn’t able to do previously with Compliance Control is link corporate assets back to policies and rate them, said Suzanne Dickson, senior director of product marketing at Symantec.
“We’re adding more risk capabilities in the products, so for example you can do a risk assessment survey, and what that helps you to do is look at what type of controls you need … to manage risk, and from a governance perspective what that helps the customers do now is better align the business,” she said at the Vision conference.
Toss in Control Compliance
Symantec also combined Control Compliance Suite and its Enterprise Security Manager product under one architecture, allowing customers to perform scanning with or without an agent.
“The benefit is, for example, if you are an existing Enterprise Security Manager [customer] you don’t have to rip out what you have,” Dickson said. “All the agents can still collect the information, and it’s just reporting to a common reporting structure and going into a central repository where we keep all that information.”
Even with all the advancements in IT risk technology, Gartner analyst Paul Proctor said in an interview with eWEEK prior to the conference that organizations should not forget that technology alone cannot solve all problems.
“Vendors commonly identify automation and management tools as risk management or GRC solutions, or describe them as ‘compliant’ with various regulations,” Proctor said. “No software or IT solution alone will manage risk or make an enterprise compliant with applicable regulations. A common framework for risk definition assessment and mapping is the starting point for identifying risks and risk events and for establishing the responsibilities of risk managers.”
Chanchani agreed, explaining that many organizations lack consistency in how they view risk and compliance, leading to duplication of efforts and increased costs.
“This is not about one solution that can fix every problem, because a lot of this resides in process as it does in a tool for automation,” he said. “But what we have done in our product is taken a look, end-to-end, at the process and automated key parts of that process.”