The government and industry regulations put in place early this decade to protect data and prevent corporate scandals left businesses scrambling to comply.
"They knew they had to do something, but they didn't know what to do," said Tom Eid, a research vice president for Gartner Research.
That has changed in recent years, as most businesses have at least put policies in place to address the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and other regulations. Now they're looking for more efficient ways to enforce those policies, often turning to their IT departments. And most see security automation as the best solution, experts and vendors said.
"Compliance management is driving the overall security industry right now," said Joe Anthony, program director for identity management at IBM's Tivoli Software.
Security automation provides sales and service opportunities for channel partners, said Khalid Kark, a senior analyst for Forrester Research. Some vendors focus on helping clients with the process of regulatory compliance, and others focus on the technology behind compliance, but "there isn't anybody who can effectively do both across the board," Kark said.
Eid agreed, saying, "There's not really a technology you can pick up and say, 'Now I'm doing IT (governance, risk management and compliance).'"
That's where the channel can step in and bring the two sides together to offer complete security automation. But Kark warns that those opportunities will dwindle as vendors begin to offer products and services that focus on both the process and the technology of compliance.
More than half of IBM's worldwide compliance sales go through channel partners, who can help clients determine the best policies to set and the appropriate entitlements to grant employees, Anthony said. IBM recommends that customers enlist the help of either IBM or a channel partner to deploy at least their first security automation system, because "a lot of (our partners) have very good implementation experience," Anthony said.
The company's security automation products include Tivoli Identity Manager, which allows the human resources and IT departments to set employees' access based on their job descriptions, and Tivoli Security Compliance Manager, which keeps track of who is accessing what information to see if any policy violations have taken place.
The target customers for security automation are businesses that "are doing manual assessments or using their internal auditing systems" for compliance reasons, said Chris Pick, vice president of products and marketing for security and compliance vendor NetIQ. He and Anthony both highlighted the efficiencies that security automation can bring.
"The cost is going up if you're doing it manually, and the time frame is way too long," Anthony said.
Another benefit of security automation is the extra layer of protection it provides against abuses by users with privileged access. Products like Tivoli Security Compliance Manager and NetIQ's Security Manager 6.0 can audit the actions of employees who are supposed to be auditing everyone else.
"Policing those who have power is very much a critical factor," Pick said.
"The benefit of this is transparency," Eid said. "In the past, (the financial performance of an organization) could easily be manipulated. It is much harder now."
Let us know what you think about this story; email Colin Steele, features writer.