Information Security: The Next Frontier
The most important step in securing critical infrastructure is evaluating the organization’s risk. Defining this middle ring requires identifying the systems most vulnerable to attack, assessing the potential losses associated with a compromise or failed audit, and weighing the costs of adequately securing each resource. Many organizations conclude they need increased security around Web servers, application servers, mail servers and databases.
CIOs tackle these risks by protecting individual assets. Advanced network products, such as those noted previously, mitigate some risk. More often than not, however, host-based products are necessary complements to adequately protect the most critical elements of the infrastructure.
Leading-edge startups are essential to meeting these security needs. Patch management, available from vendors such as BigFix, Shavlik and PatchLink, is a logical starting point, since these products protect against known attacks. Vulnerability protection from a company such as Determina* picks up where these products leave off by stopping targeted attacks and providing zero-day protection against unknown threats. Identity management solutions allow organizations to better restrict access to resources. Centrify*, for instance, extends Microsoft Active Directory to provide access and policy management to UNIX-based systems.
Desktops require protection as well. Anti-virus solutions from Symantec and McAfee offer a base layer of protection. Increasingly, organizations augment these products with other security solutions. Anti-spyware from Webroot* remediates and protects against the growing threat of malware. Personal firewalls from Check Point and ISS block worms and other network-based attacks. Host intrusion protection products further limit malicious activity. Taken together, these solutions protect individual computers within the organization.
Innovation in each of these areas continues. Many of the exciting new startups coming to market bring increased security to key infrastructure assets. Much of our attention in the venture capital community over the last two years has focused on this important category of companies.
Phase 3: Protecting and Monitoring Data
The third and emerging frontier of security is characterized by solutions that protect and monitor the most sensitive information within the organization: individual applications and data. Driven in part by fear of identity theft, this era of “information security” will deliver a new class of network and host-based products aimed at further protecting this innermost ring. Much like the physical security world, this requires classifying information, establishing organizational policies and enforcing these requirements. The Department of Homeland Security coordinates such efforts for the United States; the CIO must assume the same heroic task within their company.
Information security products span audit, control, encryption and authorization. The diverse technologies share the common trait of focusing on actual data rather than protecting arbitrary networks and systems.