Risk formula

17.04.2006

As an example, he points to the health care company's recent implementation of Cupertino, Calif.-based ArcSight Inc.'s Enterprise Security Manager application. The ESM package compiles and simplifies reports from firewalls, intrusion-detection systems, and antispyware and antispam software, and thus is "the next logical step," Maletic says.

And even though ArcSight has indeed helped him spend his security budget where it's needed most, especially where staffing is concerned, Maletic is skeptical about a grand concept that claims to quantify all security risks.

He's not the only skeptic. Risk-based security, while an appealing idea, appears to demand a level of governance and cooperation with business units that's rare in the day-to-day roller derby of operational IT.

Ulfelder is a freelance writer in Southboro, Mass. Contact him at steve@ulfelder.com.
