At Metricon about a third of the speakers were on about risk management in one form or another, which is a big change from a few years ago. Here’s another datapoint towards the mainstreaming of risk management in IT security:

McAfee launched a new corporate strategy on Oct. 16 aimed at helping companies integrate IT defenses used to fight external attacks and manage internal compliance, announcing a $20 million buyout of data leak prevention software maker Onigma as part of the expanded effort.

McAfee Acquires Onigma, Launches Risk Management Strategy, By Matt Hines, eweek.com< October 16, 2006

It’s not so much the Onigma purchase alone, as how it fits into McAfee’s larger strategy:

Officials with McAfee, based in Santa Clara, Calif., said customers are increasingly looking for ways to integrate technologies for preventing outside attacks from threats such as malware with tools used to maintain compliance with government and corporate security regulations.

To meet this demand, McAfee introduced a new companywide initiative to help companies simplify and centralize management of applications used for external and internal security purposes.

Seems like they’re mostly still building perimeter forts, though:

Onigma’s software tools promise to monitor corporate data usage for unusual behavior and report potential information theft or misuse to authorities to prevent confidential data from leaving companies without authorization.

But they’ve got to start somewhere.

Hm, I bet HP would have liked this stuff….

-jsq