DSm: For the guys who do it well, technology is a solution to the security policy not a driver of it. The guys who do it the other way around are like boxers punching away in the dark and will never get there. The security team needs to be involved with all the different infrastructure and application teams to make sure security is part of the design requirement from day one.

Keith Glennan, Network Box (KG): We see a surprising amount of network consulting through the gateway that isn't technically security related. If you look back a few years ago, customers needed to have a firewall or they needed to have antivirus but those technologies are now well understood. What continues to change is requirements in the network driven by applications. We talk to customers about whether they would like a better idea of what users are doing on the network. Newer social networking applications are not so black and white. It depends on the customer and a lot of them won't have a policy on it.

MJ: We need to start working out ways of making information available in layman's terms. When we talk about security you can occasionally hear the propellers spin and at that point you've lost your audience.

WN: I don't think that's a small company problem. If you go into a large, listed company it's probably a given that they've got a Net usage policy and IT security policy but it always amazes me how users fail to review its relevance and keep it up to date. They've got a security policy but it's sitting in somebody's drawer and they'll think about updating it when they are asked for specific information.

AS: We've seen a couple of customers try to retrofit security into Web-based applications. They're smart enough to know that these applications are business critical, and if they go down it could cost a serious amount of money, but haven't had the planning to build security in from the start. In one case we are writing an application development security policy and for another organisation we are trying to put technology in place to protect the website from attack. The concept of updating the security policy, or even having a look at it to see how that affects what they're trying to do from a business perspective, hasn't even dawned on them.

Scott Robertson, WatchGuard (SR): Organisations behind the hacking community are now extremely well funded and are using technology for more than trying to hack into a network. The threats are the same whether you're a large enterprise or an SMB and smaller organisations need solutions that give them a bit of control.

BC: Does separating the tasks of creating security policy and implementing it lead to disconnect?

MJ: Yes because once something is given to an engineer there's an interpretation and that's what compromises policy. There's room for resellers or professional services organisations to review what policy has defined and what's actually been implemented. If it's done internally then there's politics.

BS: I think it depends on the organisation. In some ways it's easier for an SMB because they're small enough to drive it. In larger organisations you have somebody who's written a policy, somebody else is concerned about compliance and somebody else that's focused on making the routing work. Unless you can draw it all together there can be mis-match and gaps.

JF: For example, sometimes the decision to acquire VoIP is made by the telecom area of a business, which isn't typically under the purview of data security and might not even be part of the same organisation. There are applications that come online outside of the traditional food chain that can open very large holes if they're not thought through the right way.