“What’s our security status?” It’s a question that business executives love to ask — and IT people hate to answer. If you’ve been around IT security for more than a week, then you know there’s no definitive, empirical way to answer that question. Recently, however, some large enterprises have been getting a little closer to providing some metrics for security posture, using an emerging class of products that is coming into its own. The technology category — championed by vendors with names such as AlgoSec, RedSeal, Skybox, and Tufin — has been variously referred to as “security risk management,” “security life cycle management,” “firewall configuration management,” and “security posture management” (SPOM), among other names.