I just returned from the Information Security Decisions conference, where I had many opportunities to compare notes with fellow security practitioners. Two big issues keep coming up in which conflicting interests are leaving us with nearly insoluble problems:

•  The conflict between monitoring and privacy. Two huge trends - data protection with encryption and content inspection in the network - are beginning to collide in many companies. Popular strategies include examining content as it flies across the network, looking for malware or spam, logging for regulatory reasons, watching for intrusions and keeping track of resources. But examining content depends on being able to see it. At the same time, the use of encryption in Web, e-mail, instant messaging and every other application is increasing - and if the traffic is encrypted, you can't see it.

There are a number of products and ideas about how to deal with this conflict, but nothing has bubbled up that makes any sense. Some of the suggestions are outright absurd, such as blocking all encryption. The reality is that there's no easy answer coming out of this collision between technology and politics. I hate describing problems without offering a solution, but all I can advise is to start thinking about building your own compromise between these two trends.

•  The conflict between security resources and requirements. For most companies, every dollar spent on security seems wasted. Security is often like insurance: money you spend now to avoid a much bigger and more catastrophic expense later. Unfortunately, the expensive war between malicious hackers and enterprises is escalating, and the bad guys have the advantage. Doing security well requires increasingly sophisticated staff to understand how to build a deep defense and more expensive tools to implement that defense.

The old standbys - a three-zone firewall and a copy of Snort - aren't good enough. As security guru Gregory Lebovitz says, "Swiss army knives are good for a great many things, but slicing an 80-pound wheel of Parmesan for a 500-person party is not one of them."

Even if you can afford the specialized products - and more are coming out every day - you also need to budget for training, support and most expensive of all, staff time. That's assuming you can find people who can understand, configure, manage and interpret the output from all this new hardware and software. Network access control is a good example. We didn't need it before, but we think we need it now. Lots of money, time and aggravation make sense to those of us down in the trenches, because we have to paddle faster just to stay in place, counter new threats and secure newly business-critical networks. But that doesn't make it any easier to explain to the CFO.