Protecting the secrets of a uranium enrichment plant should be enough to keep any CIO very busy. But when Sarbanes Oxley mandated even tougher controls on databases containing key financial information, David Vordick, CIO of USEC, a $1.9 billion public company that operates a gaseous diffusion plant in Paducah, Kentucky, knew he was going to get even busier.

His security defenses are complex and multi-layered; and while simplicity is generally a good thing, it's not Vordick's priority. "Our philosophy is defense in depth. That means looking at multiple (security) products from multiple vendors. We can not be dependent on any one layer," he says.

Not every CIO has the same worries as Vordick, of course. But as regulations like SOX and PCI standards place increasing demands on IT's security capabilities, more and more companies are choosing to simplify network defense by using a security appliance that combines hardware, software, and networking technologies. U.S. companies spent $3.85 billion on network security appliances in 2006, an expenditure expected to nearly double by 2011, according to market researcher IDC.

As USEC designed its security architecture, Vordick and his team had a wealth of options. They could have chosen to install one or more UTM (Compare Unified Threat Management products) appliances, devices that handle multiple threats from a single chassis, or opted for a series of single function, best of breed appliances.

USEC choose a best-of-breed database security appliance by Guardium, plus point products from other vendors, largely because the defense in depth strategy meant that the convenience of deploying and managing a single device was outweighed by the fear of creating a single point of failure, Vordick says. Moreover, USEC sought a security appliance that would serve as a check on IT employees with privileged database access who might seek to view or change data without proper authorization, an atypical function for a UTM.

The choices regarding network security appliances are complex, but your decision won't just come down to a technology issue, says John South, senior security consultant for Plexent, a Dallas-based IT service management company. "The real question is how do we get our business done and still protect the corporation?" he asks.