Last week, I examined instant messaging security from 40,000 feet, discussing the segment's potential from the broadest possible view.

This time, I'll take a look at how the market is developing for one value-added reseller. Network System Technologies (NST), based in Naperville, Ill., specializes in security and has started to see interest in shoring up IM.

Brian Philips, NST's director of technical operations and manger of the company's Security Practice Group, reports NST has two large engagements involving IM security. In both cases, customers are addressing IM security as part of a regulatory compliance project. The desire to get on the good side of Sarbanes-Oxley and Graham-Leach-Bliley—not necessarily the security weaknesses of IM—is what's motivating buyers.

Sarbanes-Oxley, for example, puts pressure on organizations to strengthen internal financial controls. Companies are scrambling to set security and retention policies for e-mail, which may contain accounting information. In that push, IM tends to get lumped under e-mail, Philips said.

And that's OK with Philips.

"If compliance is what is dragging them to the table, that's fine—as long as people are addressing it," he said.

In general, however, companies maintain a "cavalier" attitude when it comes to IM security, Philips said. It's not yet a top corporate priority. Yet IM products lack encryption, provide a means for tunneling into networks, and open a door through which trade secrets can leave the building.

But it's not just nonchalance that's delaying corporate reaction; money is also a factor. Philips said organizations that do find IM to be a security weakness may not have funds in place to fix the problem. That's one reason IM security work gets pulled under the compliance umbrella: Compliance has a budget.

Those companies attacking the IM problem will find few software tools to help them do the job, Philips said. "There are really not too many tools aimed directly at [IM security]," he said. And those that do exist tend to represent "a bleed over from something else," he added.

Some tools cover part of the IM security gap. Vericept, for example, records and filters IM traffic. But such solutions don't necessarily look for IM vulnerabilities, Philips said.

Vendors, however, are beginning to rollout IM security products. Zone Labs a few months ago began shipping an IM security module for its end-point security solution. And NFR Security plans to launch an IM solution pack for its yet-to-ship intrusion prevention appliance.

Philips said NFR has been responsive to the company's interest in greater IM security functionality. NST is a gold-level partner in NFR's channel program.

But fledgling tools, lack of corporate awareness and tight budgets aren't the only issues in IM security. As the field matures, companies will have a balancing act to perform. The trick: obtain more control over IM without subjecting employees to "Big Brother," Philips said.