I am sitting here in a presentation at the CA Industry Analyst Symposium and enjoying myself more than is perhaps healthy given the subject matter: compliance.
Toby Weiss, GM and SVP of Security Management, is doing a good job with a clear presentation, but his nicely humorous approach to the problems of compliance is also paying dividends. Toby just said, and bear in mind this is coming from a guy whose business is security products, “The security industry’s two best salesmen are Sarbanes and Oxley.” Heh.
CA is currently building a narrative around a term that makes a lot of sense in thinking about, and trying to solve, compliance problems – that is, “Controls For Continuous Compliance”.
CA defines continuous compliance as “Creation and management of a set of processes and technology that enable effective and efficient compliance on an ongoing basis.”
Call me a sick puppy, but as you probably already know if you read monkchips regularly, continuous compliance is an area I am very interested in. RedMonk, after all, put forward the Creative Commons-licensed Compliance Oriented Architecture back in 2002, which covers a lot of similar ground.
Continuous compliance also has some very nice echoes with the state of the art in thinking about corporate reporting – with the move to continuous audit. So CA’s product strategy is now mapping more clearly to state of the art compliance thinking.
CA ties its continuous compliance thinking into its four step maturity model, which runs across many of its product areas. So organizations can be active (manual), efficient (automated reporting), responsive (process workflow), or business-driven (continuous compliance).
[thanks CA for permission to use this pic]
I would quarrel slightly with the maturity model, at least inasmuch as it calls out workflow management in the responsive stage. The problem is that the obsession with workflow has blinded many enterprises to the real job they need to undertake, which is documenting their processes in order to be more effective in working with auditors or reporting to auditors. Automation is a good thing, of course, but Sarbanes-Oxley is really about documenting business and system controls more than automating them. It’s a small nit, though. CA’s model is notable in that reporting comes in stage one of its maturity model. Reporting needs to be done according to the documentation of business controls.
If you’re looking for an industry speaker to talk about security and compliance, you could do a lot worse than contacting Toby; he got a warm round of applause from what can be a tough crowd. I think even the Gartner folks were giving him some props. 🙂
One area where automation is critical for SOX controls is identity management and authentication. For example, Toby said a large financial services company I can’t name right now had 40 people on a team to identify entitlements, that is, which people at the bank have the right level of information access across the company’s acquisition portfolio. With identity management tooling from CA, the bank should be able to radically free up this team’s time for some real work…
With this kind of automation in mind, CA is also beginning to think about the implications of driving common identities across all CA applications, which would make a great deal of sense.
I am certainly looking forward to discussing the Compliance Oriented Architecture with Toby, and also perhaps Bob Davis, general manager of CA’s storage management business.
Why is it good to hear CA is clarifying its compliance story – not only in identity and security, but also in its information management/storage business? One reason is that CA’s storage business has been underperforming, according to CEO John Swainson, which means some new sales and marketing approaches are called for.
In the discussion of what CA is calling Federated RM – Compliance Architecture Foundation, CA points out it has made a couple of recent relevant acquisitions – iLumin and XOsoft. The company is moving towards a federated architecture for managing access to any content repository in the enterprise. It has email archiving covered through iLumin, so it will be interesting to see how XOsoft fills in.
A quick pointer, Toby. Michael Dortch from Robert Frances Group asked about a compliance workstation, and the idea appealed to you. I would counsel you to check out the Quest Compliance Portal. It’s a great idea: a free portal-based front end for compliance reporting, across any Quest products that provide information relevant to compliance. Quest offers the pane of glass for free, and then sells the services that underpin it… a compliance oriented architecture, you could say.
Anyhow, I could gab on about compliance all morning, when really I should be listening to the closing executive Q&A. Oops – it’s time to break for lunch.
I should clarify – yesterday I talked about the problems of blanket NDAs. Debra Cattani, who runs CA’s AR business, and I have come to an understanding. I hate asking for permission to publish, but I need to be mindful that not everyone is on the radically open bandwagon.