James Governor's Monkchips

Wake Up To Continuous Compliance for Breakfast with CA


I am sitting here in a presentation at the CA Industry Analyst Symposium and enjoying myself more than is perhaps healthy given the subject matter: compliance.

Toby Weiss, GM and SVP Security Management, is doing a good job with a clear presentation, and a nicely humorous approach to the problems of compliance is paying dividends. Toby just said, and bear in mind this is coming from a guy whose business is security products, “The security industry’s two best salesmen are Sarbanes and Oxley.” heh.

CA is currently building a narrative around a term that makes a lot of sense in thinking about, and trying to solve, compliance problems – that is, “Controls For Continuous Compliance”.

CA defines continuous compliance as “Creation and management of a set of processes and technology that enable effective and efficient compliance on an ongoing basis.”

Call me a sick puppy, but as you probably already know if you read monkchips regularly, continuous compliance is an area I am very interested in. RedMonk after all put forward the Creative-Commons licensed Compliance Oriented Architecture back in 2002, which covers a lot of similar ground.

Continuous compliance also has some very nice echoes with the state of the art in thinking about corporate reporting – with the move to continuous audit. So CA’s product strategy is now mapping more clearly to state of the art compliance thinking.

CA ties its continuous compliance thinking into its four step maturity model, which runs across many of its product areas. So organizations can be active (manual), efficient (automated reporting), responsive (process workflow), or business-driven (continuous compliance).

[thanks CA for permission to use this pic]

I would quarrel slightly with the maturity model, at least in as much as it calls out workflow management in the responsive stage. The problem is that the obsession with workflow has blinded many enterprises to the real job they need to undertake, which is documenting their processes in order to be more effective in working with auditors or reporting to auditors. Automation is a good thing, of course, but Sarbanes-Oxley is really about documenting more than automating business and system controls. It’s a small nit though. CA’s model is notable in that reporting comes in stage one of its maturity model, and reporting needs to be done according to the documentation of business controls.

If you’re looking for an industry speaker to talk to security and compliance you could do a lot worse than contacting Toby- he got a warm round of applause from what can be a tough crowd. I think even the Gartner folks were giving him some props. 🙂

One area where automation is critical in SOX for controls is identity management and authentication. For example, Toby said a large financial services company I can’t name right now had 40 people on a team to identify entitlements, that is, which people at the bank have the right level of information access across the company’s acquisition portfolio. With identity management tooling from CA it should be able to radically free up this team’s time for some real work…

With this kind of automation in mind, CA is also beginning to think about the implications of driving common identities across all CA applications, which would make a great deal of sense.

I am certainly looking forward to discussing the Compliance Oriented Architecture with Toby, and also perhaps Bob Davis, general manager of CA’s storage management business.

Why is it good to hear CA is clarifying its compliance story – not only in identity and security, but also in its information management/storage business? One reason is CA’s storage business has been underperforming according to CEO John Swainson, which means some new sales and marketing approaches are called for.

In the discussion of what CA is calling Federated RM – Compliance Architecture Foundation, CA points out it has made a couple of recent relevant acquisitions: iLumin and XOsoft. The company is moving towards a federated architecture for managing access to any content repository in the enterprise. It has email archiving tagged through iLumin, so it will be interesting to see how XOsoft fills in.

A quick pointer, Toby. Michael Dortch from Robert Frances Group asked about a compliance workstation, and the idea appealed to you. I would counsel you to check out the Quest Compliance Portal. It’s a great idea: a free portal-based front end for compliance reporting, across any Quest products that provide information relevant to compliance. Quest offers the pane of glass for free, and then sells services that underpin it… a compliance oriented architecture, you could say.

Anyhow, I could gab on about compliance all morning, when really I should be listening to the closing executive Q&A. Oops – it’s time to break for lunch.

I should clarify – yesterday I talked about the problems of blanket NDAs. Debra Cattani, who runs CA’s AR business, and I have come to an understanding. I hate asking for permission to publish – but I need to be mindful that not everyone is on the radically open bandwagon.


  1. James,

    Great feedback from CA. I’m happy to see that organizations of this stature are starting to understand and promote the importance of internal control improvement.

    It seems that I have been involved in this area more than I would like! In this post [ http://improving-nao.blogspot.com/2006/07/bpm-modeling-as-easy-as-spreadsheet_12.html ] I introduced a similar CMM model for internal controls that I had tried to promote. It’s a shame I don’t have the clout of CA!

    [… in a previous life I tried to convince finance groups that there was value in automating spreadsheet processes. How? Imagine there is something like the software CMM model for internal controls and processes…]


    […On explaining that every organization starts on the left and the aim is to take the most complex, highest volume or most risky processes up to the right using workflow and integration tools there were nodding heads. But the audience had little time to concentrate on the problem at any level above managing their compliance documents in a repository (the 2nd level). The best they could do was migrate a bunch of spreadsheets that represented the documentation of the whole organization’s SOX internal controls and processes to a document management system with a compliance skin on it…]

    Again, great feedback.


  2. That is right on the money. If organisations are not automating spreadsheet aggregation, it’s almost impossible to be compliant with ANYTHING if your approach is management by Excel.

  3. James,
    I like the CA story. CA has had a tough time with compliance issues themselves, and have come a long way to fix it. They have the scars, and really understand the value of a compliant infrastructure. This gives them the cred to talk about it.

    Key though, the compliance architecture is a rock solid transaction platform, good old boring ERP!! I explore this a bit in my post this morning, but I think this is a topic we ought to explore further.

    Your compliance architecture paper is prescient, given when you wrote it and it remains the best analyst paper I’ve read on compliance. It is now ready for an update though. The solutions to support continuous compliance have moved on significantly in the last couple of years. The CA pitch is good evidence of this, but you need to check out

    My own view is continuous risk management will become much more important than compliance. Understanding, measuring and reacting to risk is where I see the next big play. I don’t mean risk in an audit sense, but risk in the sense of a portfolio risk. Risk sounds like a conservative word, one that inhibits innovation, but I don’t believe it is. It allows you to understand better what you are letting yourself and your investors in for.
