CAs New Reorg Keys on Security

Computer Associates is refocusing again, this time toward security. For a company with roots in mainframe and systems management software, it's a risky gambit.

ORLANDO, Fla. -- Computer Associates International Inc. is refocusing again, this time toward security. For a company with roots in mainframe and systems management software, its a risky gambit that industry insiders say will be hard to pull off.

The security strategy is the latest shift for the company, which makes 1,200 products but is well-known for reshuffling its product lines and management structure.

This time, CA is arranging products into five brand units, each with its own development, marketing and quality assurance teams, the company announced last week.

The company left little doubt about its intentions during its CA World show here last week, with its top executives sending the message that security would be the companys focus, particularly in Web services.

CEO Sanjay Kumar said CA is "very, very focused on security" going forward.

"For us to grow as a business, were absolutely focused on security," said Simon Perry, vice president of the eTrust security unit at CA, in Islandia, N.Y. "Its an evolution of something weve been doing the last few years."

To prove its commitment to the initiative, CA is moving its co-founder and resident turnaround specialist, Executive Vice President Russell Artzt, from his position running the storage unit to head the security division.

Security, however, is a dynamic, fluid market where requirements change quickly and customers stick with vendors they know well.

Indeed, some CA customers feel the company is playing catch-up.

"After 9/11, every single big vendor either bought a security group or formed one internally and stated that security [was their] first concern," said one security specialist at a large East Coast financial company who asked not to be named.

Those already in the industry, meanwhile, said it takes more than an announcement or two to make security a priority.

"To do Web services security correctly, you have to have a strong foothold in access management and extranet management," said Arvind Krishna, vice president of security products at Tivoli Systems Inc., a subsidiary of IBM, in Austin, Texas. "You can draw your own conclusions about [CAs efforts] from that. Which standards are they participating in and helping to lead? What people do they have who would be recognized as experts?"

Web services security depends on a strong authentication model, and although CA has public-key infrastructure and access management products, vendors such as IBM, Entrust Inc. and RSA Security Inc. are far more established in this area.

"All of the Web services security standards are highly dependent on the identity of the parties involved here," said Andrew Nash, director of technology and standards at RSA, in Bedford, Mass. "The fact is, unless you have a really effective authentication front end, a lot of this breaks down pretty quickly." Michael Condon, a partner at Accenture Ltd., in Reston, Va., said CA could be hampered because it lacks "a strong base in authentication and identity."

"Its all about authorization and authentication," Condon said. "There are a lot of people in this space who are trying to address security, including Microsoft [Corp.] and Sun [Microsystems Inc.]."

CA executives acknowledged these challenges but said the companys strength in managing other vendors products, as well as the immaturity of the Web services security market, gives it an opportunity to make headway.

CAs Perry cites the eTrust Repository, which can be used as a Universal Description, Discovery and Integration repository for providing Web services, as another plus for the company. As early proof of its new emphasis on security, CA last week unveiled its new eTrust 20/20 solution, which integrates data from physical and data security sources and gives customers a detailed, interactive view of their employees activities.

The company is also looking at other areas of security, including intrusion detection systems and encryption tools, officials said.

Still, it may be months before anyone knows whether the new CA strategy is paying off at all. "It takes time. You dont want to tell a story to the market and have it not be true," said IBMs Krishna.

Related stories:

  • Commentary: Security, Storage and Survival
  • Kumar Reshuffles CA Units
  • Commentary: Portals First, Web Services Second at CA World
  • CA: Talking New Wares in Hard Times
  • Interview: Kumar on CAs Battle Strategy
  • Kumar Mildly Upbeat On CA Earnings