Tuesday, June 17, 2008

CA positioning itself to be a GRC vendor that matters

I've been away for the past week on a short break (Athens and Santorini - if you haven't been to Santorini, you MUST add it to your to-do list). Naturally, that means that I've missed a whole bunch of news and have to catch up.

CA made a bunch of announcements last week regarding their line of security related products. The first about a new release of CA Identity Manager, another regarding CA Access Control, a third referring to CA GRC Manager and the last in relation to a brand new product called CA Security Compliance Manager.

I found the Identity Manager and Access Control announcements boring because they are just upgrades to existing products which almost all their competitors have. Upgrade announcements are boring because they are about new features which no one will really understand until they see them in action...and even then the competitors will all say "oh yeah we can do that too" even if they can't and just get the sales engineer to hack something together for the demo or POC that looks like it's out of the box.

I found the other 2 announcements much more interesting from a strategic standpoint...

The first thing I noticed was that they are sticking to the industry norm of using a completely boring name for new products while at the same time managing to use the same name as another vendor (e.g. all the major software vendors have a product called Identity Manager which does all the provisioning, de-provisioning, password management and account workflow related activities). In this case however, they have managed to use the same name as a product IBM has (Tivoli Security Compliance Manager) but for a completely different purpose.

The second thing I noticed was that they suddenly have 2 GRC centric products. If you are a regular reader, you'll know that I'm now doing some work in the GRC area after my year long sojourn into DLP so anything GRC related gets my attention.

Like many industry terms floating around (especially newer ones), GRC means different things to different people. It also means there are many software vendors out there claiming to solve all your GRC problems. What people don't necessarily always understand is that there are many different approaches (and drivers) for a GRC program within an organisation. Most commonly, a GRC initiative is viewed from one of the following angles:
  • Risk Management
  • Finance/Audit
  • IT Security
  • Business Controls/Operations
This is not an exhaustive list and most of the time there's a fuzzy line between each. In other words, there's always going to be overlap. I should also point out that an approach is not necessarily the same as a driver, but they can be the same thing. For example, the driver might be that the organisation needs to meet regulatory requirements. The combination of the regulatory requirements and the business areas affected will determine what approaches need to be taken. Or the driver might simply be that business controls need to be better monitored, controlled and audited to improve the bottom line. In this case, the approach is the same as the business driver.

As a result, there a lot of GRC software vendors that don't necessarily compete with each other even though at first glance you might think they do (usually because they stick the term GRC in their description). In fact, it makes sense for a lot of vendors out there to partner with each other to provide a more complete solution for organisations because none (including the large vendors) actually cover off the entire GRC solution. Whether an organisation needs the complete solution is an issue for another day.

Here's why the CA annoucement is interesting. CA GRC Manager looks to be enterprise risk management focused. They've now added CA Security Compliance Manager which looks to be IT Security focused. It's starting to look like organisations have decided that IT Security Governance needs to be centred around identities, which is why IT Security GRC is sometimes referred to as Identity Centric GRC. In my opinion, this means CA Security Compliance Manager competes directly with the likes of Sailpoint and Aveksa. Notice that I haven't mentioned any of the large vendors (e.g. IBM, Oracle, Sun, Novell, SAP) in this space. This is because they don't have anything that competes. Here's why:
  • IBM don't have a GRC product. They use a combination of IBM Tivoli Identity Manager (ITIM) and IBM Tivoli Compliance Insight Manager to do GRC-like tasks. IBM, I'm afraid nice looking reports and some ugly ITIM screens that do some level of attestation but business users can't figure out how to use doesn't cut it.
  • Oracle have a product, but it hooks into all their Finance, ERP and CRM applications. This means it's very focused on business controls.
  • Sun thinks Role Management = GRC. I have news for you Sun. Even in combination with some of the things Sun Identity Manager does, you're still not there.
  • SAP have solutions, but they all hook into...well, SAP! Just like Oracle, it's focused on business controls.
  • Novell are even worse off than the others because they are still peddling their provisioning and access control solutions as being able to solve all your governance and compliance problems.
It looks like CA is ahead of the curve in this case. Keep in mind I'm talking strategy and ability to execute and bring something to market. I'm sure all the other large vendors I've mentioned have some sort of plan. A lot of the discussion behind closed doors is probably around who they should acquire to fill the gaps. That said, the new CA Security Compliance Manager doesn't look to have some of the functionality that Sailpoint and Aveksa have, but they've essentially just released a version 1.0 of a product and they have the marketing dollars to make up for it in the initial stages. They can also claim to have integration into their GRC Manager product and their Identity and Access Management suite so that's also a leg up on Sailpoint and Aveksa because they can sell the "suite concept" instead of convincing organisations to go with a "best of breed" approach that smaller vendors have to preach.

Thinking out loud, it might make sense for CA to partner with SAP on a joint GRC marketing campaign. I seriously doubt Oracle (or CA) will agree to such a concept. Or maybe SAP should just buy CA and be done with it.


craver said...

Excellent post Ian! I'm in Toronto at Eurekify training this week, and we were talking about how CA agreed to resell Eurekify's ERM product, presumably to enhance CA Identity Manager deployments. Simply from a "check off the boxes" of product offerings (depth/breadth) in IdM/GRC/ERM from one vendor, CA has really stepped up to the plate to challenge Oracle. It will be interesting to see how potential customers view the CA portfolio.

Ian said...

Funny you should mention Eurekify. I agree that CA reselling the Eurekify Enterprise Role Manager (ERM) product makes sense. As you've said, it "checks the boxes".

One interesting dynamic that will result from the release of CA Security Compliance Manager is that Eurekify have GRC solutions other than ERM. These possibly overlap with the 2 CA GRC products somewhat. I can't say for sure because I haven't done a feature/function comparison.

I may have more about Eurekify soon but I'd be interested to hear what you think of the ERM product once you're done with the training.