Tuesday, February 10, 2009

CA continues their GRC march

I've observed in the past that CA looks to be getting serious about this whole Governance, Risk and Compliance (GRC) caper. Today, they released version 2.0 of their GRC Manager. I first found out about the impending release some time last week when CA got in touch offering a briefing, which I accepted (Aside: I usually accept these requests unless there's a conflict of interest on my part).

I spoke with Marc Camm (SVP & GM, Governance, Risk and Compliance Products), Tom McHale (VP of Product Management for CA GRC Manager) and Sumner Blount (Senior Principal Product Marketing Manager for Governance, Risk & Compliance) regarding the release. Apart from the press release, CA's also made a blog post and a video. There are even a few screenshots. All I can say is that they've gone all out to get some discussion going around the release.

I won't rehash any of the stuff CA's already put out there because I really hate it when others do that. What I will say is that version 2.0 is centred around what CA calls Risk IQ, which is another way of saying they want to help turn raw data into useful information that organisations can use to make better decisions around risk. This, however, has always been the "holy grail" of any product with "risk" or "monitoring" as part of its features. Whether CA's Risk IQ delivers on its promise remains to be seen. 2.0's features are essentially all the useful "risk bits" they didn't put into version 1.0. It's available via the standard off-the-shelf model we're all so used to, a managed services offering or the SaaS version (CA GRC On Demand).

Some other things I did pick up during the conversation:
  • CA did not deny that there would still be a sizable amount of "heavy lifting" done by organisations and implementation partners (such as PwC). GRC Manager is simply a tool to facilitate risk and compliance requirements.
  • GRC Manager leverages the IT Unified Compliance Framework as a way of implementing a core set of policies that allows for easy expansion for use with regulatory requirements (e.g. Sarbanes-Oxley, HIPAA). Note: a lot of the large vendors take a similar approach - for example, IBM Tivoli likes COBIT.
  • CA runs their GRC and Security divisions as separate business units. In other words, they will ensure they integrate nicely with the Security products but are just as happy to integrate with other Identity and Access Management suites (this is "toe the company line" speak for "we don't really care if our potential customers don't use CA's security products"). I asked them how they saw the recent acquisitions of IDFocus, Eurekify and Orchestria and they said it was great to have them as additional tools for integration within the CA family, but they don't have any plans for wrapping GRC Manager around them as they belong to the Security division.
  • One thing I wanted to clarify for my own understanding was whether they saw GRC Manager more as an identity-focused, operations-centric GRC tool or an enterprise GRC tool. The answer was that GRC Manager is an enterprise GRC tool, a "manager of managers" if you like. In other words, GRC Manager competes more with OpenPages than it does with SailPoint.

Relatively speaking, CA are just starting out on their GRC software journey, but I think they've got a head-start on many of the other large vendors they are usually pigeon-holed with (except for Oracle, who have a genuine claim to be at least on par, if not ahead). I'm not sure if they're quite there in terms of functionality when compared with some of the established smaller players (e.g. OpenPages), but they certainly have the ambition and company focus to get there. Once again, it'll be about execution (and perhaps the odd acquisition here and there).

1 comment:

Dorian Cougias said...

While IBM's Tivoli might use CobiT, that isn't even close to the same as the Unified Compliance Framework. The UCF has mapped over 400 authority documents into their system (http://www.unifiedcompliance.com), which includes CobiT as one of the authority documents. The UCF approach, especially within CA's GRC Manager, is a much stronger approach.