January/February Issue

Space wars: CA seeks secure future

Cath Everett

Computer Associates (CA) may not be the first vendor that springs to the mind of the average IT professional when someone mentions information security. Nevertheless, the US-based software vendor intends to dominate this area within the next five years.

Simon Perry, CA’s vice president of security strategy for Europe, the Middle East and Africa (Emea), says the company aims to be number one in identity and access management (IAM) and in security information management (SIM) with its eTrust family of products by 2008 at the latest.

This, he claims, is achievable because of the supplier’s 27-year pedigree in the related discipline of systems management. This comes courtesy of its Unicenter offering for managing large enterprises. CA has a large installed base of mainframe customers, its focus is on the entire enterprise, and it has a presence in more than 40 countries. But he acknowledges: “IBM is a player here and the one to beat, followed by Symantec in the SIM space, both of whom are entering with a heavy service-led offering.”

A key problem CA faces at the moment, however, is not so much a dearth of suitable products, but rather a lack of profile and brand recognition.

Alain Dang van Mien, a research director at Gartner, explains: “The CA brand name is strong, but eTrust isn’t. CA created it only two years ago, and three years ago it had no security products at all outside of the mainframe. It made a couple of acquisitions with Platinum and Memco and recruited people, but it still has to build up brand awareness in the general security community.”

Perry acknowledges that the supplier has work to do in this area, especially because it is competing with single-focus vendors such as Symantec, which have high brand recognition because of their traditional emphasis on the consumer market.

However, he says that over the past 12 months CA has been replicating an initiative started four years ago in the US to boost its visibility in Europe. This includes hiring key people such as Jim Darragh, head of channel sales for Emea, who are experienced enough to do the rounds of the conference and speaker circuit, and spending money on targeted advertising in public places such as airports.

But Perry also points out that CA’s entry into the security space was no quirk of fate. “It was no accident that we closed the purchase of Platinum after it had bought Memco. It was absolutely a key part of our policy to get into the security market in a big way and we’re now six years into a very deliberate strategy,” he explains.

The rationale, Perry says, was to build on the company’s systems management business and to exploit in revenue terms one of the few corners of the software market that still has relatively high annual growth rates. It was worth $3.5 billion in 2002.

Dang van Mien explains: “By 2001, Unicenter’s product licence revenues were down by about 20 per cent, and it had to find a new area to make money in. Security was the only sector last year with double digit growth and we expect it to grow by nine per cent this year. As a result, it will become increasingly important to CA.”

Perry confirms that Sanjay Kumar, the vendor’s chairman and chief executive, sees eTrust as its most important brand from a strategic growth point of view.
“Unicenter brings the most revenues into CA today, but eTrust will grow the fastest and rival it in the coming years. Over the next five years, are we going to double growth of the Unicenter brand? Perhaps, perhaps not. But eTrust will become the same size (as Unicenter) and we’ve told Wall Street it should look very closely at that,” he says.

According to Gartner, CA’s security offerings generated between 10 and 15 per cent of the company’s revenues, or $138.5 million in 2002, and it currently has a 3.9 per cent share of the overall market. It ranks sixth behind Symantec, Network Associates, IBM, Trend Micro and Check Point Software.

One of the issues for CA, however, on top of the need to boost market share, is that the security market is over-crowded and fragmented. Many different types of firm from different sub-disciplines are players.

As a result, says Carsten Casper, a research analyst at the Meta Group, CA is being squeezed by the big boys, such as IBM and Microsoft, as they move into the market, and by endless numbers of specialists, all vying for a slice of the pie.
Its situation is not helped by the fact that most enterprises still see security as a technical discipline rather than a management issue. As a result, user companies still tend to invest in “bottom up”, best-of-breed network security infrastructure-level offerings such as anti-virus (AV) and intrusion detection systems (IDS).
But this is starting to change as organisations mature security-wise. More and more appreciate the need for “top down” security administration software such as IAM to improve the often scanty return on investment from mix-and-match approaches.

Gartner’s Dang van Mien explains: “Security has to be monitored and managed, but this has not been taken into account much so far by traditional vendors, which is an advantage for CA because it’s one of the few to do so.”

This means that if data centre staff are in charge of security, they are likely not only to appreciate this message, but also to be familiar with CA as a company. This may well lead them to favour eTrust. But if security operations remain separate from the data centre, professionals will be more prone to favour vendors such as Symantec.

So what exactly does CA have to offer the IT professional in terms of product offerings?

Perry divides the company’s lines into four main categories, although he is keen to emphasise that buying one does not mean having to buy all. Instead, he says, CA’s strategy is to sell technology to customers in digestible chunks, while making it clear that they can expand to the full suite over time, if they so desire.
Its offerings comprise content management software such as anti-virus and anti-spam; vulnerability management; identity and access management, and the Security Command Center (SCC) console. This is key to its strategy of “integration management” as it can handle not only CA products, but third party ones too.

The company has spent the last four years integrating all these applications at the event and common services layer. Over the next six months it will roll out upgrades that are integrated more tightly at the graphical user interface and repository level to work under a single eTrust portal.

A lack of a key products, such as a firewall, means that there are gaps in terms of offering an end-to-end enterprise suite, especially on the network security infrastructure side. But Perry says: “It’s more important for us to manage all infrastructure software than to dominate any single product category. That said, we have strong products, but not market-leading ones by market share, within that space.”

This approach, he adds, fits entirely with the widely-held view that some of these technologies, including AV and IDS, will simply be absorbed into base operating systems or networks. Therefore, Perry says: “We’re focusing on those areas that are the most profitable and have the best chance of delivering cash flow and share price, and growing the business.”

But, interestingly, CA is not simply selling eTrust, and the SCC management console in particular, directly into its traditional FTSE 100 enterprise customer base by exploiting its existing C-level relationships. Instead, it has introduced a new compensation scheme. This rewards its sales staff most richly for sales to new customers. Next follow cross-sales to Unicenter and other customers, and lastly sales of additional licenses to existing users. Moreover, although exceptions will be made at the request of large customers, CA’s preferred fulfilment model for eTrust will be the third party channel.

Perry explains: “Medium-sized companies with 500 staff and upwards are our key target market for expansion. The issue is that if you have a number of customers and you cross-sell to them, you still only have that many, but if they are involved in a merger and acquisition situation, you actually have fewer, even if both are CA users.”

As a result, CA’s goal is to extend its reach to the second tier of medium-sized companies. “If you look at the overall IT spend in Europe, this is bigger than the FTSE 100 in total,” Perry says.

Perry explains the strategy here: “Our AV software is the beach head for us via the channel. Right now, a lot of partners are only doing AV, but they realise that they need to grow out of this over the next five years or they won’t be making any money.”

Partners such as Tolerant Systems have seen the appeal of a CA-based business plan that covers the next few years, he says. This puts forward patch management systems as the next logical step. Managed security providers such as Ubizen and Integralis, on the other hand, have likewise taken the SCC console as a means to improve their own services.

To boost its mid-market appeal, however, CA also plans to come out with various bundles of product and services by the end of February. While it has no plans to undertake either hosting or outsourcing, it intends to sell various so-called end-to-end solutions that address different security areas.

“Where the heads come from will be invisible, and whether it is from CA or hand-picked partner staff, the result is that customers will be able to buy a product and service wrap that includes product, implementation and operations,” Perry says.
It also won’t matter whether the contract is written on either CA or on partner paper, he adds. This is because one of the company’s key aims is to avoid channel conflict.

Gartner’s Dang van Mien believes that CA’s strategy has a reasonable chance of success. He thinks that the security market will hear a lot from the vendor over the next few years.

“The biggest issue is that the market is very unpredictable and it’s not always clear how future trends will pan out. It depends on global economics, particularly because security is seen to be like buying insurance. But it also depends on mergers and acquisitions and how quickly software becomes embedded, as this affects how much money can be earned, and by whom,” he says.
Dang van Mien believes the best case scenario for CA is that it becomes a market leader in user provisioning and embeds an increasing number of its security products into Unicenter, for which it charges, while continuing to build up the eTrust brand.

The worst case is that the trend towards embedding makes it harder and harder to sell its products into the enterprise, that it experiences no real growth, and that it starts to invest in a different type of technology. This would see the eTrust brand wither and the products given away for free as part of Unicenter.
“The reality will probably be somewhere in the middle. CA has a 50-50 chance of succeeding, and it’s not clear at the moment what will happen,” he concludes.
Cath Everett is an IT and business journalist who writes for titles that include: Computing, Computer Weekly, MIS, Financial Director, Red Herring, and IT Consultant.

Back to features index