CA has a compelling compliance story to tell. Like many global organisations, the company (formerly known as Computer Associates), has been impacted significantly by the tide of legislation requiring new standards of corporate governance.
But unlike others, CA is drawing on its own experience, applying compliance best practice as an antidote to a period of financial mismanagement around the turn of the decade.
Compliance efforts at CA, however, have not operated in isolation. The company’s new management team were well aware of the need to impose tighter IT controls as part of an efficiency agenda, and the compliance requirements just helped drive this through. This also segued neatly into security efforts at the company, says Bill Taub, vice president for global enterprise security at CA. Security and compliance are almost synonymous at CA, he says. “The notion is that risk is being managed, whether it’s compliance risk [or] hacker risks.”
However, the task of delivering a risk management strategy that ensured controls were put in place to oversee “every transaction” required a huge technological – and cultural – shift. For a start, as a renowned creator of packaged software, CA had historically regarded itself as capable of satisfying many of its own business applications needs in-house.
Bill Taub
Bill Taub is CA’s vice president of global enterprise security, with the remit of building sustainable, cost effective risk management across the company. Prior to working at CA, he was a founder and CTO at Internet application service provider ANT Internet, until it was acquired by CA in 1996.
Phil Stunt
Phil Stunt is international CIO for CA in EMEA and a company vice president. He is responsible for the overall management of CA’s IT infrastructure within the region. He has also been an associate partner at IT services company Accenture and spent 11 years working on supply chain systems at energy and petrochemicals giant Royal/Dutch Shell.
The result was a legacy of 1,500 bespoke applications. That needed reining in, explains Phil Stunt, international CIO for CA in Europe, the Middle-East and Africa. “Anybody going through Sarbanes-Oxley [compliance] knows that complexity is an exponential rather than a linear thing. We’ve got 1,500 applications; the case for simplification was easy to write.”
But introducing a compliance culture was not something that could be addressed overnight, explains Stunt. “We’re IT guys. It was inherently alien to us when we first got the brief. We were thinking, ‘What on earth have we to do with culture?’ Culture is the pink and fluffy stuff that the HR guys and change consultants do.”
What quickly became apparent was that a compliance culture actually entailed imposing much of the best practice already espoused by CA’s security technologies and processes, explains Stunt. However, that necessitated taking some tough decisions, including imposing a centralised governance structure. Such centralisation, he adds, is absolutely necessary to ensure good governance pervades the entire organisation, satisfying compliance requirements.
But while this is a sound theory, implementation is not straightforward, Stunt acknowledges. “You can have the aim of creating impenetrable security:if you’ve got a bunker in the desert with concrete walls, not connected to anything, you’ve got impenetrable security. Otherwise, it doesn’t exist. Instead we had to consider: What is the cost-effective approach?”
Like many others, CA was faced with an absolute deadline to meet Sarbanes-Oxley (SOX) regulations. That required spending an “inordinate amount of money” taking disparate systems, introducing controls and ensuring this could be verified, says Taub. This got CA through the initial SOX audit, but in the long term it “is madness, it requires too much money. We needed to examine how we could take a better, more sustainable approach.”
Having passed the first audit, CA’s executive team set a goal of reducing compliance spending by 50% in each subsequent year.
As part of ensuring that the risk management controls were auditable and woven into the everyday operations, automation was key, explains Taub. Through the use of its own network systems management tools, CA was able to document when incidents that potentially breached SOX occurred, and show that these were either resolved automatically or escalated. During its 2004 fiscal year CA could show its auditors that 10 million events covered by the SOX regulations had arisen; a small number required manual intervention, and only 12 were identified as exceptions that required further action outside of the security team.
This approach has enabled CA’s security team to provide an affordable and resilient strategy for managing risk. But Stunt is quick to acknowledge that it is not perfect. One of the problems he has faced is that through automating many of the risk management controls, employees can become disengaged from the secure culture he is trying to foster.
One example of this became apparent during discussions with the HR team, Stunt explains. The process of new-starter provisioning had allowed departmental heads to easily set up recruits with the necessary IT tools
on their first day. But the process of checks and approvals had become so seamless, managers were at risk of not grasping what security checks had been put in place, says Stunt.
“[We] made the process so transparent it is invisible – and that’s not good. This doesn’t constitute an environment that is aware of security: security should be visible, people need to know it is present.”
