Computer Associates (CA) may not be the first vendor that

springs to the mind of the average IT professional when

someone mentions information security. Nevertheless, the US-

based software vendor intends to dominate this area within the

next five years.

Simon Perry, CA’s vice president of security strategy for Europe,

the Middle East and Africa (Emea), says the company aims to be

number one in identity and access management (IAM) and in

security information management (SIM) with its eTrust family of

products by 2008 at the latest.

This, he claims, is achievable because of the supplier’s 27-year

pedigree in the related discipline of systems management. This

comes courtesy of its Unicenter offering for managing large

enterprises. CA has a large installed base of mainframe customers,

its focus is on the entire enterprise, and it has a presence in more

than 40 countries. But he acknowledges: “IBM is a player here and

the one to beat, followed by Symantec in the SIM space, both of

whom are entering with a heavy service-led offering.”

A key problem CA faces at the moment, however, is not so much

a dearth of suitable products, but rather a lack of profile and

brand recognition.

Alain Dang van Mien, a research director at Gartner, explains:

“The CA brand name is strong, but eTrust isn’t. CA created it only

two years ago, and three years ago it had no security products at

all outside of the mainframe. It made a couple of acquisitions with

Platinum and Memco and recruited people, but it still has to build

up brand awareness in the general security community.”

Perry acknowledges that the supplier has work to do in this area,

especially because it is competing with single-focus vendors such

as Symantec, which have high brand recognition because of their

traditional emphasis on the consumer market.

However, he says that over the past 12 months CA has been

replicating an initiative started four years ago in the US to boost its

visibility in Europe. This includes hiring key people such as Jim

Darragh, head of channel sales for Emea, who are experienced

enough to do the rounds of the conference and speaker circuit, and

spending money on targeted advertising in public places such as

airports.

But Perry also points out that CA’s entry into the security space

was no quirk of fate. “It was no accident that we closed the

purchase of Platinum after it had bought Memco. It was absolutely

a key part of our policy to get into the security market in a big way

and we’re now six years into a very deliberate strategy,” he

explains.

The rationale, Perry says, was to build on the company’s systems

management business and to exploit in revenue terms one of the

few corners of the software market that still has relatively high

annual growth rates. It was worth $3.5 billion in 2002.

Dang van Mien explains: “By 2001, Unicenter’s product licence

revenues were down by about 20 per cent, and it had to find a new

area to make money in. Security was the only sector last year with

tr

ac

ke

r16

Info

security To

day

January/February 2004

Space wars: CA seeks secure future

Meta Group’s Casper: CA is being squeezed.

By Cath Everett catheverett@hotmail.com

CA has a five year plan to win hearts and plug gaps. Will it be enough?

1742-6847/04 ©2004 Elsevier Ltd. All rights reserved.

double digit growth and we expect it to grow by nine per cent this

year. As a result, it will become increasingly important to CA.”

Perry confirms that Sanjay Kumar, the vendor’s chairman and

chief executive, sees eTrust as its most important brand from a

strategic growth point of view.

“Unicenter brings the most revenues into CA today, but eTrust

will grow the fastest and rival it in the coming years. Over the next

five years, are we going to double growth of the Unicenter brand?

Perhaps, perhaps not. But eTrust will become the same size (as

Unicenter) and we’ve told Wall Street it should look very closely at

that,” he says.

According to Gartner, CA’s security offerings generated between

10 and 15 per cent of the company’s revenues, or $138.5 million in

2002, and it currently has a 3.9 per cent share of the overall market.

It ranks sixth behind Symantec, Network Associates, IBM, Trend

Micro and Check Point Software.

One of the issues for CA, however, on top of the need to boost

market share, is that the security market is over-crowded and

fragmented. Many different types of firm from different sub-

disciplines are players.

As a result, says Carsten Casper, a research analyst at the Meta

Group, CA is being squeezed by the big boys, such as IBM and

Microsoft, as they move into the market, and by endless numbers

of specialists, all vying for a slice of the pie.

Its situation is not helped by the fact that most enterprises still

see security as a technical discipline rather than a management

issue. As a result, user companies still tend to invest in “bottom

up”, best-of-breed network security infrastructure-level offerings

such as anti-virus (AV) and intrusion detection systems (IDS).

But this is starting to change as organisations mature security-

wise. More and more appreciate the need for “top down” security

administration software such as IAM to improve the often scanty

return on investment from mix-and-match approaches.

Gartner’s Dang van Mien explains: “Security has to be

monitored and managed, but this has not been taken into account

much so far by traditional vendors, which is an advantage for CA

because it’s one of the few to do so.”

This means that if data centre staff are in charge of security,

they are likely not only to appreciate this message, but also to be

familiar with CA as a company. This may well lead them to favour

eTrust. But if security operations remain separate from the data

centre, professionals will be more prone to favour vendors such as

Symantec.

So what exactly does CA have to offer the IT professional in

terms of product offerings?

Perry divides the company’s lines into four main categories,

although he is keen to emphasise that buying one does not mean

having to buy all. Instead, he says, CA’s strategy is to sell

technology to customers in digestible chunks, while making it

clear that they can expand to the full suite over time, if they so

desire.

Its offerings comprise content management software such as

anti-virus and anti-spam; vulnerability management; identity

and access management, and the Security Command Center

(SCC) console. This is key to its strategy of “integration

management” as it can handle

not only CA products, but third

party ones too.

The company has spent

the last four years

integrating all these

applications at the event

and common services

layer. Over the next six

months it will roll out

upgrades that are

integrated more tightly at

the graphical user

interface and repository

level to work under a single

eTrust portal.

tr

ac

ke

r17

Info

security To

day

January/February 2004

CA’s Perry: We want to benumber one by 2008.

A lack of a key products, such as a firewall, means that there are

gaps in terms of offering an end-to-end enterprise suite, especially

on the network security infrastructure side. But Perry says: “It’s

more important for us to manage all infrastructure software

than to dominate any single product category. That said, we have

strong products, but not market-leading ones by market share,

within that space.”

This approach, he adds, fits entirely with the widely-held view

that some of these technologies, including AV and IDS, will simply

be absorbed into base operating systems or networks. Therefore,

Perry says: “We’re focusing on those areas that are the most

profitable and have the best chance of delivering cash flow and

share price, and growing the business.”

But, interestingly, CA is not simply selling eTrust, and the SCC

management console in particular, directly into its traditional

FTSE 100 enterprise customer base by exploiting its existing C-

level relationships. Instead, it has introduced a new

compensation scheme. This rewards its sales staff most richly for

sales to new customers. Next follow cross-sales to Unicenter and

other customers, and lastly sales of additional licenses to existing

users. Moreover, although exceptions will be

made at the request of large customers,

CA’s preferred fulfilment model for

eTrust will be the third party

channel.

Perry explains: “Medium-

sized companies with 500 staff

and upwards are our key target

market for expansion. The issue

is that if you have a number of

customers and you cross-sell to

them, you still only have that many,

but if they are involved in a merger

and acquisition situation,

you actually have

fewer, even if both

are CA users.”

As a result,

CA’s goal is to

extend its reach to

the second tier of

m e d i u m - s i z e d

companies. “If

you look at the

overall IT spend in Europe, this is bigger than the FTSE 100 in

total,” Perry says.

Perry explains the strategy here: “Our AV software is the beach

head for us via the channel. Right now, a lot of partners are only

doing AV, but they realise that they need to grow out of this over

the next five years or they won’t be making any money.”

Partners such as Tolerant Systems have seen the appeal of a CA-

based business plan that covers the next few years, he says. This

puts forward patch management systems as the next logical step.

Managed security providers such as Ubizen and Integralis, on the

other hand, have likewise taken the SCC console as a means to

improve their own services.

To boost its mid-market appeal, however, CA also plans to come

out with various bundles of product and services by the end of

February. While it has no plans to undertake either hosting or

outsourcing, it intends to sell various so-called end-to-end

solutions that address different security areas.

“Where the heads come from will be invisible, and whether it is

from CA or hand-picked partner staff, the result is that customers

will be able to buy a product and service wrap that includes product,

implementation and operations,” Perry says.

tr

ac

ke

r18

Info

security To

day

January/February 2004

CA’s strategy at a glanceKey aim

To have its eTrust security products take the number one slot in identity andaccess management and security information management by 2008.

On the plus side:

• Sanjay Kumar, CA’s chairman and chief executive, is backing eTrustheavily and sees it as the company’s most important brand from astrategic growth perspective

• CA is six years in to a carefully thought-out strategy to penetrate thesecurity market

• Strong management background, courtesy of its flagship Unicentersystems management offering

• CA is well known by data centre staff and has high levels of brandrecognition here

• CA is broadening its traditional model of selling directly to Fortune500/FTSE 100 companies and is now also targeting mid-sized companiesvia the third party channel

On the down side:

• Lack of profile and brand recognition in the security market and amongsecurity professionals

• Ranked only number six in the overall market in 2002 with a 3.9 per centmarket share compared to the leader Symantec with 19.4 per centGartner)

• CA could be squeezed if big players such as IBM and Microsoft enter themarket and by large numbers of specialist players

• Most organisations still see security as a technical discipline rather than amanagement issue

• CA must plug gaps in the network security infrastructure side if it is tocreate an end-to-end security product suite

Gartner’s Dang van Mien:A 50-50 chance of success.

It also won’t matter whether the contract is written on either CA

or on partner paper, he adds. This is because one of the company’s

key aims is to avoid channel conflict.

Gartner’s Dang van Mien believes that CA’s strategy has a

reasonable chance of success. He thinks that the security market

will hear a lot from the vendor over the next few years.

“The biggest issue is that the market is very unpredictable and

it’s not always clear how future trends will pan out. It depends on

global economics, particularly because security is seen to be like

buying insurance. But it also depends on mergers and acquisitions

and how quickly software becomes embedded, as this affects how

much money can be earned, and by whom,” he says.

Dang van Mien believes the best case scenario for CA is that it

becomes a market leader in user provisioning and embeds an

increasing number of its security products into Unicenter, for

which it charges, while continuing to build up the eTrust brand.

The worst case is that the trend towards embedding makes it

harder and harder to sell its products into the enterprise, that it

experiences no real growth, and that it starts to invest in a different

type of technology. This would see the eTrust brand wither and the

products given away for free as part of Unicenter.

“The reality will probably be somewhere in the middle. CA has

a 50-50 chance of succeeding, and it’s not clear at the moment

what will happen,” he concludes.

Cath Everett is an IT and business journalist who writes for titlesthat include: Computing, Computer Weekly, MIS, Financial

Director, Red Herring, and IT Consultant.

tr

ac

ke

r20

Info

security To

day

January/February 2004