IN THE BOARDROOM™ with...
Mr. Toby Weiss
Senior Vice President and General Manager
CA Security Management
Computer Associates (NYSE: CA)
SecuritySolutionsWatch.com:
Thanks for joining us today, Toby. Please tell us about your
background and your role at CA.
Toby Weiss: Sure. I’m senior vice president and general
manager for CA’s Security Management business unit. I’m
responsible for our extensive line of security management
solutions which encompass Identity and Access Management, Threat
Management, and Security Information Management. Our solutions
address virtually every aspect of an organization’s IT security,
and can operate with our customer’s existing security
infrastructure. Earlier, I was senior vice president for CA Japan
and country manager for CA Korea. I joined CA in 1993 and have a
bachelor’s degree in computer science from the University of
Michigan.
SecuritySolutionsWatch.com: One will read on CA.com that,
“Effective security management cannot exist in isolation. It
should be viewed as part of an overall IT infrastructure that
covers many disciplines. Enterprise IT Management (EITM) is CA’s
vision for enabling a new level of management control across the
enterprise.” Please give our audience an overview of EITM.
Toby Weiss: The focus of Enterprise IT Management (EITM) is
to manage and secure across all aspects of the IT environment —
from IT assets and IT users to the application environments that
bring them together, and finally to the IT services and the
business processes that use them. By managing all of IT in an
integrated way, our customers can unify and simplify the
management and security of IT so that it can be continually
optimized in support of business needs.
It’s important to note that security can’t be done in
isolation. It needs to be an integral part of aligning IT services
with business requirements. There are some 700 different vendors
offering individual, or point, security solutions to enterprises,
and the burden of integrating that technology falls on the
shoulders of customers. The problem with point solutions is that
they don’t tie back to the business.
CA’s approach is different. We start with the services that IT
provides to the business. We automate the process of ensuring that
the right users have access to the services they need--and that
the wrong users don’t. We then look at the IT assets that make
up those services and make sure we reduce risk by eliminating
threats and closing vulnerabilities.
Our solutions are integrated to work with each other to reduce
complexity and costs--whether it’s leveraging common data or
common workflows or providing a common audit trail across all of
the systems. The biggest benefit we’re seeing these days,
however, is that this integration allows organizations to address
business issues such as regulatory compliance.
SecuritySolutionsWatch.com: EITM obviously begins with Identity
and Access Management. Please elaborate on CA’s authentication
and authorization solutions.
Toby Weiss: Sure. Many organizations weren’t originally
structured for the kind of access we need today. In the past
they’ve often relied on a disjointed collection of point
solutions to address specific identity and access problems. Today,
companies are deploying an increasing number of applications with
incompatible security models, inconsistent management of
identities and different auditing mechanisms. This increases
inefficiency and risk and makes it even tougher to manage users
and identities.
Organizations should easily be able to answer the question “who
has access to what?” But many can’t. This is really the
cornerstone of what our solutions do. They automatically identify
and remove obsolete, unused and rogue user IDs and access rights.
They enforce access levels on all of the applications and systems
an organization uses, and audit the access and the approvals of
access. We put an entitlement management and reporting process
around all of this, so organizations can continuously review their
security access levels and comply with regulations.
SecuritySolutionsWatch.com: Let’s talk about some success
stories. In the enterprise verticals of Finance and Healthcare is
there a “win” or two in each of these verticals you’d like
to mention?
Toby Weiss: Of course. Banca CR Firenze, a leading group of
financial services companies that offers a wide range of
personalized banking, financial, insurance and consumer credit
solutions through its member companies, uses CA Identity and
Access Management solutions to manage extranet and intranet
authentication. They’ve been able to improve reliability, make
their resources easier to use, and increase user satisfaction and
productivity. They’ve also drastically reduced the number of
calls to their help desk, enabling their employees to focus on
other business critical issues.
In healthcare, Franciscan Missionaries of Our Lady Health Systems
is using CA’s IAM solutions to streamline and standardize the
process of managing users and automating key identity processes.
And Hartford Hospital, one of the largest medical centers in New
England, is using CA Integrated Threat Management r8 to reduce
operational costs by more than 10 percent while protecting their
critical systems. Instead of needing multiple solutions and
several technicians to combat viruses and spyware, a single staff
member manages its entire 5000+ user network.
SecuritySolutionsWatch.com: What about the US Government
market? Without giving away any trade secrets or confidential
information, can you give us an overview of CA’s involvement
with DISA?
Toby Weiss: As you can imagine, governments around the
world are particularly sensitive about disclosing their security
practices. However, last year CA announced it is working with the
Defense Information Systems Agency, which provides IT services to
the nation’s war fighters, to provide our eTrust PestPatrol
AntiSpyware throughout the Department of Defense. This is part of
the agency’s Spyware Detection, Eradication and Protection
Initiative. Some four million active military personnel received
our AntiSpyware product for free to download on their personal
PCs.
This is just one example of CA’s work in the federal Government.
More than 95 percent of U.S. federal agencies use our software
including the Federal Aviation Administration (FAA), Patrick Air
Force Base and Walter Reed Army Medical Center to name just a few.
SecuritySolutionsWatch.com: What about a success story at the
State Government level?
Toby Weiss: Our products are also widely used in state and
local governments. One example is the City of Austin. The city was
planning to provide the public with direct, online access to
information and needed a solution that provided granular
separation of data. For some data, confidentiality was essential.
For other data, such as emergency medical services, accessibility
was more essential. The City selected our z/series Identity and
Access Management to protect confidential data while still
allowing the public access to what they need. They have had great
success with this initiative.
SecuritySolutionsWatch.com: Any International projects you care to
mention – the Torino Olympics perhaps?
Toby Weiss: Atos-Origin, the Worldwide Information
Technology (IT) partner for the Olympic Games, successfully
leveraged CA’s Security Information Management solutions at the
Torino 2006 Olympic Winter Games to help ensure the integrity of
data within the protected perimeter, including thousands of
individual athletes’ results across hundreds of events.
eTrust Security Command Center and eTrust Vulnerability Manager
were implemented at the Athens 2004 Summer Olympics and again at
the Torino 2006 Winter Games as part of Atos-Origin’s
centralized, real-time security monitoring and vulnerability
assessment services.
SecuritySolutionsWatch.com: We know that various Government
mandates such as the Health Insurance Portability and
Accountability Act (HIPAA) and Homeland Security Policy Directive
12 (HSPD12), and Sarbanes-Oxley among others, are market drivers
for security solutions. Please tell us about these Government
mandates. What’s your perspective on other market drivers right
now for CA solutions?
Toby Weiss: Compliance efforts are now boardroom
discussions with CIOs and CSOs, who need to mitigate risks while
reducing costs.
The key requirement of virtually all security-related regulations
involves the creation of strong internal controls and the ability
to report on these controls. This means that all users must be
uniquely identified, access to protected resources must be tightly
controlled, and access to these resources must be based on a
defined security policy. In addition, all access and security
events must be easily and fully auditable. These requirements are
at the heart of regulatory compliance, and are precisely the
capabilities that an integrated identity and access management
platform can provide.
SecuritySolutionsWatch.com: “Phishing” threats are becoming
more sophisticated yet many end-users are still unaware of how
“Phishing” can lead directly to identity theft or damage a
company’s brand. Please tell our audience about “Phishing”
and what individuals and enterprises can do to protect themselves.
Toby Weiss: You’re absolutely right. Phishing is really a
symptom of a crime, not the crime itself. Like a carpenter using a
hammer, identity thieves use phishing. It's not a single technique
but a collection of techniques to dupe innocent Internet users
into giving up what they shouldn't. You could say that phishers
are glorified conmen hiding behind an Internet server, email and
fake services.
We offer anti-spam tools to help flag suspicious emails, Web sites
and the like and prevent consumers and business people from being
victimized. But the best defense is to be aware of what’s out
there and not to be lulled into a false sense of security. A few rules
to keep in mind are: don't respond to requests to log into accounts
from emails, and don't give up your username, password and/or "PII"
(Personally Identifiable Information), such as your Social
Security number.
SecuritySolutionsWatch.com: Toby, we’re aware of CA’s
strategic relationship with Deloitte & Touche. May we have an
overview?
Toby Weiss: We have partnerships with many large systems
integrators who are excellent at helping customers derive the
maximum benefits from our management solutions to help them
resolve their business problems. Deloitte is one example of such a
partnership, and they have some of the industry’s most talented
people. They can help organizations use technology for competitive
advantage and develop best practices for an accelerated return on
investment. In particular, we work closely with them in the
Identity and Access Management space. Together, we offer a
holistic IAM solution encompassing automated user provisioning,
access management, single sign-on, and directory services.
SecuritySolutionsWatch.com: Please tell us about CA’s
involvement with the Cyber Security Industry Alliance.
Toby Weiss: CA is a founding member of the CSIA, which is
an advocacy group based in Washington, DC, that was formed to
enhance cyber security through public policy initiatives, public
sector partnerships, corporate outreach, academic programs,
alignment behind emerging industry technology standards and public
education. CA is actively involved with the CSIA in helping ensure
that the public and private sectors work closely to achieve
sophistication with respect to both technology and functional
coordination. One of the CSIA’s recent initiatives has been
petitioning Congress for data breach legislation.
SecuritySolutionsWatch.com: What resources such as case
studies, webinars, and white papers, are available at www.CA.com
for end-users?
Toby Weiss: When users visit CA.com they have immediate
access to CA's Security Advisor team that researches and responds
to global threats via a network of rapid response centers around
the world, delivering the most comprehensive validated virus and
vulnerability databases in the industry; clean-up utilities,
detection signature files and remediation instructions for
threats; and documentation on complete threat protection. The
Security Advisor website has daily threat level monitoring and a
listing of the latest threats. The website is http://ca.com/securityadvisor.
Security Webinars, podcasts, case studies, whitepapers, analyst
information and even an ROI calculator that enables users to
figure out their Return on Investment with CA Security Management
Solutions can all be found under the Security Management page: www3.ca.com/Solutions
SecuritySolutionsWatch.com: Any particular product awards or
press mentions you’d like to tell our audience about?
Toby Weiss: Yes, I think it is important to note that
several independent leading analyst firms have recognized CA as a
market leader in all the security management areas we focus on.
IDC, for example, has named CA the worldwide market leader in
Identity and Access Management (IAM) software for five consecutive
years. And Gartner has recognized CA as leading the market in
Security Information and Event Management. Our eTrust Security
Command Center, which helps organizations manage and respond to
security events across the enterprise, has been positioned in the
"Leaders" quadrant in Gartner, Inc.'s Security
Information and Event Management Magic Quadrant for the first half
of 2006. In addition, our anti-spyware and antivirus solutions
have been awarded Checkmark certifications by West Coast Labs and
have been rated highly by publications like eWeek and InfoWorld.
SecuritySolutionsWatch.com: Thank you very much for your time
today, Toby. Is there any other subject you would like to talk
about?
Toby Weiss: I’d like to thank you too and just add that
CA’s decades of experience in solving complicated IT problems
with our IT management software serves more than 98% of Fortune
1000 companies, as well as government entities, educational
institutions and thousands of other companies around the world
today. Security is such a critical part of all these entities and
in fact, everything we do, that I think it would be remiss of me
to not remind everyone that security depends on an ongoing set of
processes and practices that must be embedded into the daily
operations of any organization and reviewed regularly. We all need
to make sure that no one treats security as something you buy and
install, but rather something you do and make a way of life.