IN THE BOARDROOM™ with...
Mr. Toby Weiss
Senior Vice President and General Manager
CA Security Management
Computer Associates (NYSE: CA)

SecuritySolutionsWatch.com: Thanks for joining us today, Toby. Please tell us about your background and your role at CA.

Toby Weiss: Sure. I’m senior vice president and general manager for CA’s Security Management business unit. I’m responsible for our extensive line of security management solutions which encompass Identity and Access Management, Threat Management, and Security Information Management. Our solutions address virtually every aspect of an organization’s IT security, and can operate with our customer’s existing security infrastructure. Earlier, I was senior vice president for CA Japan and country manager for CA Korea. I joined CA in 1993 and have a bachelor’s degree in computer science from the University of Michigan.

SecuritySolutionsWatch.com: One will read on CA.com that, “Effective security management cannot exist in isolation. It should be viewed as part of an overall IT infrastructure that covers many disciplines. Enterprise IT Management (EITM) is CA’s vision for enabling a new level of management control across the enterprise.” Please give our audience an overview of EITM.

Toby Weiss: The focus of Enterprise IT Management (EITM) is to manage and secure across all aspects of the IT environment — from IT assets and IT users to the application environments that bring them together, and finally to the IT services and the business processes that use them. By managing all of IT in an integrated way, our customers can unify and simplify the management and security of IT so that it can be continually optimized in support of business needs.

It’s important to note that security can’t be done in isolation. It needs to be an integral part of aligning IT services with business requirements. There are some 700 different vendors offering individual, or point, security solutions to enterprises, and the burden of integrating that technology falls on the shoulders of customers. The problem with point solutions is that they don’t tie back to the business.

CA’s approach is different. We start with the services that IT provides to the business. We automate the process of ensuring that the right users have access to the services they need--and that the wrong users don’t. We then look at the IT assets that make up those services and make sure we reduce risk by eliminating threats and closing vulnerabilities.

Our solutions are integrated to work with each other to reduce complexity and costs---whether it’s leveraging common data or common workflows or providing a common audit trail across all of the systems. The biggest benefit we’re seeing these days, however, is that this integration allows organizations to address business issues such as regulatory compliance.

SecuritySolutionsWatch.com: EITM obviously begins with Identity and Access Management. Please elaborate on CA’s authentication and authorization solutions.

Toby Weiss: Sure. Many organizations weren’t originally structured for the kind of access we need today. In the past they’ve often relied on a disjointed collection of point solutions to address specific identity and access problems. Today, companies are deploying an increasing number of applications with incompatible security models, inconsistent management of identities and different auditing mechanisms. This increases inefficiency and risk and makes it even tougher to manage users and identities.

Organizations should easily be able to answer the question “who has access to what?” But many can’t. This is really the cornerstone of what our solutions do. They automatically identify and remove obsolete, unused and rogue user IDs and access rights. They enforce access levels on all of the applications and systems an organization uses, and audit the access and the approvals of access. We put an entitlement management and reporting process around all of this, so organizations can continuously review their security access levels and comply with regulations.

SecuritySolutionsWatch.com: Let’s talk about some success stories. In the enterprise verticals of Finance and Healthcare is there a “win” or two in each of these verticals you’d like to mention?

Toby Weiss: Of course. Banca CR Firenze, a leading group of financial services companies that offers a wide range of personalized banking, financial, insurance and consumer credit solutions through its member companies, uses CA Identity and Access Management solutions to manage extranet and intranet authentication. They’ve been able to improve reliability, make their resources easier to use, and increase user satisfaction and productivity. They’ve also drastically reduced the number of calls to their help desk, enabling their employees to focus on other business critical issues.

In healthcare, Franciscan Missionaries of Our Lady Health Systems is using CA’s IAM solutions to streamline and standardize the process of managing users and automating key identity processes. And Hartford Hospital, one of the largest medical centers in New England, is using CA Integrated Threat Management r8 to reduce operational costs by more than 10 percent while protecting their critical systems. Instead of needing multiple solutions and several technicians to combat viruses and spyware, a single staff member manages its entire 5000+ user network.

SecuritySolutionsWatch.com: What about the US Government market? Without giving away any trade secrets or confidential information, can you give us an overview of CA’s involvement with DISA?

Toby Weiss: As you can imagine, governments around the world are particularly sensitive about disclosing their security practices. However, last year CA announced it is working with the Defense Information System Agency, which provides IT services to the nation’s war fighters, to provide our eTrust PestPatrol AntiSpyware throughout the Department of Defense. This is part of the agency’s Spyware Detection, Eradication and Protection Initiative. Some four million active military personnel received our AntiSpyware product for free to download on their personal PCs.

This is just one example of CA’s work in the federal Government. More than 95 percent of U.S. federal agencies use our software including the Federal Aviation Administration (FAA), Patrick Air Force Base and Walter Reed Army Medical Center to name just a few.

SecuritySolutionsWatch.com: What about a success story at the State Government level?

Toby Weiss: Our products are also widely used in state and local governments. One example is the City of Austin. The city was planning to provide the public with direct, online access to information and needed a solution that provided granular separation of data. For some data, confidentiality was essential. For other data, such as emergency medical services, accessibility was more essential. The City selected our z/series Identity and Access Management to protect confidential data while still allowing the public access to what they need. They have had great success with this initiative.

SecuritySolutionsWatch.com: Any International projects you care to mention – the Torino Olympics perhaps?

Toby Weiss: Atos-Origin, the Worldwide Information Technology (IT) partner for the Olympic Games, successfully leveraged CA’s Security Information Management solutions at the Torino 2006 Olympic Winter Games to help ensure the integrity of data within the protected perimeter, including thousands of individual athletes’ results across hundreds of events.

eTrust Security Command Center and eTrust Vulnerability Manager were implemented at the Athens 2004 Summer Olympics and again at the Torino 2006 Winter Games as part of Atos-Origin’s centralized, real-time security monitoring and vulnerability assessment services.

SecuritySolutionsWatch.com: We know that various Government mandates such as the Health Insurance Portability and Accountability Act (HIPAA) and Homeland Security Policy Directive 12 (HSPD12), and Sarbanes Oxley among others, are market drivers for security solutions. Please tell us about these Government mandates. What’s your perspective on other market drivers right now for CA solutions.

Toby Weiss: Compliance efforts are now boardroom discussions with CIOs and CSOs, who need to mitigate risks while reducing costs.

The key requirement of virtually all security-related regulations involves the creation of strong internal controls and the ability to report on these controls. This means that all users must be uniquely identified, access to protected resources must be tightly controlled, and access to these resources must be based on a defined security policy. In addition, all access and security events must be easily and fully auditable. These requirements are at the heart of regulatory compliance, and are precisely the capabilities that an integrated identity and access management platform can provide.

SecuritySolutionsWatch.com: “Phishing” threats are becoming more sophisticated yet many end-users are still unaware of how “Phishing” can lead directly to identity theft or damage a company’s brand. Please tell our audience about “Phishing” and what individuals and enterprises can do to protect themselves.

Toby Weiss: You’re absolutely right. Phishing is really a symptom of a crime, not the crime itself. Like a carpenter using a hammer, identity thieves use phishing. It's not a single technique but a collection of techniques to dupe innocent Internet users into giving up what they shouldn't. You could say that phishers are glorified conmen hiding behind an Internet server, email and fake services.

We offer anti-spam tools to help flag suspicious emails, Web sites and the like and prevent consumers and business people from being victimized. But the best defense is to be aware of what’s out there not to be lulled into a false sense of security. A few rules to keep in mind are-don't respond to requests to log into accounts from emails, don't give up your username, password and or "PII" (Personally Identifiable Information), such as your Social Security number.

SecuritySolutionsWatch.com: Toby, we’re aware of CA’s strategic relationship with Deloitte & Touche. May we have an overview?

Toby Weiss: We have partnerships with many large systems integrators who are excellent at helping customers derive the maximum benefits from our management solutions to help them resolve their business problems. Deloitte is one example of such a partnership, and they have some of the industry’s most talented people. They can help organizations use technology for competitive advantage and develop best practices for an accelerated return on investment. In particular, we work closely with them in the Identity and Access Management space. Together, we offer a holistic IAM solution encompassing automated user provisioning, access management, single sign-on, and directory services.


SecuritySolutionsWatch.com: Please tell us about CA’s involvement with the Cyber Security Industry Alliance.

Toby Weiss: CA is a founding member of the CSIA, which is an advocacy group based in Washington, DC, that was formed to enhance cyber security through public policy initiatives, public sector partnerships, corporate outreach, academic programs, alignment behind emerging industry technology standards and public education. CA is actively involved with the CSIA in helping ensure that the public and private sectors work closely to achieve sophistication with respect to both technology and functional coordination. One of the CSIA’s recent initiatives has been petitioning Congress for data breach legislation.

SecuritySolutionsWatch.com: What resources such as case studies, webinars, and white papers, are available at www.CA.com for end-users?

Toby Weiss: When users visit CA.com they have immediate access to CA's Security Advisor team that researches and responds to global threats via a network of rapid response centers around the world, delivering the most comprehensive validated virus and vulnerability databases in the industry; clean-up utilities, detection signature files and remediation instructions for threats; and documentation on complete threat protection. The Security Advisor website has daily threat level monitoring and a listing of the latest threats. The website is http://ca.com/securityadvisor. Security Webinars, podcasts, case studies, whitepapers, analyst information and even an ROI calculator that enables users to figure out their Return on Investment with CA Security Management Solutions can all be found under the Security Management page: www3.ca.com/Solutions


SecuritySolutionsWatch.com: Any particular product awards or press mentions you’d like to tell our audience about?

Toby Weiss: Yes, I think it is important to note that several independent leading analyst firms have recognized CA as a market leader in all the security management areas we focus on. IDC, for example has named CA the worldwide market leader in Identity and Access Management (IAM) software for five consecutive years. And Gartner has recognized CA as leading the market in Security Information and Event Management. Our eTrust Security Command Center, which helps organizations manage and respond to security events across the enterprise, has been positioned in the "Leaders" quadrant in Gartner, Inc.'s Security Information and Event Management Magic Quadrant for the first half of 2006. In addition, our anti-spyware and antivirus solutions have been awarded Checkmark certifications by West Coast Labs and have been rated highly by publications like eWeek and InfoWorld.

SecuritySolutionsWatch.com: Thank you very much for your time today, Toby. Is there any other subject you would like to talk about?

Toby Weiss: I’d like to thank you too and just add that CA’s decades of experience in solving complicated IT problems with our IT management software serves more than 98% of Fortune 1000 companies, as well as government entities, educational institutions and thousands of other companies around the world today. Security is such a critical part of all these entities and in fact, everything we do, that I think it would be remiss of me to not remind everyone that security depends on an ongoing set of processes and practices that must be embedded into the daily operations of any organization and reviewed regularly. We all need to make sure that no one treats security as something you buy and install, but rather something you do and make a way of life.