When Ron Moritz agreed to head up Computer Associates International's (CA's) newly reorganized eTrust security products unit, he knew he was taking on a big job. Although CA is well known for its Unicenter systems management product, its profile in the security market was considerably lower.
Nevertheless, CA's years of ravenous acquisition left a wealth of security products in its portfolio, ranging from desktop antivirus software right through to security products for mainframes.
The problem was that there was no consistent message or plan tying its various offerings together.
As in other areas of its business, CA also suffered from a reputation for an opaque customer service organization and a customer base frustrated by CA's predilection for long-term and inflexible licensing arrangements.
Since taking over as CA's Senior Vice President & Chief Security Strategist in September 2002, Moritz has steered the company's security business towards simplification, grouping its hodgepodge of products into three core areas: identity management, access management and threat management, and realigning development efforts to meet customer demands.
Under Moritz's leadership, the company also began work on the eTrust Security Command Center, a centralized console that would let administrators manage heterogeneous products across their network. CA announced the product in September, 2002, and unveiled it Tuesday at this week's CA World Conference in Las Vegas.
A security industry veteran, Moritz worked at Israeli security software vendor Finjan Software Ltd. and served as a vice president and CTO of CA rival Symantec. Immediately before joining CA, Moritz ran his own security consulting company, Moritz Technology Corp.
In this edited interview, Moritz talks about the challenges of building CA's security business over the past year, and about why he thinks CA is well positioned to play with the big boys when it comes to security.
Q: What have been the biggest challenges since you came on board at CA?
Ron Moritz: One of the most obvious challenges was that, more than any company I've ever been involved with, CA is an engineering-driven organization.
On the one hand, it's marvellous to see -- watching engineers rise to a challenge and solve problems is marvellous, and if you scratch the surface of Ron Moritz, you'll find an engineer.
But you need a market relationship to what you're selling and you have to understand what your customer needs.
What I saw immediately (at CA) was that we needed to create a better bridge in security between the technology we were developing -- including our skunkworks projects -- and customer needs.
It was a classic case of having a lot of bright engineers thinking about problems in security and driving solutions forward, but not necessarily speaking with customers and the marketplace and getting a good understanding of what the market was asking us to do.
So a key challenge was finding the type of people who could do that -- who can talk to the customer and understand what they're looking for, then translate those requirements back to the engineering department so they can be focused on solving those problems rather than solving cool and neat problems that the market doesn't want.
For example, (at this week's CA World conference in Las Vegas) we're going to launch the idea of vulnerability management. I now have somebody who can stand up on stage and say 'I own this product' -- somebody who will get rewards for a successful product and, if not, take ownership and take hits.
Q: You recently announced a deal to market a new security appliance...
R.M.: Right, with SteelCloud (Inc.). [See "CA, SteelCloud partner for new security appliance," June 24.] And don't expect that to be the last. It's an important strategy. There's been a lot of discussion within the industry about security appliances and we're supportive of that.
But at the same time, we understand that CA's strength is as a software company and not a hardware company. Don't expect to see hardware engineers -- ASIC (Application Specific Integrated Circuit) developers -- walking around wearing CA badges. We want to have relationships with companies that understand hardware and know how to move software onto hardware platforms.
We want to partner with the SteelClouds of the world and with vendors who will be aggressive about taking that hardware and placing it in enterprises.
Q: Where do you see the IT security market heading?
R.M.: I think that in the mid-1990s you had an inflection point in the security industry. You had the acceleration of the Internet and the introduction of baseline security solutions such as firewalls and so on. It was an emerging market with a lot of point solutions, "best of breed" technologies and a lot of entrepreneurs coming forward. And that's how the security industry was driven from 1995 until 2002.
Then in the beginning of 2002, I think you had another inflection point where you had three major technology companies focusing on the security issue. That expressed itself at Microsoft with Bill Gates' Trustworthy Computing initiative. Then John Chambers at Cisco (Systems Inc.) said that security was going to be Cisco's next billion dollar business unit. Finally, (CA Chairman and CEO) Sanjay Kumar at CA World 2002 said that security would be a key driver for moving CA forward, so much so that he asked Russ Artzt to step up to the plate and take leadership of the (eTrust) business unit.
In the case of CA, our strategy is around identity management, access management and threat management. I think we've got a great opportunity to take advantage of the market for solutions in identity and access management, secure content management and secure information management. We've now got three product families, which is a nice morphing of the model created in September when we launched the new eTrust vision.
Q: CA has earmarked security as a key growth area. What are your plans in this area over the next year?
R.M.: In the vulnerability management space, we'll be talking about an appliance relationship with Dell Computer Corp. Dell manufactures a blade appliance that will be running CA's vulnerability management software.
What we're trying to do is relate the vulnerabilities that are out there to a common language, translating them into English so the people who interact with the system can understand what's going on -- can understand when there's a vulnerability on (Microsoft Corp.'s) IIS (Web server) or the Windows XP or Windows 2000 operating system, know exactly where those machines are, and tie it into a ticketing system.
We know that the guys monitoring the network are not necessarily the guys who can touch and change configurations and policy. You have geographically dispersed enterprises with security guys in Idaho and offices in Paris or Tokyo. They're receiving information about a new vulnerability and they need to know 'Where on the network are we at risk?' It must be visualized.
The strength of CA with Unicenter, when applied to security management, is the understanding of what assets are out there and what applications are running on those assets. We've got a better understanding and visualization and can prioritize the preventative actions and remediation we need to take.
Management issues traditionally have not been applied to security. Those who practiced in the space have traditionally been treated like craftspeople -- artisans. Maybe the (security) manager didn't have a strong understanding of what people were doing. This system is more holistic. Managers are able to understand what's in the system and which people are responsible, then make sure the systems are properly managed in compliance with a company's regulations or business rules.
This is exactly what we are hearing from customers. The challenge has been put forward by industry. CA is happy to step forward and say 'Here's how it's done.'
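The workflow Moritz describes above (advisory, to the assets actually running the affected software, to a ticket for the team that can touch those machines, prioritized by what is exposed where) as an added Python example. This is not CA's eTrust code and nothing on the page describes its implementation; the hosts, sites, owner teams, advisory IDs, severities and "fixed in" thresholds below are constructed for illustration. The one real detail is the version numbering: Windows 2000 is NT kernel 5.0 and ships IIS 5.0, Windows XP is NT 5.1 and ships IIS 5.1.

```python
"""Added example (not CA's eTrust code): join a vulnerability feed against an asset
inventory, answer "where on the network are we at risk?", and turn the result into
prioritized, per-team tickets. Every host, site, owner, advisory ID, severity and
fixed-in version below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    hostname: str
    site: str                   # where the machine physically sits
    owner: str                  # team that is allowed to change its configuration
    software: Dict[str, str]    # product -> installed version
    exposed: bool               # reachable from the Internet


@dataclass(frozen=True)
class Advisory:
    advisory_id: str            # hypothetical identifier, not a real advisory
    product: str
    fixed_in: str               # every version below this is affected
    severity: int               # 1 (low) .. 10 (critical)
    summary: str                # plain-English description for the operator


def version_tuple(version: str) -> Tuple[int, ...]:
    """Parse '5.10' -> (5, 10) so comparison is numeric, not lexical ('5.10' > '5.9')."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    return version_tuple(installed) < version_tuple(fixed_in)


# Constructed inventory. NT kernel 5.0 is Windows 2000 (ships IIS 5.0), 5.1 is XP (IIS 5.1).
ASSETS: List[Asset] = [
    Asset("web-par-01", "Paris", "web-team-emea", {"IIS": "5.0", "Windows": "5.0"}, True),
    Asset("web-tok-02", "Tokyo", "web-team-apac", {"IIS": "5.1", "Windows": "5.1"}, True),
    Asset("fs-boi-01", "Boise", "infra-us", {"Windows": "5.0"}, False),
    Asset("db-par-03", "Paris", "db-team-emea", {"Windows": "5.0", "SQLServer": "8.0"}, False),
]

# Constructed advisories; IDs, thresholds and severities are invented for the example.
ADVISORIES: List[Advisory] = [
    Advisory("ADV-0001", "IIS", "6.0", 9, "web server remote code execution (constructed)"),
    Advisory("ADV-0002", "Windows", "5.1", 6, "local privilege escalation (constructed)"),
    Advisory("ADV-0003", "SQLServer", "8.1", 7, "database authentication bypass (constructed)"),
]


def match_advisories(assets, advisories) -> List[Tuple[Asset, Advisory]]:
    """Every (asset, advisory) pair where the asset runs an affected version of the product."""
    findings = []
    for asset in assets:
        for adv in advisories:
            installed = asset.software.get(adv.product)
            if installed is not None and is_affected(installed, adv.fixed_in):
                findings.append((asset, adv))
    return findings


def risk_score(asset: Asset, adv: Advisory) -> int:
    """Deliberately simple and explainable: severity, doubled when the host is Internet-facing."""
    return adv.severity * (2 if asset.exposed else 1)


def where_at_risk(assets, advisories, advisory_id: str) -> Dict[str, List[str]]:
    """'Where on the network are we at risk?' for one advisory: site -> affected hostnames."""
    wanted = [a for a in advisories if a.advisory_id == advisory_id]
    by_site: Dict[str, List[str]] = {}
    for asset, _ in match_advisories(assets, wanted):
        by_site.setdefault(asset.site, []).append(asset.hostname)
    return by_site


def build_tickets(findings) -> List[dict]:
    """One ticket per (site, owner) so it lands with the team that can actually touch the
    boxes; items inside a ticket sorted by risk, tickets sorted by their worst item."""
    tickets: Dict[Tuple[str, str], dict] = {}
    for asset, adv in findings:
        ticket = tickets.setdefault((asset.site, asset.owner),
                                    {"site": asset.site, "owner": asset.owner, "items": []})
        ticket["items"].append({
            "host": asset.hostname,
            "advisory": adv.advisory_id,
            "score": risk_score(asset, adv),
            "text": f"{adv.product} {asset.software[adv.product]} on {asset.hostname}: "
                    f"{adv.summary}; fixed in {adv.product} {adv.fixed_in}",
        })
    for ticket in tickets.values():
        ticket["items"].sort(key=lambda item: item["score"], reverse=True)
        ticket["priority"] = ticket["items"][0]["score"]
    return sorted(tickets.values(), key=lambda t: t["priority"], reverse=True)


if __name__ == "__main__":
    for ticket in build_tickets(match_advisories(ASSETS, ADVISORIES)):
        print(f"[P{ticket['priority']:02d}] {ticket['site']} / {ticket['owner']}")
        for item in ticket["items"]:
            print(f"    {item['advisory']} score={item['score']:2d} {item['text']}")
```

The point of the structure is the join: an advisory feed on its own only tells the monitoring team that "IIS below 6.0" is bad, while the inventory is what turns that into "web-par-01 in Paris, owned by web-team-emea, Internet-facing". The numeric version compare matters in practice because a string compare would call "5.10" older than "5.9" and silently miss or mis-flag hosts.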
Q: What is CA's unique value in this area?
R.M.: As you interact with CSOs and CIOs, there is a keen message that all our customers deliver to us today. They would prefer to buy secure software over security software. There's a subtle language difference there. They don't have confidence any longer in niche solutions. Look at the way the software is engineered and delivered from most companies. They don't have confidence that it is engineered to do what it's supposed to do. At CA, we have 1.5 QA (quality assurance) engineers for every one software developer, compared with one QA engineer to every five software engineers at smaller companies.
So if the marketplace between 1995 and 2002 was about best of breed companies, and we're looking forward to companies like Cisco, CA and Microsoft, customers will be thinking about the quality of products that come out of these companies. CA is the only company that's ISO 9001 and 9002 certified. Quality is in our engineering and software development methodologies. The idea of quality is culturally part of CA's thinking.
Q: But security still accounts for just a small slice of CA's business. Do you see that changing?
R.M.: Security is 11 percent of CA's business. It's an area that has to grow and will grow for CA, but you won't catch me making predictions about what percentage of the business it will be. If you look at Unicenter, it's 40 percent of our business, about US$1 billion.
Does eTrust have the ability to become 40 percent of CA's business? I don't know, because we expect Unicenter to grow as well. But in the spending environment that we're in, there's the possibility that security has a greater opportunity to grow than other technologies.
Q: You've said that CSOs need to take a more important role in corporations - be the point people for integrated, enterprise-wide security. Could you explain that vision?
R.M.: Part of it is the idea that security is moving from a containment model. Ten years ago, if you asked a corporate security officer "Should I engage users in our information processes?," the answer would have been "No way." Security has to be in a glass tower. Employees now access information and security is becoming everybody's business. Also, because of September 11, 2001, there's the specific idea that cybersecurity and physical security systems are converging. You have cyber and CIOs and physical security guys who do badge systems. Culturally, those are different areas.
My crystal ball prediction is that the CSO position will go the same way as the top human resources executive a decade ago. Back then, most organizations operated without top human resources executives sitting at the CEO's table; now they do. In ten years, you will see most security executives, with ownership of business security, physical security, continuity and cybersecurity, sitting at the CEO's table. It will be driven by regulations and new responsibilities, and by the CEO getting engaged. Security is not just about blocking but also about accountability and business enablement.