A few years ago, CA had not centrally managed system of risk controls, no common view of governance for IT processes, and compliance costs were high. Clearly, this was not sustainable.
As a business, CA has some 2,755 controls that need monitoring on a daily basis. This places considerable demands on an IT department that is already supporting 27,000 PCs, 1,300 servers and four mainframes. Moreover, as CA rolls SAP out across its global operations, it also has to maintain two core business systems, as well as plan new projects that can help CA grow its main business.
"It is easy to upgrade a mainframe or add more storage. There is not a day that goes by when someone says that their application isn't running fast enough, or they are having a problem with their BlackBerry," says Dave Hansen, who has been CIO at CA for just over six months. "But aligning IT investment with business goals is the real challenge."
Day-to-day operational issues take up more of Hansen's time than he would like. But as "CA's best reference customer" he also has more incentive than most to keep a tight reign on IT management and governance, given the importance of these tools in CA's product line up.
"Managing risk and compliance is one of the largest areas CIOs are involved in, but often the CIO doesn't have the tools," explains Hansen. "And the CFO will be asking for this to be done, with a lower budget every year."
Repositioning the company
Key tools for CA's internal IT department include Clarity for risk and control management as well as IT project management, as well as Siteminder for identity and access management and Service Desk for incident management.
Today, CA runs over 600 business applications. As the company's IT systems have become more sophisticated, and complex, the number of infrastructure events has risen to over 1.8m "infrastructure events" each day: way more than an IT staff of 600 people could handle. Automation brings this number down to 3000 correlated critical events.
Of these, around 500 are solved automatically within five minutes; a further 1500 are escalated to support staff. Even where the automated systems can fix a fault, however, it is logged in the Service Desk system so that the IT department can work on ways to prevent failures in the future.
"Day-to-day IT management is something I simply have to do well," says Hansen. "Having tools to automate that is critical, as is having ITIL for standard processes around how we do things."
Automating key processes
"There is a value to spending money on investing in operations, in order to take costs out," he explains. "When it comes to non-discretionary, operational expenditure versus discretionary expenditure, we recognise that we need to invest more in our systems. Our budget is larger this year than last year."
CA has found, too, that bottom-line IT costs have risen, as a direct result of the company's efforts to drive top-line growth in the business. Acquisitions, for example, have brought with them more legacy applications, hardware and people. The central IT department is quick to wind down legacy mainframes, for example. And Hansen says there is little point in taking on additional hardware. "We do try to absorb the people, however," he says.
And EITM is a key tool to support the quick integration of acquired businesses, as well as for setting up new operations. "It can take time to move business processes on to SAP or to take over legacy systems, but for something like email we can integrate an acquisition in two or three days," explains Hansen. "We outsource activities, not people, and integral to that is providing EITM training to everyone in IT."
