Does CA have the Lead in Governance?

Nowadays, if you write about governance in IT, it’s best to define what you mean. There’s compliance, where organizations try to obey the regulatory diktats that they owe allegiance to under law. Such things depend on geography; IT is usually part of it all, and the primary motivation is to satisfy the powers that be, so that you do not risk legal action, fines, blackballing and the like.

Luckily, in most ways external IT compliance demands militate in favor of sensible internal IT governance. I believe this to be partly coincidental, but also a good thing, because IT governance has been a mess since Pontius was a Pilate. It got to be even more of a mess when the population of both clients and servers exploded in a big way, circa 2000. The reality is that few sites were equipped to “govern” IT:

  • from a people perspective – because of a lack of skills and organizational flexibility.
  • from a technology perspective – because of a lack of infrastructure management technology that worked well.
  • or from a process perspective – because of a lack of formal governance processes.

Internally, IT governance can be thought of as “the ability to implement sane and sound operational policies for IT”. It’s a top-down thing. Organizations would like to define policies in respect of change management, server management, IT security, etc. and be confident that they get implemented in an efficient and effective manner. Implementing them is a matter of getting the people, processes and technology firing on all cylinders – and right now, there are probably no IT sites that can do that. Even if they’ve got the people and processes part squared away – which would be rare indeed – there’s a whole set of technology pieces that need to fall into place.

The commercial contest in this area is between IBM, CA, BMC, Hewlett-Packard and new market entrants such as EMC, Microsoft, Oracle (and I suspect Symantec, given time).

So I was briefed by CA recently on its IT GRC solution. CA divides IT governance between aligning IT with the business (ITG) and compliance, either external or internal (IT GRC, where GRC stands for Governance, Risk and Compliance). CA has thus named its compliance product IT GRC. The product is an evolution of the Clarity product, which CA acquired in 2005.

This is what it does:

  • It identifies, categorizes, analyzes and prioritizes IT risks
  • It project manages IT GRC projects
  • It automates IT controls

In fact, it does what Clarity did before CA acquired it, plus CA has added much more instrumentation in the IT controls area, first catering for its own management products (Unicenter et al), but also enabling interfaces to other products. It has then logically linked these controls to a wide variety of regulations and standards (over 280, apparently).

Clearly, implementing IT GRC is not an over-the-weekend job. CA is partnering with the major management consultancies and SIs on this, as you’d expect, since they dominate the compliance market. However, consultancy is not needed because the technology itself requires much specialization. In areas where IT compliance requirements are well known, such as SOX, most of the implementation of IT GRC can be done in a fill-in-the-box manner. But there are usually organizational and process issues that have to be addressed in parallel with putting the technology in place, which is where consultancy can ease the pain.

In summary, these are the business benefits CA claims for IT GRC:

  • reduce total cost (or optimize IT investment returns)
  • manage and govern compliance activity (both for external and internal requirements)
  • streamline IT processes
  • reduce operational complexity
  • improve resource utilization
  • provide transparency and visibility (including an enterprise view for execs)

What interests me particularly about this product is that – as far as I can tell – it’s ahead of the field in addressing the increasing pains of compliance, and it also has a strategic edge to it. If you own the product at the top of the infrastructure management stack, everything else is a plug-in to your technology.

You’re sitting in the catbird seat.

  1. Anibal
    January 14th, 2008 at 05:01

    Review
