EMC Makes Bold Move into ‘GRC’ Market With Archer Acquisition…But Is It the Last?

1/5/10

It turns out regulation and government mandates aren’t always bad for business.

A generation of new software companies is emerging to serve businesses that need to comply with a skein of regulations put in place over the last decade to fight financial and accounting fraud, prevent database breaches, and generally make businesses more transparent and accountable. These software companies are offering big businesses more efficient ways to keep track of governance, risk management, and compliance, a set of mandates that has come to be known as "GRC."

Boston is home to a major cluster of GRC companies, with names like eIQ Networks, Lumigent, and OpenPages leading the list. But Hopkinton, MA-based EMC, one of the leaders in data storage, has decided to reach well beyond the local area—all the way to Overland Park, KS, in fact—to acquire enterprise GRC specialist Archer Technologies.

The acquisition, which was announced Monday and is expected to be completed before April, will turn privately owned Archer into a part of RSA, EMC’s security division. It’s a sensible pairing, since many of RSA’s products, such as technologies for authenticating computer network users and documenting security incidents, generate reams of reporting data that Archer’s metrics, analytics, and documentation software can make more comprehensible.

Many customers use both companies' systems, and the software will presumably now be integrated in a way that makes it unnecessary to, for example, manually cut and paste information from RSA's enVision, a security log management system, into Archer applications. Todd Graham, a senior technologist in the office of the chief technology officer at RSA, cited this practice in a blog post Monday explaining how the Archer acquisition will help RSA customers.

According to Graham’s post, the Archer acquisition is the outcome of a two-year effort within RSA to define how the division should help customers manage their IT-related GRC needs—everything from defining policies for dealing with hacker attacks to tracking how computer passwords are issued and revoked to demonstrating compliance with privacy and accounting regulations. RSA apparently concluded that Archer’s tools for documenting company policies, tracking incidents, and the like—which are already used by one-fourth of the Fortune 100 companies—are better than anything EMC has built internally. And when EMC lacks a technology in-house, it’s well known for its willingness to acquire it.

The fact that Archer is landing inside RSA, rather than some other part of EMC, brings more clarity to EMC’s overall GRC strategy. Back in June, when I asked RSA president Art Coviello whether he viewed GRC software as an important market for EMC, he sounded somewhat dismissive of the category. “It’s a big, amorphous term that could mean anything to anyone,” he said. “You could stick a ham sandwich under the umbrella of GRC.”

It was so amorphous, in fact, that different divisions of EMC were vying to be known as the company’s main providers of GRC software and services. “Even within EMC, you’ve got our resource management group saying, ‘We are the GRC of EMC,’ and you’ve got the content management and archiving group saying, ‘No, we’re the GRC of EMC,’” Coviello said.

Well, it turns out that RSA is going to be the GRC of EMC. Coviello hinted in that June interview that “we have a unifying story that we are actually taking to market in the next quarter.” It’s likely that the Archer acquisition is part of what he was talking about.

But there may be more as well. Interestingly, Coviello stressed in the interview that he felt many companies stop with the C in GRC—merely demonstrating compliance with the letter of financial regulations like the Sarbanes-Oxley Act of 2002 or data privacy regulations that will go into effect in Massachusetts this spring, without adopting processes with real teeth that will actually prevent problems.

"As much as everyone hates regulation, they will take the regulations and say, 'Tick, tick, tick, I'm complying so I can ignore the governance and risk part,'" Coviello said then. "So that's why you get people who pass the PCI [payment card industry] audits and then wonder why they have breaches of their credit-card databases. That doesn't mean that the companies that focus on compliance and reporting aren't helpful, but that ought to be the means by which you prove out what you're doing on governance and risk."

In light of those remarks, it’s reasonable to wonder whether the Archer acquisition is just part of an even larger GRC strategy at RSA and EMC. After all, the focus of Archer’s technology is on compliance and reporting. It’s really about helping customers visualize what IT-related security policies they have in place, for example, and documenting that they’re being followed.

“You can’t manage what you can’t see,” Coviello said in today’s acquisition announcement. Archer’s technology, he said, “not only offers the visibility into risk and compliance that customers need,” but it helps them “better manage their security programs and prove compliance across both physical and virtual infrastructures.”

So if, as Coviello says, compliance and reporting software are simply the means by which companies demonstrate that they have responsible governance policies and risk management procedures in place, then there could be another chapter coming in the GRC story at EMC. The Archer deal could be the prelude, for example, to the introduction (or acquisition) of more technologies that help companies with the G and the R in GRC.

The financial terms of the Archer acquisition were not disclosed. EMC said that Archer will remain in Overland Park, a suburb of Kansas City.

Wade Roush is a contributing editor at Xconomy.