Today's acquisition announcement of Archer Technologies is likely a harbinger of what we'll see from EMC during 2010 -- swift execution around strategic themes that we've already discussed.
The first order of business -- a hearty "welcome aboard" to Jon Darbyshire and his world-class team. We're proud and excited to have you as the latest member of the RSA and EMC family!
And, for everyone else, I'd like to share a bit of the story behind the story ...
It's All About (Enterprise) GRC
That's "governance, risk and compliance" if you're not familiar. Good GRC is primarily about having good process, which good technology can enable. In a nutshell, Archer provides the frameworks, the solutions and the services to help enterprises identify and manage different forms of risk.
If you're thinking "IT risk", you're only partially right. Archer's capabilities are designed to help enterprises manage all forms of enterprise risk -- and not just IT-related ones.
So, in one sense, enterprise GRC is a business application in the same sense as ERP or enterprise email or perhaps enterprise content management.
However, it's also fair to say that most business activities involve IT, so much of Archer's focus has to do with enterprise systems and information.
The Rationale(s) Of The Deal
First, if you're an industry watcher in general, and an EMC watcher in detail, some of the first-level synergies should be pretty easy to spot.
Enterprise GRC is a growing application market that has direct executive-level and board-level engagement. That's good, for starters. And I think most people can spot that RSA's existing assets in DLP (data loss prevention) and SEIM (security event information management via enVision) are highly complementary.
But there's more if you go looking.
For example, Ionix' ability to discover application and infrastructure relationships is a powerful asset in this space, not to mention our existing capabilities for IT GRC compliance which now complement a broader enterprise GRC discussion. There's a healthy synergy between Archer's solutions and EMC's traditional backup, recovery, archiving and business continuity capabilities. And, of course, EMC's Documentum portfolio is frequently used in multiple GRC-related contexts.
If you'd prefer to instead think in terms of industry themes, this acquisition is clearly an example of the increasing value of discovering and orchestrating things, rather than the things themselves.
But I think there's even a deeper strategic synergy ...
It's About (Private) Clouds ... Again
Ask any 10 large enterprise IT users as to why they won't use external service providers (e.g. cloud), and they'll usually talk about things like security, regulations, risks, compliance, etc. -- essentially, a GRC-related discussion.
And ask any 10 large service providers about their #1 obstacle to getting more business, and they'll inevitably cite the exact same customer concerns about security, regulations, risks, compliance, etc. -- the exact same GRC-related discussion.
The thinking is simple: without an enterprise GRC framework, there isn't likely going to be widespread adoption of cloud-based services by larger enterprises. Enterprise GRC frameworks will be an important enterprise cloud enabler.
As is security (RSA), management (Ionix), storage, and -- of course -- virtualization.
The Bottom Line
The good people at Archer can help make the case as to why enterprise GRC is an important topic, and why their framework-based approach is the best one.
Talk to EMC and RSA field people, and they can likely extend the picture even further, and show how Archer extends the value of other EMC capabilities, and how these other EMC capabilities make the Archer approach even more compelling than before.
And, if you talk to someone like me about it (or perhaps Yo Delmar) you'll find us taking the rather esoteric and controversial perspective that enterprise GRC will likely be mandatory in tomorrow's world of enterprise cloud computing.
Chuck, in general, I agree with your thinking regarding GRC; in particular, your definition of the GRC components is among the most concise I've encountered ("GRC Thinking From An IT Perspective," January 15, 2009) -- kudos to you for that.
But I'm not entirely aligned with you on the relationship of a GRC framework to the reluctance of large enterprise IT users to migrate to cloud computing. I submit that if you "ask any 10 large enterprise IT users as to why they won't use external service providers (e.g. cloud)," their primary concerns are security of their information -- a given -- and *integration* with their internal/legacy processes.
Any number of individual applications, processes, and component suites (e.g. ERP, CRM, etc.) can be and have been successfully replicated in external "managed services" models over the past 10+ years. But many large enterprises have invested an incredible amount of time, effort, and resources in "hooking things together" to serve their particular business needs. *That's* the stuff that's daunting when it comes to considering migrating to cloud computing -- i.e., how to unwind (or even understand) the years of "spaghetti code" and middleware connections that have been built up over time.
That said, do *I* think that EMC/RSA's acquisition of Archer makes sense? ABSOLUTELY! I've known Jon Darbyshire and his team for many years and led the implementation of Archer's framework for one of their earliest, largest, and longest customers. I, personally, encouraged Archer several years ago to expand from its earlier Information Security-centric model and incorporate GRC functions; because it was obvious that the outstanding work they had done with Policy Management, Risk Assessment, and other modules and their role-based access controls could be applied effectively to other operational risk domains (Vendor Management, BCP, etc.). And, in my view, Archer's Compliance Management and Audit Management modules are a master stroke of genius that puts them in a category by themselves as a GRC suite. Having the Archer product in your toolkit along with EMC/RSA's other products I see as a significant advantage -- both for you and for Archer's existing and future customers (for whom it effectively deflates the "but they're such a small company" argument). The most exciting element of this acquisition to me will be watching how the Archer platform becomes integrated with some of the other EMC/RSA apps. If you're ever in need of an experienced and forward-thinking Archer evangelist, give me a shout.
Posted by: Bill Ender | January 07, 2010 at 02:18 PM
Hi Bill -- good to hear from you!
We're both right -- there's plenty of interrelated spaghetti in most IT environments, and simply carving off free-standing pieces may not be practical, nor interesting for many.
However, as a counterexample, consider Microsoft Exchange -- not usually the case that it's as interwoven as many apps, so the "security, SLA, compliance" concerns get more play.
A similar rationale often comes into play when discussing self-service computing environments for knowledge workers. That stuff ain't entangled too much, so you get the red herring.
Glad to know that you're a big fan of Archer, and see the rationale of the deal. And, if you'd like to consider maybe exploring opportunities at EMC, well, we could talk about that!
Thanks so much for the detailed and thoughtful comment!
-- Chuck
Posted by: Chuck Hollis | January 07, 2010 at 03:32 PM
just kicking off an analysis looking at some related tools so i have pinged your AR folks about a demo and briefing. we nailed Compliance Oriented Architecture as a model in 2004 so it's great to see this stuff coming to pass. looks like a good acquisition....
http://redmonk.com/public/COA_final.pdf
James Governor, RedMonk aka @monkchips
Posted by: Monkchips | July 07, 2010 at 11:49 AM