Enterprise Strategy Group | Getting to the bigger truth.TM

Briefs: EMC Buys Archer and Adds GRC to Integrated IT Management
Published on Wednesday, January 6th, 2010 at 3:05 pm
Categories: Briefs | Security Management | Security and Privacy
Authors: Jon Oltsik
In just the first week of a new year and a new decade, EMC announced its intent to acquire Archer Technologies, a leader in GRC software, with plans to integrate it into its RSA Security Division. By industry and even EMC standards, this deal was relatively small—but ESG believes it could have strategic implications. If EMC can integrate Archer software with its security and ITSM management systems, it could create a new management architecture just in time for the transition to virtual data centers and cloud computing.

Overview

With the new decade only five days old, EMC is already busy acquiring companies and expanding its business prospects.  EMC just announced its plans to purchase Archer Technologies, a privately-held provider of governance, risk, and compliance software located in Overland Park, Kansas.  Terms of the deal were not made public, but the rumor mill on Wall Street indicated that the price tag was somewhere in the neighborhood of $100 million.

While not exactly a high tech name brand, Archer is a small but recognized leader in the GRC management space with customers such as American Express, Bank of America, Northwest Airlines, and Procter & Gamble. What’s unique about Archer? Unlike its competitors’ canned solutions, Archer’s solution is based upon the Archer SmartSuite Framework, which offers common services for things like workflow, reports and dashboards, notifications, access control, etc. By providing a services foundation, the SmartSuite Framework enables rapid development of GRC applications customized to specific customer needs. Furthermore, customers can participate in the Archer community, share applications, and collaborate on best practices. Archer also offers professional services to help customers assess needs, align business and compliance goals, and build applications.

Upon completion of this deal, Archer will be rolled into EMC’s RSA Security division, reporting to CEO Art Coviello.

RSA and Archer:  The Additive Effect

Clearly, EMC/RSA gain a GRC software industry leader with Archer, but there is far more to this deal than meets the eye.   As Archer is amalgamated into the RSA division, the company can gain an incremental market advantage because:

  • Security and compliance remain top IT priorities. While the financial future is still a bit murky, enterprise organizations appear more bullish about IT spending in 2010 than they were in 2009.  According to recent ESG Research, 52% of organizations say that IT spending will increase in 2010 as opposed to 43% last year.[1] Interestingly, large organizations also believe that two of the top four business initiatives with the greatest impact on IT spending in 2010 will be security/risk management initiatives and regulatory compliance.  It is also noteworthy that the percentage of organizations citing these two areas increased from 2009 to 2010 (see Figure 1).   With its purchase of Archer, RSA becomes a market leader in each of these strategic and potentially lucrative areas.
  • Archer/RSA takes the company from security operations to the corner office. Large organizations are eschewing security point tools in favor of integrated risk management/compliance suites that span the entire enterprise.  With its leading authentication, encryption, DLP, and security management suites, RSA was already piecing together an enterprise-class security portfolio.  Add Archer to the stew, and RSA has all of the ingredients for an end-to-end GRC/security solution.  In this way, RSA can direct its sales people toward business managers and the CIO, not just the CISO and the security team.
Figure 1. Security/Risk Management and Regulatory Compliance Initiatives will Greatly Impact IT Spending

  • Archer + RSA = enterprise architecture. With Archer and enVision, RSA has analysis and reporting engines for both security and GRC.  Look for RSA to turn these products into a broader risk management architecture by anchoring both with a distributed log management infrastructure and adding further analysis capabilities for other IT and business activities.

These product and market synergies will give RSA a broad portfolio of products and services to build upon. The next logical step is to apply this foundation to specific vertical industry solutions. For example, RSA recently hired former US-CERT director Mischel Kwon to lead a professional services business unit focused on the public sector. With the Archer/RSA architecture, Kwon’s team can build value-added applications and services targeting Federal government agencies for cybersecurity initiatives like FISMA 2.0 or new NIST 800 series guidelines.

Finally, this acquisition will bring RSA instant street credibility as Archer CEO Jon Darbyshire joins its management team.  Darbyshire is a security and risk management veteran with past experience at companies like Ernst & Young, PWC, and as CISO of First Data Corp.  Like Kwon in the public sector, Darbyshire can help RSA gain GRC momentum in the financial services industry.

Beyond RSA:  The EMC Master Plan?

The acquisition of Archer was an absolute no-brainer as it brings immediate and expanded value to RSA.  That said, there may be an additional strategic plan for Archer past RSA.  As RSA builds and sells a security/compliance architecture in the future, it could create a growing bridge to several EMC lines-of-business because:

  • Remediating security and compliance issues demands IT service management automation. What happens when a security or compliance management system detects a problem? Oftentimes, this type of event triggers a number of manual processes where security, compliance, and IT operations teams exchange data, review CMDB activities, patch systems, or change configuration settings. By integrating Archer, RSA, and EMC Ionix, EMC could help automate these processes by instantly exchanging data for event detection, problem isolation, reporting, and even patch management. This could help nip compliance control problems in the bud or streamline CERT activities.
  • Archer, RSA, and EMC Ionix integration aligns with growing use of IT Management frameworks. According to ESG Research, many large enterprise organizations make use of or plan to use IT standards or best practices such as ITIL V2 and V3 (see Figure 2).  This plays to EMC’s strength with products like Ionix Service Management, which deliver ITIL compatibility in areas such as incident management, problem management, change management, and Service Level Management.  Tight integration between Archer, RSA, and Ionix should open product and services opportunities that start with security, compliance, and IT operations groups and then lead all the way to the CIO’s office.
Figure 2. Current and Planned Use of ITIL

  • Archer adds business continuity and disaster recovery management to EMC storage. EMC storage systems like CLARiiON and Symmetrix have long been BC/DR staples.  By adding Archer software for BC/DR planning and crisis management to its leading storage platforms, EMC can create new comprehensive BC/DR services, approach existing storage customers with Archer software capabilities, or push storage to Archer customers and channel partners.
  • EMC can use its piece parts to create an IT data warehouse. EMC is collecting IT data everywhere: SNMP alerts in Smarts, log data with enVision, configuration data with Ionix Service Manager CMDB, etc.  What if all of this data were somehow aggregated, normalized, and available for business and IT queries?  This type of IT data warehouse is certainly coming down the pike and EMC now has most of the technology piece parts to build it first and trump would-be competitors.

Given its global presence, marquee install base, and aggressive sales force, EMC should be able to find creative ways to build upon Archer, create a GRC/ITSM architecture, and develop new professional services. These opportunities will be especially pronounced over the next few years as large organizations consolidate data centers, build new Internet-facing applications, roll out virtual data centers, and explore cloud opportunities. If EMC adds virtualization/cloud intelligence to the Archer/RSA/EMC mix, it will be extremely well positioned to take advantage of these rapidly changing technologies and IT governance requirements.

The Bigger Truth

The Archer acquisition seems like a great move for both RSA and EMC.  In the short term, it balances the RSA portfolio with a GRC leader, helping to align its product portfolio with customer business requirements and make RSA an even more strategic vendor.  Over time, EMC will likely integrate its ITSM and other management products with the Archer/RSA security/compliance architecture, create an IT data warehouse, and automate IT processes to improve service management while lowering cost: a very attractive value proposition.

Could EMC fail?  Yes, if it fails to execute in several areas.  To avoid this trap, EMC should:

  • Communicate its roadmap. If, as ESG believes, EMC plans to create an Archer/RSA security/compliance architecture and then integrate Archer/RSA with EMC Ionix, it should articulate the scope and timing of this plan to the market as soon as possible. This demands that product groups come together and decide on the definitive messages, communications tools, sales strategies, and development schedules. Ultimately, the strategy should be communicated to executive IT and business managers so the story will need details, metrics, and plenty of polish.  By clearly presenting its plan, EMC can help customers, SIs, and cloud service providers plan their own investment and deployment strategies.
  • Lead with services. Security/compliance architectures, ITSM integration, and industry solutions may be too big for some organizations to swallow.   Rather than walk away, EMC should either create strategic business/IT services around these initiatives or partner with SIs like Accenture, CSC, and Unisys capable of doing so.
  • Remain open to third-parties. To maximize its market and industry opportunities, EMC should open its security/compliance/ITSM architecture to third-party partners and software developers.  In this way, EMC could establish itself as a next-generation IT management platform, not just a products and services company.

If EMC executes in these areas, it could make its acquisition money back by the end of 2011 and build several IT franchises in the process.


[1] Source: ESG Research Report, 2010 IT Spending Intentions Survey (report to be published in January 2010).
