It turns out regulation and government mandates aren’t always bad for business.
A generation of new software companies is emerging to serve businesses who need to comply with a skein of regulations put in place over the last decade to fight financial and accounting fraud, prevent database breaches, and generally make businesses more transparent and accountable. These software companies are offering big businesses more efficient ways to keep track of governance, risk management, and compliance—a set of mandates that’s come to be known as “GRC.”
Boston is home to a major cluster of GRC companies, with names like eIQ Networks, Lumigent, and OpenPages leading the list. But Hopkinton, MA-based EMC, one of the leaders in data storage, has decided to reach well beyond the local area—all the way to Overland Park, KS, in fact—to acquire enterprise GRC specialist Archer Technologies.
The acquisition, which was announced Monday and is expected to be completed before April, will turn privately owned Archer into a part of RSA, EMC’s security division. It’s a sensible pairing, since many of RSA’s products, such as technologies for authenticating computer network users and documenting security incidents, generate reams of reporting data that Archer’s metrics, analytics, and documentation software can make more comprehensible.
Many customers use both companies’ systems, and the software will presumably now be integrated in a way that makes it unnecessary to, for example, manually cut and paste information from RSA’s enVision, a security log management system, into Archer applications. Todd Graham, a senior technologist in the office of the chief technology officer at RSA, cited this practice in a blog post Monday explaining how the Archer acquisition will help RSA customers.
According to Graham’s post, the Archer acquisition is the outcome of a two-year effort within RSA to define how the division should help customers manage their IT-related GRC needs—everything from defining policies for dealing with hacker attacks to tracking how computer passwords are issued and revoked to demonstrating compliance with privacy and accounting regulations. RSA apparently concluded that Archer’s tools for documenting company policies, tracking incidents, and the like—which are already used by one-fourth of the Fortune 100 companies—are better than anything EMC has built internally. And when EMC lacks a technology in-house, it’s well known for its willingness to acquire it.
The fact that Archer is landing inside RSA, rather than some other part of EMC, brings more clarity to EMC’s overall GRC strategy. Back in June, when I asked RSA president Art Coviello whether he viewed GRC software as an important market for EMC, he sounded somewhat dismissive of the category. “It’s a big, amorphous term that could mean anything to anyone,” he said. “You could stick a ham sandwich under the umbrella of GRC.”
It was so amorphous, in fact, that different divisions of EMC were vying to be known as the company’s main providers of GRC software and services. “Even within EMC, you’ve got our resource management group saying, ‘We are the GRC of EMC,’ and you’ve got the content management and archiving group saying, ‘No, we’re the GRC of EMC,’” Coviello said.
Well, it turns out that RSA is going to be the GRC of EMC. Coviello hinted in that June interview that