Analysis and Commentary, Mergers and Acquisitions

Archer and EMC: More To The Story

4 Comments 07 January 2010

A number of people have wondered why we have been silent on EMC’s intent to purchase Archer Technologies. Well, we’ve been waiting to see what kind of vector this story would develop over the coming days. Having followed Jon Darbyshire and Archer since the beginning, we wanted to take the time to look past the press releases and dig a little deeper into how this acquisition might play out for all parties involved, and specifically, what Bain Capital Ventures’ involvement may spell for the future.

A Timeline of Events

Back in early 2005, Bain Capital Ventures and Castile Ventures joined existing investors in an oversubscribed C round for Network Intelligence. The $12 million injection brought the total invested up to the $25 million mark. As part of the deal, Bain’s Benjamin Nye joined the board. Just over a year later, in June of 2006, EMC announces a definitive agreement to buy RSA for around $2 billion, which RSA shareholders approve on September 14, 2006. Two days later, on September 16th, EMC announces (in the same press release!) that they had a definitive agreement to purchase Network Intelligence and expected to close in the next 2 days.

Fast forward a year and we find Ben Nye taking another board seat, this time at Rapid7, after Bain Capital Ventures tosses them $7 million in growth funding on September 17th. Ben Holzman, also of BCV, joined the board as well. On September 8th, Jon Darbyshire also secures a place at the big boy’s table. A month later, in what appears to be a growing trend for open source security tools, Rapid7 swoops in and buys Metasploit, effectively underwriting its continued development.

By the second week of November we see Bain Capital Ventures form a “strategic partnership” with Archer Technologies which includes an estimated $29 million infusion (we’ve heard numbers as high as $42 million), netting them a 40% stake in the Overland Park, KS firm. As part of the deal, Ben Nye secures a seat on Archer’s board. Shortly after the ink on the deal dries, Archer announces that they are taking out ailing PwC spin-off and GRC player Brabeion at a fire sale price (around the $10 million invested by Longworth and Fairhaven), closing the deal on January 22nd, 2009. This deal is largely seen as a content play by Archer to roll Brabeion’s ESAS-based controls library into the SmartSuite Framework. Brabeion CEO Julian Waits, along with about 25% of his employees, joins Archer. Interestingly, Yo Delmar, Brabeion’s CMO, doesn’t take the bait and moves on to EMC within a few months as their Director of Strategic Offer Marketing.

By the end of the quarter, Archer announces that Rapid7 has joined as an integration partner, further deepening the ties between the two organizations. At around the same time, Network Frontiers and Archer announce the integration of the Unified Compliance Framework into the SmartSuite Framework, which leads us to question Archer’s content strategy as they are still struggling to choke down the 6000+ controls they inherited in the Brabeion deal.

By May of 2009, EMC has announced the purchase of Configuresoft. Configuresoft had hitched their wagon to the virtualization engine prior to the acquisition, a smart move as traditional configuration management vendors began to follow suit. Configuresoft was then folded into the Resource Management Software Group at EMC, quite a distance from the RSA side of the house, firmly ensconcing the products in the management, not security and compliance, side of the business.

We are still nursing a hangover from the 2010 New Year when we see EMC’s announcement to buy Archer. While we knew that this was brewing for a while, we thought the hurdles that EMC had placed in front of Archer would cause the deal to drag out a bit longer. Rumor has it that the deal was supposed to be announced and closed prior to the 2009 year end. Obviously, this is one of the facets of the deal that points to the “definitive agreement to acquire” as opposed to an outright acquisition announcement, but that is a press relations tactic employed by EMC regularly, so it is of little insight on its own.

What Does All of This Mean?

We think that EMC/RSA might have difficulty with this acquisition. By placing the Configuresoft product line where they did, we think the silos in a company of their size will make any hope of integration between those products and the Archer SmartSuite Framework more difficult, if not impossible (despite what Chuck Hollis says). This is further exacerbated by the existing relationships that Archer has with security configuration (nCircle and NetIQ) and vulnerability scanning vendors (Qualys and Rapid7 to name just a couple) where integration has already happened.

The ITGRC space has seen its fair share of acquisitions that bring together state-based security and IT GRC reporting, much as we have seen the SIEM market do with event-based security. We saw McAfee pick up Preventsys (R.I.P.), an integration partner of Foundstone’s when they closed that deal, and we have watched Symantec’s Control Compliance Suite do a reasonable job of making good on their BindView acquisition. Most recently, we watched Lumension climb up the stack by acquiring Dallas-based Security Works to layer onto their vulnerability and endpoint solutions.

Another contributing factor in the hot mess of post-acquisition integration is around Documentum. A number of large organizations are still storing audit testing and controls information in document-centric systems such as SharePoint or even the purpose-built solutions such as those from Paisley (now Thomson Reuters) and OpenPages (built on PwC’s Internal Controls Workbench), which have historically shown little to no integration with compliance automation products.

Considering the deep involvement of Bain Capital Ventures in this deal, along with the cross-pollination of board seats and personal/professional history among the players, it would come as no surprise to see RSA pick up Rapid7 in a wired deal to accelerate the automation of state-based device compliance reporting while they figure out the rest of the integration story.

We also agree with the guys over at Rook that this might mark a bit of a thaw in security deals. The price tag (rumored to be anywhere from $120 million to $225 million) has woken the sleeping VC giants, which have started sniffing around this space for interesting start-ups to fund. Specifically, Thomas Weisel Venture Partners, who has a good bit wrapped up in BigFix, could arrange a marriage with an up-and-coming IT GRC player or maybe even an established one such as Agiliance, who already has an integration story. Speaking of Agiliance, with their partnership with McAfee, and McAfee’s churn around IT GRC, we think that their integration story holds some weight in the context of state-based security and compliance management and could be picked up fairly easily. A start-up in the space that bears mention is LockPath. Founded by two early members of the Archer team, Chris Caldwell and Chris Goodwin have deep experience in this market and were recently named Microsoft Start-up of the Day.

From the client side of the equation, you can rest assured that this has put a chilling effect on the burgeoning integration Symantec was working on, whereby they were pumping CCS data into the Archer SmartSuite Platform, bypassing their own dashboard. We also think that Archer’s fragmented content strategy will create some issues as RSA figures out how and what to pile into the platform, which could drive some simplification in the long term but some pain in the here and now.

Your Comments

4 Comments so far

  1. J.Thompson says:

    Brandon, just saw the pingback. What I hope happens is that this deal does go through as anticipated and that more attention is paid to the next players who should be picked up.

    In particular, I see Agiliance as the best positioned as they have the most metric oriented platform. I believe that as CFOs begin to further scrutinize the “get us compliant at all costs” mantra that was prevalent after SOX (and again right after PCI v1) they will begin to REQUIRE that compliance and security be held to the same requirements as other business units.

    The CXO with the best platform for mapping to business & financial metrics will be the most successful in that effort.

  2. Ed King says:

    Brandon,

    Very nicely written analysis. Most interesting analysis I have seen so far on this acquisition from anybody, and trust me, I read all of them :) We at Agiliance see this as a great event. It validates the IT GRC industry. When you take a look at this investment from EMC and the great year Agiliance had in 2009 and the strength of our pipeline into 2010, we think maybe 2010 is the year when IT GRC market really turns the corner and takes off. We also expect to see more consolidations this year. In addition to just more IT GRC companies being picked up by the larger software houses, you may see also eGRC and IT GRC pureplay vendors getting together to offer true enterprise wide GRC solution portfolios. Thanks again for the great analysis. Happy New Year!

    Ed King and the Agiliance team

  3. This is a very interesting analysis of the acquisition. You bring up a few points that we had not contemplated, but as former Archer guys, there are a few comments we would like to add.

    Archer is a very unique company for a number of reasons. Based in Kansas City, it is very much a Midwestern company, with Midwestern ideals and values. Prior to working at Archer, neither of us had ever seen a company that was more obsessed with customer satisfaction, delivery, and participation. Archer customers are highly involved with product development and are given several avenues to interact and contribute to the company. The customers are almost as much a part of the Archer family as the employees.

    So how is that going to continue under the EMC umbrella? It will be very interesting to see if the culture of Archer is carried forward or if EMC/RSA will destroy the thing that makes Archer different. Adding resources and infrastructure means nothing to the customer, if the connection to people who truly care about their success is diluted.

    Also, thanks for mentioning our company in the same article with some of the current leaders in the GRC space. While we agree there is likely to be continued consolidation in the market, we believe there is going to be some un-anticipated disruption by some highly innovative companies over the next 12 to 18 months.

    Chris Caldwell and Chris Goodwin
    LockPath, Inc.

  4. Tim says:

    This is a remarkable accounting of the evolving ITGRC market. Very insightful.


© 2010 Brightfly, Inc.