Please join Brightfly’s Managing Director of Research, Brandon Dunlap, as he moderates the latest in (ISC)²‘s ThinkT@nk series: “State of Cybersecurity from the Federal CISOs-A New Perspective.” This one hour online roundtable, based on the findings of (ISC)²‘s latest survey of the Government CISO community promises to be an enlightening event.

The live webcast is being held Thursday, May 6th, 2010 at 12:00pm EST/9:00am PST, and includes the following security luminaries on the panel:

• Greg Garcia, President of Garcia Strategies, LLC
• W. Hord Tipton, Executive Director & member of the Board of Directors (ISC)²
• John N. Stewart, Vice President and Chief Security Officer, Cisco
• Michael Castagna, Vice President of Corporate Information Security, Sallie Mae

To learn more about this event and to register your attendance, just click the button below.

Related articles:

1. Brightfly Welcomes John Petruzzi
2. e-Symposium: Implementing a DLP Solution
3. (ISC)2 Secure Chicago 2010

Thankfully, via The Fraud Files Blog, Tracy has pointed us to a recent piece by Professor David Albrecht on how the push to IFRS is being driven by the Big 4 (and the lesser firms as well). His hypothesis is that since the only organizations embracing the move seem to be the large audit firms, and that they stand in  the best position to profit from the move, that it their greed that propels this change. He goes on to quote Arthur R. Wyatt’s analysis of Arthur Andersen’s implosion as one fueled by greed, and as a canary in the coal mine perhaps, for the future for this industry. A great read, and one that lays many of pieces out in the open for deeper inspection.

Thanks Tracy! Keep up the good work.

Related articles:

1. AICPA Comes out in Favor of IFRS
2. IFRS: The New Cash Cow
3. Grant Thornton Survey says CFOs don’t like IFRS

A Timeline of Events

Back in early 2005, Bain Capital Ventures and Castile Ventures joined existing investors in an oversubscribed C round for Network Intelligence. The $12 million injection brought the total invested up to the $25 million mark. As part of the deal, Bain’s Benjamin Nye joined the board. Just over a year later, in June of 2006, EMC announces a definitive agreement to buy RSA for around $2 billion, which RSA shareholders approve on September 14, 2006. Two days later, on September 16th, EMC announces (in the same press release!) that they had a definitive agreement to purchase Network Intelligence and expected to close in the next 2 days.

Fast forward a year and we find Ben Nye taking another board seat, this time at Rapid7, after Bain Capital Ventures tosses them $7 million in growth funding on September 17th. Ben Holzman, also of BCV, joined the board as well. On September 8th, Jon Darbyshire also secures a place at the big boy’s table. A month later, in a what appears to be a growing trend for open source security tools, Rapid7 swoops in and buys Metasploit, effectively underwriting its continued development.

By the second week of November we see Bain Capital Ventures form a “strategic partnership with Archer Technologies which includes an estimated $29 million infusion (we’ve heard numbers as high as $42 million), netting them a 40% stake in the Overland Park, KS firm. As part of the deal, Ben Nye secures a seat on Archer’s board. Shortly after the ink on the deal dries, Archer announces that they are taking out ailing  PwC spin-off and GRC player Brabeion at a fire sale price (around the $10 million invested by Longworth and Fairhaven), closing the deal on January 22nd, 2009. This deal is largely seen as a content play by Archer to roll Braebion’s ESAS-based controls library into the SmartSuite Framework. Braebion CEO Julian Waits, along with about 25% of his employees, joins Archer. Interestingly, Yo Delmar, Braebion’s CMO, doesn’t take the bait and moves on to EMC within a few months as their Director of Strategic Offer Marketing.

By the end of the quarter, Archer announces that Rapid7 has joined as an integration partner, further deepening the ties between the two organizations. At around the same time, Network Frontiers and Archer announce the integration of the Unified Compliance Framework into the SmartSuite Framework, which leads us to question Archer’s content strategy as they are still struggling to choke down the 6000+ controls they inherited in the Brabeion deal.

By May of 2009, EMC has announced the purchase of Configuresoft. Configuresoft had hitched their wagon to the virtualization engine prior to the acquisition,  a smart move as traditional configuration management vendors began to follow suit. Configuresoft was then folded into the Resource Management Software Group at EMC, quite a distance from the RSA side of the house, firmly ensconcing the products in the management, not security and compliance, side of the business.

Still nursing a hangover from the 2010 New Year and we see EMC’s announcement to buy Archer. While we knew that this was brewing for a while, we thought the hurdles that EMC had placed in front of Archer would cause the deal to drag out a bit longer. Rumor has it that the deal was supposed to be announced and closed prior to the 2009 year end. Obviously, this is one of the facets of the deal that points to the “definitive agreement to acquire” as opposed to an outright acquisition announcement but is a press relations tactic employed by EMC regularly so is of little insight on its own.

What Does All of This This Mean?

We think that EMC/RSA might have difficulty with this acquisition. By placing the Configuresoft product line where they did, we think the silos in a company of their size will make any hope of integration between those products and the Archer SmartSuite Framework more difficult, if not impossible (depiste what Chuck Hollis says). This is further exacerbated by the existing relationships that Archer has with security configuration (nCircle and NetIQ) and vulnerability scanning vendors (Qualys and rapid7 to name just a couple)  where integration has already happened.

The ITGRC space has seen it’s fair share of acquisitions that bring together state-based security and IT GRC reporting, much as we have seen the SEIM market do with event-based security. We saw McAfee pick-up Preventsys (R.I.P.), an integration partner of Foundstone’s when they closed that deal and we have watched Symantec’s Control Compliance Suite do a reasonable job of making good on their BindView acquisition. Most recently, we watched Lumension climb up the stack by acquiring Dallas-based Security Works to layer onto their vulnerability and endpoint solutions.

Another contributing factor in the hot mess of post-acquisition integration is around Documentum. A number of large organizations are still storing audit testing and controls information in document-centric systems such as SharePoint or even the purpose built solutions such as those from Paisley (now ThompsonReuters) and OpenPages (built on PwC’s Internal Controls Workbench) which have historically shown little to no integration with compliance automation products.

Considering the deep involvement of Bain Capital Ventures in this deal, along with the cross-pollination of board seats and personal/professional history among the players, it would come as no surprise to see RSA pick up Rapid7 in a wired deal to accelerate the automation of state-based device compliance reporting while they figure out the rest of the integration story.

We also agree with the guys over at Rook that this might mark a bit of a thaw in security deals. The  price tag (rumored to be anywhere from $120 million to $225 million) has woken the sleeping VC giants which have started sniffing around this space for interesting start-ups to fund. Specifically, Thomas Weisel Venture Partners, who has a good bit wrapped up in BigFix could arrange a marriage with an up-and-coming IT GRC player or maybe even an established one such as Agiliance who already has an integration story. Speaking of Agiliance, with their partnership with McAfee, and McAfee’s churn around IT GRC we think that their integration story holds some weight in the context of state-based security and compliance management and could be picked up fairly easily. A start-up in the space that bears mention is Lockpath. Founded by two early members of the Archer team, Chris Caldwell and Chris Goodwin have deep experience in this market and were recently named Microsoft Start-up of the Day.

From the client side of the equation, you rest assured that this has put a chilling effect on burgeoning integration Symantec was working on whereby they were pumping CCS data into the Archer SmartSuite Platform, bypassing their own dashboard. We also think that Archer’s fragmented content strategy will create some issues as RSA figures out how and what to pile into the platform which could drive some simplification in the long term but some pain in the here and now.

Related articles:

1. LogRhythm Takes Down $3million B Round
2. Choosing a Controls Framework – UK vs. US Perspective
3. WhiteHat Security Gets $7M 4th Round

What is particularly alarming about this whole affair (other than the openness of the mudslinging), is the size of the drop in OSTK’s value on Friday the 30th. Gapping up on Monday the 23rd and hitting a high that day of $16.37, it has since given up over $2.00 in two sharp drops. The first was in the early hours of trading on Tuesday (from $16.18 to $15.50), after Mr. Byrne’s press release hit the wires. Just before the markets closed for the Thanksgiving holiday, OSTK was at $15.30. However, on Friday, the 27th, it opened down at $14.42 and has continued to hover below $14.50 today. Black Friday will forever mean something else within the walls of Overstock.com I suspect. All of this, despite their marketing engine churning out multiple releases regarding holiday promotions.

Perhaps airing your audit issues so openly, and through press releases, should be reconsidered as a strategy.

Related articles:

1. Grant Thornton Survey says CFOs don’t like IFRS

Related articles:

1. 8th Annual Cornerstones of Trust Conference
2. Interview With Presensoft

Related articles:

1. The True Cost of Compliance
2. The Tao of Security or: How I learned to stop worrying and love GRC (part 2 of 2)
3. Choosing a Controls Framework – UK vs. US Perspective

Related articles:

1. Reducing Your Audit Tax Part 2
2. Reducing Your Audit Tax Part 3
3. Reducing Your Audit Tax Part 1

Related articles:

1. Reducing Your Audit Tax Part 4
2. Reducing Your Audit Tax Part 2
3. Reducing Your Audit Tax Part 1

Related articles:

1. Reducing Your Audit Tax Part 4
2. Reducing Your Audit Tax Part 3
3. Reducing Your Audit Tax Part 1

Related articles:

1. Reducing Your Audit Tax Part 2
2. Reducing Your Audit Tax Part 3
3. Reducing Your Audit Tax Part 4