IT GRC company Archer Technologies LLC has acquired competitor Brabeion Software Corp. in a cash deal, underscoring analyst predictions of convergence in the governance, risk management and compliance (GRC) market.
To get security news and tips delivered to your inbox,
Archer said the prime drivers for the deal were Brabeion's rich content libraries of technical compliance baselines and controls, and its small but high-profile customer base, which includes several Fortune 500 companies, including American Airlines, Chevron, Citigroup Inc., Northwest Airlines Corp., McKesson Corp., DirecTV and Guardian Life Insurance.
Brabeion's content was originally developed for PriceWaterhouseCoopers' Enterprise Security Architecture System (ESAS) in 1998.
"We looked at the synergy, with more than 130 technical baselines, different levels of domain expertise linking policies and 30 industry standards," said Archer President and CEO Jon Darbyshire. "Bringing them together, we would have one of the most robust knowledge bases in the industry."
GRC Tools Help Manage Regulations: We look at three GRC products and the distinct ways these tools can help organizations navigate the complicated regulatory game.
Panel: IT governance, risk and compliance program helps reduce expenses: Panelists at the Symantec Vision 2008 conference said a well implemented IT governance, risk and compliance (GRC) program boosts revenue and cuts costs.
ESAS lead developer Steve Schlarman became Brabeion's chief compliance strategist and joins Archer as part of the deal to head its IT GRC product efforts. Brabeion president and CEO Julian Waits moves over as vice president of business development. Overland Park, Kan.-based Archer will maintain Brabeion's Reston, Va. Headquarters as its East Coast offices. Archer retained several sales representatives, sales engineers and two core developers. Ties with offshore developers were severed.
"Brabeion's content will be the almost immediate benefit to Archer customers while Brabeion customers will benefit from Archer's platform, which has a substantially larger set of capabilities," said Forrester Research analyst Chris McClean.
Darbyshire said that importing Brabeion's content into Archers SmartSuite Framework will be relatively straightforward. The libraries could be available to Archer customers as early as next week.
Brabeion's flagship product, Pathfinder, and second offering, Navigator, correspond to Archer's Policy Management and Risk Management products, respectively. Archer will support Brabeion's products until 2010. He said Brabeion's customers present a market opportunity for Archer's other products, all based on the SmartSuite Framework: Threat Management, Asset Management, Business Continuity, Incident Management, Vendor Management and Compliance Management.
However, analysts caution that Brabeion customers should be wary of higher maintenance costs, because Archer products are more expensive.
There were other suitors for Brabeion, but Archer was able to move swiftly by offering cash for Brabeion's assets rather than an equity deal, said Archer President and CEO Jon Darbyshire. Archer's gain is the competition's loss.
"They accomplished taking a competitor out who would have been a kick start for a much more substantial competitor," said Gartner analyst Paul Proctor. "If they didn't buy them they would have fiercer competition from someone else who would by them."
Analysts predict convergence in the GRC market, as enterprise GRC vendors start to develop IT GRC capabilities and/or acquire them. Forrester's McClean expects more acquisitions in 2009.
"Still little tough to say how quickly this will happen," McClean said. "Expect to see more of this type of deal both within GRC. Enterprise and IT GRC are getting closer together through mergers and close partnerships. Outside the GRC space, larger IT vendors can find value in either acquiring or closely partnering with some of these GRC vendors."
Gartner's Proctor said that financial, IT and operational GRC will converge over three to five years.
"Now, no vendor does a good job with all three of those," he said. "On the other hand, if you look at the readiness of organizations, a lot of them are talking about combining these, but we have no examples of anyone actually deploying anything that uses one product to manage all three."
The market outlook appears pretty good despite the grim economy. Darbyshire said Archer experienced 55% growth in 2008, considerably exceeding expectations. Most of that growth came in the third and fourth quarters.
Analysts say this is not an isolated case. They expect that IT GRC will remain relatively strong, not only in spite of, but perhaps partly because of last fall's economic disasters and the ongoing recession.
"Consider the nature of the recession," said McClean. "A lot of the economic problems we're seeing are because of poor compliance, poor internal controls around finance and poor risk management decisions. A lot of regulators are coming under fire, so expect to see a lot tighter regulation that would be a driver for GRC."