It’s that time of year again: Inc. Magazine has published its 500|5000 list. Arguably, a company that Inc. ranks third in its industry (software), first in its region (San Jose) and 39th overall has some bragging rights. It doesn’t hurt to have a three-year growth rate of 4,909% and revenues in excess of $6 million, either. But there are still 38 more companies to surpass on the road to first place.
Founded in late 2005, San Jose, California–based Agiliance is an independent provider of operational and security risk management solutions for governance, risk, and compliance (GRC) programs. The company’s RiskVision provides a unified view of organizations’ risk posture, combining policy, compliance, and incident and threat or vulnerability management applications in one platform. The flexible, scalable automation is designed to enable organizations to deliver closed-loop risk management and continuous compliance and thus make better investment decisions.
The security risk environment saw the birth of advanced cyber attacks and sophisticated insider leaks in late 2005. Today, these are commonplace, with recent catastrophes at Epsilon, RSA Security, and Sony of America. Six years ago, organizations were not equipped to make these risks visible to their IT organizations, let alone qualify and quantify their effects. Their GRC programs were focused on financial and legal risk controls. Agiliance aimed to fill that void with a solution focused on operations and IT risk controls, which today is known as IT GRC or security risk management (SRM).
The SRM market was not well defined in 2005. Competition came from internally built spreadsheets that tried to piece together security monitoring tools’ outputs against operational goals. These were inaccurate and noncontinuous. Missing was the ability to model and manage business risk-based security, which meant tying together operational goals and IT controls and making risks visible, measurable, and actionable in real time while providing a platform to manage continuous compliance.
Agiliance’s competitors included Symantec with a partial solution named ‘CCS’ using its Bindview acquisition, and Archer Technologies, which started as a consulting organization and later built a development environment. Archer, now part of EMC, can be programmed to perform security compliance audits but cannot model and manage security compliance and risk for the business either continuously or in real time. Business risk management, security threats, and compliance mandates are an increasing concern for companies in all industries as regulations rapidly grow in number and complexity and virtualized operations scale in the cloud.
Prior to founding Agiliance, Pravin Kothari co-founded ArcSight, a security information and event management (SIEM) software business that he sold to HP in 2010 for $1.5 billion. While ArcSight successfully focused on security and compliance from an IT event level, Kothari saw the opportunity to build a new business with a risk-based view of security for business units and missions across the private and public sectors.
Joe Fantuzzi, who has 24 years’ experience in the software industry, replaced Kothari as the company’s CEO in January 2010. Before joining Agiliance, Fantuzzi spent five years as CEO for WorkShare, a UK-based content security company. He also co-founded and served as CEO for Net Dialog, a SaaS CRM company that he sold to Kana for $100 million in 1999.
The Agiliance management team is complete with the exception of a business development executive. A diverse group, the team members’ nationalities include Indian, German, English, Chinese, and American. Four of the company’s six executives have founded their own companies at one time.
Agiliance RiskVision is an integrated GRC platform that offers a modular approach to managing enterprise risk. RiskVision comprises six key GRC applications: Policy Manager, Compliance Manager, Enterprise Risk Manager, Vendor Risk Manager, Incident Manager, and Threat and Vulnerability Manager. The company believes that its differentiators are automation via more than 30 IT and security tool connectors that provide continuous and correlated data feeds; scalability to manage compliance and risk assessments across hundreds of thousands of assets, applications and people; and time-to-value to deploy and maintain a platform with the lowest cost of ownership available. Agiliance’s business model is also differentiated by its OpenGRC community that embraces advisory service, system service, technology, and content providers in a unified approach. This community accelerates time-to-value and gives customers sustainability to manage GRC programs.
In 2009, AMR Research estimated the total available market for GRC programs to be nearly $17 billion. That estimate included internal efforts, external consultants, and technology software and services. In 2010, Forrester Research estimated the addressable market for technology and software services, and financial and legal GRC capabilities to be $900 million. Further, according to Gartner Research, in 2011, the direct bottom-up competition for the emerging IT GRC/SRM segment targeting the G2000 and large public sector is about $150 million.
The top buying segments for SRM are energy, financial services, healthcare, public sector, retail, media and technology since they all have high-valued information assets and a distributed organizational footprint. Agiliance’s cumulative business is about 29% in financial services, 25% in public sector, 17% in healthcare, and between 5% and 10% each in the other three segments.
Early market penetration was done with a direct sales organization. Agiliance’s beachhead was acquiring early adopters such as State Street Bank, Army Socom, Blue Shield of California, and Safeway Stores, which led to larger customers over time. The current go-to-market strategy is to capitalize on the OpenGRC resellers who market the company’s solution to their customers and OpenGRC service providers who give the company’s sales organization leads. Agiliance also offers specific cloud services marketed via ISP and OEM channels.
Agiliance is in a true expansion stage. The revenue run rate is between $10 million and $15 million with about 85% from licenses and the remainder from services. The company’s profitability is an accounting number based on many factors, including a mix of subscription and perpetual licenses, VSOE attainment, and services delivery timing.
Agiliance has about 100 customers. About 15% took delivery on demand, a mode that is growing quickly. According to internal records, as of December 2010, 97% of the company’s customers consisted of renewals, 70% owned multiple applications, and 38% were repeat buyers.
Pricing models carry fees for applications, connectors, and assets managed. The RiskVision platform and content, which are part of any application purchased, are at no fee for customers under subscription or maintenance. Pricing starts at $25,000 per application per year with cumulative volume discounts for all applications, connectors, and managed assets purchased.
Agiliance has received three rounds of equity financing and carries a comfortable A/R line (accounts receivable line of credit) as well. In 2005, the company received $2.5 million from SVIC. Two years later, SVIC was joined by Walden, IntelCap and RedRock for an $8 million series A. Castile and previous investors pooled their resources for a $10 million series B. The company received a $2 million A/R line from Silicon Valley Bank in 2011, the majority of which, the company says, remains undrawn. Agiliance is beginning to consider a series C round for the middle of 2012.
Growth for Agiliance is driven by three major go-to-market strategies: enterprise sales to central information security officers; functional group sales to business unit information security officers; and cloud service provider sales. All three strategies leverage indirect channels.
Agiliance’s board has established a model to grow the business beyond a $30 million run rate. With venture capital equity, Agiliance is focused on revenue growth, yet is keeping an open mind about other options.
This segment is part of the series: 1Mby1M Deal Radar 2011