Did you miss a session from MetaBeat 2022? Head over to the on-demand library for all of our featured sessions here.
Global mergers and acquisitions (M&A) reached a record $5.1 trillion in 2021, and with economic headwinds leaving acquisition as the only viable exit for many startups, further market consolidation is inevitable. As recent M&A transactions like Amazon/One Medical and JetBlue/Spirit Airlines continue to make headlines, security, IT and business leaders should be prepared for the technical challenges of integrating the digital assets of companies seeking to combine their operations.
From reviewing the acquiree’s financial records to scrutinizing its product roadmaps, companies assessing an acquisition target must identify business opportunities while accounting for a multitude of cybersecurity risks. During this effort, the acquiring organization needs to review the other company’s data and systems to determine how — and sometimes whether — to merge IT and security operations. This isn’t easy, given the variety of technologies, data locations, and processes in modern organizations.
As IT environments continue to grow more complex, M&A transactions are becoming increasingly technically challenging. There are a few crucial things to keep in mind that will increase the strength of a post-merger security program.
Start with the business needs
Security professionals tend to evaluate M&A from a purely technical standpoint. Understandably, we worry about inheriting vulnerable or, worse yet, compromised IT assets and weak security practices. We also think about integrating the acquired company’s security and IT technologies into the acquirer’s program and security frameworks.
Join today’s leading executives at the Low-Code/No-Code Summit virtually on November 9. Register for your free pass today.
This is a reasonable starting point. Yet, focusing solely on technological aspects of the M&A transaction can lead to missing the opportunity to offer additional value to the organization. M&A serves a specific business purpose, and taking the time to understand the driving force behind the transaction makes it possible to align technological projects in support of the business goals. This increases the chances that the companies’ IT and security programs will merge in a way that supports, rather than hinders, the transaction.
For instance, if the goal of the acquisition is integrating business operations, the companies will likely need to bring together IT and security platforms. However, the timeline of this integration will determine how aggressively the IT and security organizations will need to support it. More time means more planning and more opportunities for the two technology teams to understand each other. In addition, the time will offer a better chance to determine which company’s IT systems and applications to keep in support of the business vision for the integrated entity.
In contrast, if the acquired company will operate as a separate business unit — at least for a fairly long term — some technologies will remain separate and require coordination for security oversight and risk governance. You’ll also need to understand which IT and security components might still be integrated to derive economies of scale or to strengthen the overall IT and security program.
You will need to determine whether the acquired company expands the scope of the combined entity’s security compliance program. You might need to learn and accommodate new regulatory requirements and contractual commitments related to IT and security.
Get the lay of the land
Once you’re clear on the business objectives and timelines behind the M&A transaction, it’s time to understand the state of the technology you’re inheriting, along with the associated people and processes that power the acquired organization. This often begins with a comprehensive IT asset inventory.
Start by learning about the organization’s IT assets, the nature of the data that flows through them, and the associated users and business purposes. Capture this information from multiple data sources: network scans, identity systems, cloud orchestration platforms, device management tools and any other IT and security systems that might have visibility into the existence and state of the assets. Account for on-prem, cloud and remote networks (including employees’ homes) and don’t forget to inventory the SaaS applications.
Next, gather information about the role the identified assets play in the acquired company’s business activities. Who uses them and for what purpose? Who is responsible for their lifecycle and day-to-day operations? This context will be helpful for not only deciding how, when and whether to integrate these assets with the acquirer’s but also in assisting with risk management.
An accurate IT asset inventory will act as the foundation for identifying risks and devising an approach to integrating IT and security programs in support of the business objectives.
While getting the lay of the land, get to know the acquired company’s people. How are they organized? What’s their expertise? What motivates them to do their best work? What are their concerns about the M&A transaction? Start developing a sense of how the teams and the individuals from the two organizations will work together.
Identify the M&A risks and opportunities
After gathering IT asset data and understanding how these systems and applications — and the associated people and processes — contribute to the company’s business, it’s time to assess the firm’s security posture. Some good questions to start with include:
- How are end-users’ identities managed?
- How many endpoints are missing security agents?
- How many systems are not being scanned for vulnerabilities?
- Which cloud-hosted workloads are accessible from the internet?
- What mechanisms exist to identify and investigate security events?
- Which of the acquired company’s assets might be vulnerable or already compromised?
Asking and answering these questions will lead to discussions with key personnel to understand the related processes — for example, the way the company authenticates its users, secures endpoints, and handles vulnerability management. Through this effort, you’ll start identifying key risks and begin understanding how the acquiree’s security program compares to the acquirer’s.
Depending on the security and business context, you might decide to keep the technologies and practices that work well while replacing others. Chances are, you’ll have to support multiple overlapping technologies at least for some time, so you’ll need to decide on the ways of supporting such coexistence. In some cases, you’ll be able to use the merger as an opportunity to decommission unwanted or unmanaged infrastructure within one organization, especially when a better alternative exists within the other.
Combine your understanding of people from your organization with what you learned when assessing the acquired company. Will the cultures clash? Will people feel valued and respected? Look for opportunities to bring people together, especially when their skillsets and backgrounds supplement each other as part of a unified company. Also, consider where there might be overlap in responsibilities and how the structure of the teams might need to be adjusted in line with the business goals of the M&A transaction.
Maximize the value with the right approach
Security and IT leaders have to make a strong impact on the business objectives of M&A transactions. This involves understanding what organizations seek to achieve when combining two companies and the role that technology teams, technologies and processes can play in that process. Understand the context, ask questions to learn about the current state, and then identify the risks and opportunities to increase the value that both companies get from the transaction. As we continue to see more consolidation across different markets, expect to see more conversations around the technical side of M&A and the special considerations that it warrants.
Lenny Zeltser is CISO at Axonius.