Global mergers and acquisitions (M&A) reached a record $5.1 trillion in 2021, and with financial headwinds leaving acquisition as the only viable exit for many startups, further market consolidation is inevitable. As recent M&A transactions like Amazon/One Medical and JetBlue/Spirit Airlines continue to make headlines, security, IT and business leaders need to be ready for the technical challenges of integrating the digital assets of companies seeking to combine their operations.
From reviewing the acquiree’s financial records to scrutinizing its product roadmaps, companies assessing an acquisition target must identify business opportunities while accounting for a multitude of cybersecurity risks. During this effort, the acquiring organization needs to review the other company’s data and systems to determine how, and sometimes whether, to merge IT and security operations. This isn’t easy, given the variety of technologies, data locations, and processes in modern organizations.
As IT environments continue to grow more complex, M&A transactions are becoming increasingly technically challenging. There are several important considerations to keep in mind that can increase the strength of a post-merger security program.
Start with the business needs
Security professionals tend to evaluate M&A from a purely technical standpoint. Understandably, we worry about inheriting vulnerable or, worse yet, compromised IT assets and weak security practices. We also think about integrating the acquired company’s security and IT technologies into the acquirer’s program and security frameworks.
This is a reasonable starting point. Yet focusing solely on the technological aspects of the M&A transaction can lead to missing the opportunity to provide more value to the organization. M&A serves a specific business purpose, and taking the time to understand the driving force behind the transaction makes it possible to align technological projects in support of the business goals. This increases the chances that the companies’ IT and security programs will merge in a way that helps, rather than hinders, the transaction.
For instance, if the goal of the acquisition is integrating business operations, the companies will likely need to bring together IT and security platforms. However, the timeline of this integration will determine how aggressively the IT and security organizations will need to support it. More time means more planning and more opportunities for the two technology teams to understand each other. In addition, the time will offer a better chance to determine which company’s IT systems and applications to keep in support of the business vision for the integrated entity.
In contrast, if the acquired company will operate as a separate business unit, at least for a fairly long term, some technologies will remain separate and require coordination for security oversight and risk governance. You’ll also need to understand which IT and security components might still be integrated to derive economies of scale or to strengthen the overall IT and security program.
You will need to determine whether the acquired company expands the scope of the combined entity’s security compliance program. You might need to learn and accommodate new regulatory requirements and contractual commitments related to IT and security.
Get the lay of the land
Once you’re clear on the business objectives and timelines behind the M&A transaction, it’s time to understand the state of the technology you’re inheriting, along with the associated people and processes that power the acquired organization. This typically begins with a comprehensive IT asset inventory.
Start by learning about the organization’s IT assets, the nature of the data that flows through them, and the associated users and business applications. Capture this information from multiple data sources: network scans, identity systems, cloud orchestration platforms, system administration tools and any other IT and security systems that may have visibility into the existence and state of the assets. Account for on-prem, cloud and remote networks (including employees’ homes) and don’t forget to inventory the SaaS applications.
Next, gather information about the role the identified assets play in the acquired company’s business activities. Who uses them and for what purpose? Who is responsible for their lifecycle and day-to-day operations? This context will be useful not only for deciding how, when and whether to integrate these assets with the acquirer’s but also for assisting with risk management.
An accurate IT asset inventory will act as the foundation for identifying risks and devising an approach to integrating IT and security programs in support of the business objectives.
While getting the lay of the land, get to know the acquired company’s people. How are they organized? What is their expertise? What motivates them to do their best work? What are their concerns about the M&A transaction? Start developing a sense of how the teams and the individuals from the two organizations will work together.
Identify the M&A risks and opportunities
After gathering IT asset data and understanding how these systems and applications, and the associated people and processes, contribute to the company’s business, it’s time to assess the firm’s security posture. Some good questions to start with include:
- How are end-users’ identities managed?
- How many endpoints are missing security agents?
- How many systems are not being scanned for vulnerabilities?
- Which cloud-hosted workloads are accessible from the internet?
- What mechanisms exist to identify and investigate security events?
- Which of the acquired company’s assets might be vulnerable or already compromised?
Asking and answering these questions will lead to discussions with key personnel to understand the related processes, for example the way the company authenticates its users, secures endpoints, and handles vulnerability management. Through this effort, you’ll start identifying key risks and begin understanding how the acquiree’s security program compares to the acquirer’s.
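The asset inventory and the coverage questions above come down to joining exports from several tools and looking for what each one fails to see. The following is an added example, not part of the original article: the tool names, field names and sample records are constructed assumptions, and matching on the short hostname is a simplification.

```python
from collections import defaultdict

SOURCES = {  # constructed sample exports; tool and field names are assumptions
    "network_scan": [
        {"host": "FIN-LT-014.corp.example", "ip": "10.20.1.14"},
        {"host": "build-01", "ip": "10.20.5.9"},
        {"host": "hr-lt-002", "ip": "10.20.1.77"},
    ],
    "edr_agent": [
        {"host": "fin-lt-014", "ip": "10.20.1.14"},
    ],
    "vuln_scanner": [
        {"host": "fin-lt-014.corp.example", "ip": "10.20.1.14"},
        {"host": "BUILD-01", "ip": "10.20.5.9"},
    ],
    "cloud_inventory": [
        {"host": "web-prod-1", "ip": "10.30.0.4", "public_ip": "203.0.113.10"},
        {"host": "batch-7", "ip": "10.30.0.8", "public_ip": None},
    ],
}

def asset_key(record):
    """Normalize a hostname so the same machine matches across tools."""
    return record["host"].strip().lower().split(".")[0]

def build_inventory(sources):
    """Merge per-tool records into one entry per asset, tracking who saw it."""
    inventory = defaultdict(lambda: {"seen_by": set(), "ips": set(), "public_ip": None})
    for source, records in sources.items():
        for rec in records:
            entry = inventory[asset_key(rec)]
            entry["seen_by"].add(source)
            entry["ips"].add(rec["ip"])
            entry["public_ip"] = rec.get("public_ip") or entry["public_ip"]
    return dict(inventory)

def coverage_gaps(inventory):
    """Answer three of the posture questions from the merged inventory."""
    def missing(tool):
        return sorted(k for k, v in inventory.items() if tool not in v["seen_by"])
    return {
        "no_edr_agent": missing("edr_agent"),
        "not_vuln_scanned": missing("vuln_scanner"),
        "internet_facing": sorted(k for k, v in inventory.items() if v["public_ip"]),
    }

if __name__ == "__main__":
    for question, assets in coverage_gaps(build_inventory(SOURCES)).items():
        print(f"{question}: {assets}")
```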
Depending on the security and business context, you might decide to keep the technologies and practices that work well while replacing others. Chances are, you’ll need to support multiple overlapping technologies at least for some time, so you’ll need to decide on ways of supporting such coexistence. In some cases, you’ll be able to use the merger as an opportunity to decommission unwanted or unmanaged infrastructure within one organization, especially when a better alternative exists within the other.
Combine your understanding of the people from your organization with what you learned when assessing the acquired company. Will the cultures clash? Will people feel valued and respected? Look for opportunities to bring people together, especially when their skillsets and backgrounds complement each other as part of a unified company. Also, consider where there might be overlap in responsibilities and how the structure of the teams may need to be adjusted in line with the business goals of the M&A transaction.
Maximize the value with the right approach
Security and IT leaders need to make a strong impact on the business objectives of M&A transactions. This involves understanding what organizations seek to achieve when combining two companies and the role that technology teams, technologies and processes can play in that process. Understand the context, ask questions to learn about the current state, and then identify the risks and opportunities to increase the value that both companies get from the transaction. As we continue to see more consolidation across different markets, expect to see more conversations around the technical side of M&A and the specific considerations that it warrants.
Lenny Zeltser is CISO at Axonius.