Global mergers and acquisitions (M&A) reached a record $5.1 trillion in 2021, and with financial headwinds leaving acquisition as the only viable exit for many startups, further market consolidation is inevitable. As recent M&A transactions like Amazon/One Medical and JetBlue/Spirit Airlines continue to make headlines, security, IT and business leaders should be prepared for the technical challenges of integrating the digital assets of companies seeking to combine their operations.
From reviewing the acquiree’s financial records to scrutinizing its product roadmaps, companies assessing an acquisition target must identify business opportunities while accounting for a multitude of cybersecurity risks. During this effort, the acquiring organization needs to review the other company’s data and systems to determine how, and sometimes whether, to merge IT and security operations. This isn’t easy, given the variety of technologies, data locations, and processes in modern organizations.
As IT environments continue to grow more complex, M&A transactions are becoming increasingly technically challenging. There are a few important things to keep in mind that will increase the strength of a post-merger security program.
Start with the business needs
Security professionals tend to evaluate M&A from a purely technical standpoint. Understandably, we worry about inheriting vulnerable or, worse yet, compromised IT assets and weak security practices. We also think about integrating the acquired company’s security and IT technologies into the acquirer’s program and security frameworks.
This is a reasonable starting point. Yet focusing solely on the technological aspects of the M&A transaction can lead to missing the opportunity to provide additional value to the organization. M&A serves a specific business purpose, and taking the time to understand the driving force behind the transaction makes it possible to align technological projects in support of the business objectives. This increases the chances that the companies’ IT and security programs will merge in a way that helps, rather than hinders, the transaction.
For instance, if the goal of the acquisition is integrating business operations, the companies will likely need to bring together IT and security platforms. However, the timeline of this integration will determine how aggressively the IT and security organizations will need to support it. More time means more planning and more opportunities for the two technology teams to understand each other. In addition, the time will offer a better chance to determine which company’s IT systems and applications to keep in support of the business vision for the integrated entity.
In contrast, if the acquired company will operate as a separate business unit, at least for a reasonably long term, some technologies will remain separate and require coordination for security oversight and risk governance. You’ll also need to understand which IT and security components might still be integrated to derive economies of scale or to strengthen the overall IT and security program.
You will need to determine whether the acquired company expands the scope of the combined entity’s security compliance program. You might need to learn and accommodate new regulatory requirements and contractual commitments related to IT and security.
Get the lay of the land
Once you’re clear on the business objectives and timelines behind the M&A transaction, it’s time to understand the state of the technology you’re inheriting, along with the associated people and processes that power the acquired organization. This typically starts with a comprehensive IT asset inventory.
Start by learning about the organization’s IT assets, the nature of the data that flows through them, and the associated users and business purposes. Capture this information from multiple data sources: network scans, identity systems, cloud orchestration platforms, device management tools and any other IT and security systems that might have visibility into the existence and state of the assets. Account for on-prem, cloud and remote networks (including employees’ homes) and don’t forget to inventory the SaaS applications.
Next, gather information about the role the identified assets play in the acquired company’s business activities. Who uses them and for what purpose? Who’s responsible for their lifecycle and day-to-day operations? This context will be helpful not only for deciding how, when and whether to integrate these assets with the acquirer’s but also for assisting with risk management.
An accurate IT asset inventory will act as the foundation for identifying risks and devising an approach to integrating IT and security programs in support of the business objectives.
While getting the lay of the land, get to know the acquired company’s people. How are they organized? What’s their expertise? What motivates them to do their best work? What are their concerns about the M&A transaction? Start developing a sense of how the teams and the individuals from the two organizations will work together.
Identify the M&A risks and opportunities
After gathering IT asset data and understanding how these systems and applications, and the associated people and processes, contribute to the company’s business, it’s time to assess the firm’s security posture. Some good questions to start with include:
- How are end-users’ identities managed?
- How many endpoints are missing security agents?
- How many systems are not being scanned for vulnerabilities?
- Which cloud-hosted workloads are accessible from the web?
- What mechanisms exist to identify and investigate security events?
- Which of the acquired company’s assets might be vulnerable or already compromised?
Asking and answering these questions will lead to discussions with key personnel to understand the related processes: for example, the way the company authenticates its users, secures endpoints, and handles vulnerability management. Through this effort, you’ll start identifying key risks and begin understanding how the acquiree’s security program compares to the acquirer’s.
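The multi-source inventory and the coverage questions above can be answered from one merged view; the following is an added example, not code from the article or its author. The source names, field names and sample records are constructed assumptions, and joining on a short hostname is a simplification (real merges usually also need serial numbers, MAC addresses or cloud instance IDs).

```python
"""Added example: reconcile asset records from several sources, then report gaps."""
from collections import defaultdict

# Constructed sample exports; source and field names are assumptions.
SOURCES = {
    "network_scan": [{"host": "WEB01.corp.example", "ip": "10.0.1.10"},
                     {"host": "db01", "ip": "10.0.1.20"},
                     {"host": "kiosk-7", "ip": "10.0.9.7"}],
    "cloud": [{"host": "web01", "public_ip": "203.0.113.5"},
              {"host": "batch-3", "public_ip": None}],
    "edr_agents": [{"host": "web01"}, {"host": "DB01.corp.example"}],
    "vuln_scanner": [{"host": "web01"}, {"host": "batch-3"}],
    "mdm": [{"host": "laptop-ann", "owner": "ann"}],
}

def normalize(host):
    """Reduce FQDN/short-name and case differences to one join key."""
    return host.strip().lower().split(".")[0]

def build_inventory(sources):
    """Merge per-source records into one entry per asset, tracking who saw it."""
    inventory = defaultdict(lambda: {"seen_by": set(), "attrs": {}})
    for source, records in sources.items():
        for rec in records:
            entry = inventory[normalize(rec["host"])]
            entry["seen_by"].add(source)
            entry["attrs"].update(
                {k: v for k, v in rec.items() if k != "host" and v})
    return dict(inventory)

def coverage_gaps(inventory):
    """Answer three of the posture questions from the merged view."""
    def hosts(pred):
        return sorted(h for h, e in inventory.items() if pred(e))
    return {
        "missing_security_agent": hosts(lambda e: "edr_agents" not in e["seen_by"]),
        "not_vuln_scanned": hosts(lambda e: "vuln_scanner" not in e["seen_by"]),
        # Assumption: a public IP is used as a proxy for internet exposure.
        "internet_accessible": hosts(lambda e: bool(e["attrs"].get("public_ip"))),
        # Assets only one tool knows about are the likeliest unmanaged ones.
        "single_source_only": hosts(lambda e: len(e["seen_by"]) == 1),
    }

if __name__ == "__main__":
    for question, found in coverage_gaps(build_inventory(SOURCES)).items():
        print(f"{question}: {found}")
```

Assets that appear in only one source are worth raising with the acquired company’s staff first, since they are the ones most likely to lack an owner.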
Depending on the security and business context, you might decide to keep the technologies and practices that work well while replacing others. Chances are, you’ll have to support multiple overlapping technologies at least for some time, so you’ll need to decide on the ways of supporting such coexistence. In some cases, you’ll be able to use the merger as an opportunity to decommission unwanted or unmanaged infrastructure within one organization, especially when a better alternative exists within the other.
Combine your understanding of people from your organization with what you learned when assessing the acquired company. Will the cultures clash? Will people feel valued and respected? Look for opportunities to bring people together, especially when their skillsets and backgrounds complement each other as part of a unified company. Also, consider where there might be overlap in responsibilities and how the structure of the teams might need to be adjusted in line with the business objectives of the M&A transaction.
Maximize the value with the right approach
Security and IT leaders want to make a strong impact on the business objectives of M&A transactions. This involves understanding what organizations seek to achieve when combining two companies and the role that technology teams, technologies and processes can play in that process. Understand the context, ask questions to learn about the current state, and then identify the risks and opportunities to increase the value that both companies get from the transaction. As we continue to see more consolidation across different markets, expect to see more conversations around the technical side of M&A and the special considerations that it warrants.
Lenny Zeltser is CISO at Axonius.