Global mergers and acquisitions (M&A) reached a record $5.1 trillion in 2021, and with financial headwinds leaving acquisition as the only viable exit for many startups, further market consolidation is inevitable. As recent M&A transactions like Amazon/One Medical and JetBlue/Spirit Airlines continue to make headlines, security, IT and business leaders must be ready for the technical challenges of integrating the digital assets of companies seeking to combine their operations.
From reviewing the acquiree’s financial records to scrutinizing its product roadmaps, companies assessing an acquisition target must identify business opportunities while accounting for a multitude of cybersecurity risks. During this effort, the acquiring organization needs to review the other company’s data and systems to determine how, and sometimes whether, to merge IT and security operations. This isn’t easy, given the variety of technologies, data locations, and processes in modern organizations.
As IT environments continue to grow more complex, M&A transactions are becoming increasingly technically challenging. There are a few important considerations to keep in mind that can improve the strength of a post-merger security program.
Start with the business needs
Security professionals tend to evaluate M&A from a purely technical standpoint. Understandably, we worry about inheriting vulnerable or, worse yet, compromised IT assets and weak security practices. We also think about integrating the acquired company’s security and IT technologies into the acquirer’s program and security frameworks.
This is a reasonable place to start. Yet focusing solely on the technological aspects of the M&A transaction can lead to missing the opportunity to provide more value to the organization. M&A serves a specific business purpose, and taking the time to understand the driving force behind the transaction makes it possible to align technological initiatives in support of the business goals. This increases the chances that the companies’ IT and security programs will merge in a way that helps, rather than hinders, the transaction.
For instance, if the goal of the acquisition is integrating business operations, the companies will likely need to bring together IT and security platforms. However, the timeline of this integration will determine how aggressively the IT and security organizations will need to support it. More time means more planning and more opportunities for the two technology teams to understand each other. In addition, the time will offer a better chance to determine which company’s IT systems and applications to keep in support of the business vision for the integrated entity.
In contrast, if the acquired company will operate as a separate business unit, at least for a fairly long term, some technologies will remain separate and require coordination for security oversight and risk governance. You’ll also need to understand which IT and security components might still be integrated to derive economies of scale or to strengthen the overall IT and security program.
You will need to determine whether the acquired company expands the scope of the combined entity’s security compliance program. You might need to learn and accommodate new regulatory requirements and contractual commitments related to IT and security.
Get the lay of the land
Once you’re clear on the business objectives and timelines behind the M&A transaction, it’s time to understand the state of the technology you’re inheriting, including the related people and processes that power the acquired organization. This often starts with a comprehensive IT asset inventory.
Start by learning about the organization’s IT assets, the nature of the data that flows through them, and the associated users and business functions. Capture this information from multiple data sources: network scans, identity systems, cloud orchestration platforms, device management tools and any other IT and security systems that might have visibility into the existence and state of the assets. Account for on-prem, cloud and remote networks (including employees’ homes) and don’t forget to inventory the SaaS applications.
Next, gather information about the role the identified assets play in the acquired company’s business activities. Who uses them and for what purpose? Who is responsible for their lifecycle and day-to-day operations? This context will be helpful not only for deciding how, when and whether to integrate these assets with the acquirer’s, but also for assisting with risk management.
An accurate IT asset inventory will act as the foundation for identifying risks and devising an approach to integrating IT and security programs in support of the business objectives.
While getting the lay of the land, get to know the acquired company’s people. How are they organized? What’s their expertise? What motivates them to do their best work? What are their concerns about the M&A transaction? Start developing a sense of how the teams and the individuals from the two organizations will work together.
Identify the M&A risks and opportunities
After gathering IT asset data and understanding how these systems and applications, and the related people and processes, contribute to the company’s business, it’s time to assess the firm’s security posture. Some good questions to start with include:
- How are end-users’ identities managed?
- How many endpoints are missing security agents?
- How many systems are not being scanned for vulnerabilities?
- Which cloud-hosted workloads are accessible from the internet?
- What mechanisms exist to identify and investigate security events?
- Which of the acquired company’s assets might be vulnerable or already compromised?
Asking and answering these questions will lead to discussions with key personnel to understand the related processes, for example, the way the company authenticates its users, secures endpoints, and handles vulnerability management. Through this effort, you’ll start identifying key risks and begin understanding how the acquiree’s security program compares to the acquirer’s.
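An added example, not part of the original article or any vendor's product: one way to correlate exports from the data sources named earlier into a single inventory and answer three of the posture questions from it. The source names, field names and sample records are constructed assumptions.

```python
import re

# Constructed sample exports; source and field names are assumptions.
SOURCES = {
    "network_scan": [{"mac": "AA:BB:CC:00:00:01", "hostname": "ws-001"},
                     {"mac": "AA:BB:CC:00:00:02", "hostname": "ws-002"},
                     {"mac": "AA:BB:CC:00:00:03"}],  # device known only by MAC
    "mdm": [{"mac": "aa-bb-cc-00-00-02"}],
    "edr": [{"hostname": "WS-001.corp.example"}, {"hostname": "web-01"}],
    "vuln_scanner": [{"hostname": "ws-001.corp.example"}, {"hostname": "ws-002"}],
    "cloud": [{"hostname": "web-01", "public_ip": "203.0.113.10"}, {"hostname": "batch-01"}],
}

def keys_of(rec):
    """Correlation keys: MAC stripped of separators, short lowercase hostname."""
    mac = re.sub(r"[^0-9a-f]", "", (rec.get("mac") or "").lower())
    host = (rec.get("hostname") or "").lower().split(".")[0]
    return sorted(k for k in ("host:" + host, "mac:" + mac) if not k.endswith(":"))

def correlate(sources):
    """Union records that share any key into one asset (union-find over keys)."""
    parent = {}
    def find(k):
        parent.setdefault(k, k)
        while parent[k] != k:
            k = parent[k]
        return k
    # Records with no usable key cannot be correlated and are skipped.
    tagged = [(s, r, keys_of(r)) for s, recs in sources.items() for r in recs if keys_of(r)]
    for _, _, keys in tagged:
        for k in keys[1:]:
            parent[find(k)] = find(keys[0])
    assets = {}
    for src, rec, keys in tagged:
        a = assets.setdefault(find(keys[0]), {"keys": set(), "seen_by": set(), "public_ip": None})
        a["keys"].update(keys)
        a["seen_by"].add(src)
        a["public_ip"] = a["public_ip"] or rec.get("public_ip")
    return list(assets.values())

def label(asset):
    hosts = sorted(k for k in asset["keys"] if k.startswith("host:"))
    return (hosts or sorted(asset["keys"]))[0].split(":", 1)[1]

def gaps(assets):
    pick = lambda pred: sorted(label(a) for a in assets if pred(a))
    return {"missing_edr": pick(lambda a: "edr" not in a["seen_by"]),
            "not_vuln_scanned": pick(lambda a: "vuln_scanner" not in a["seen_by"]),
            "internet_exposed": pick(lambda a: a["public_ip"])}

print(gaps(correlate(SOURCES)))
```

The MDM record carries only a MAC and the vulnerability-scanner record only a hostname, yet both attach to `ws-002` because the network scan record bridges the two identifiers.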
Depending on the security and business context, you might decide to keep the technologies and practices that work well while replacing others. Chances are, you’ll need to support multiple overlapping technologies at least for some time, so you’ll need to decide on the ways of supporting such coexistence. In some cases, you’ll be able to use the merger as an opportunity to decommission undesirable or unmanaged infrastructure within one organization, especially when a better alternative exists within the other.
Combine your understanding of people from your organization with what you learned when assessing the acquired company. Will the cultures clash? Will people feel valued and respected? Look for opportunities to bring people together, especially when their skillsets and backgrounds complement each other as part of a unified company. Also, consider where there is overlap in responsibilities and how the structure of the teams might need to be adjusted in line with the business goals of the M&A transaction.
Maximize the value with the right approach
Security and IT leaders need to make a strong impact on the business objectives of M&A transactions. This involves understanding what organizations seek to achieve when combining two companies and the role that technology teams, technologies and processes can play in that process. Understand the context, ask questions to learn about the current state, and then identify the risks and opportunities to increase the value that both companies get from the transaction. As we continue to see more consolidation across different markets, expect to see more conversations around the technical side of M&A and the specific considerations that it warrants.
Lenny Zeltser is CISO at Axonius.