Oct 31, 2023

By Stratascale Marketing

Acquisition Cybersecurity: Leaving cybersecurity hanging will cause irritation later

An article discussing the value of Governance, Risk & Compliance (GRC) in the context of Mergers & Acquisitions (M&A), with some guidance on how to do it right.

You’ve been working on this acquisition for months, pushing a year. It’s been exhilarating: you’ve worked with the new people, there is a clear culture fit with your current company, the books are crisp, the business is promising, and you’ve got big ideas for upgrading your existing go-to-market.

There’s nothing but upside. You’ve got the momentum of a freight train. It would take the strength of Clydesdales to pull the brake and halt this operation. Certainly, that kind of force isn’t available.

Certainly…

A few weeks go by, and as soon as the ink dries, you share the good news. The CISO speaks up. “All we need to do now is assess their security posture.”

“We do? Why do we care?”

It’s procedural, there are a lot of technical insights, and an assessment slows down your long-anticipated effort to do more exciting things. Let me say something to try and reframe your thinking. It’s exactly BECAUSE you want to innovate that you also care about the cybersecurity.

Would you drive a Lamborghini on bald tires with no oil and cheap gas? No. You want that kitten to purr. You want to know in that hairpin turn, you’re going to have maximum acceleration, and that means gripping the pavement and juicing the lemon to the last drop.

This acquisition is your new Lambo; you don’t want to risk a blowout going into the first turn. Without proper cybersecurity measures in place, you drastically increase the chance of a catastrophe. Your new acquisition could have weak security that gets used as a springboard to infiltrate the mothership. Or worse, there could be a latent malware infection within the acquisition that has gone undetected. Once the two organizations are integrated, the lurking threat actors think, “Jackpot!”

So an assessment…

Sounds simple enough. Should be simple, right? Well, yes, a cybersecurity assessment is a straightforward process. Like any good consultant, though, my answer is the dreaded, “That depends.” I hate saying it, I hate myself when I say it, but it has to be said.

So quickly, what “depends”?

  1. Do you have the capacity to conduct an assessment? How saturated is your team with existing projects and duties?
  2. Do you have a partner at the ready to conduct an assessment? If you don’t, you must go through the whole process of evaluating options.

Getting this project started can take a few weeks. Once you’ve figured out who is going to do the work, it can take several more weeks to complete the assessment. (I know, not what you wanted to hear.) Of course, there are ways to speed this along.

  1. Documentation
    Is there any existing evidence or assets to help kick start the assessment? Documents like policies & procedures, compliance certifications, or vulnerability scans will help jumpstart the operation. Smaller organizations generally don’t have rigorous standards and mandates for these sorts of initiatives. Being the eternal optimist, I hope we get lucky.
  2. People – Knowledge
    We need to find out who knows their stuff. There are multiple people who have a bounty of institutional knowledge. We want to sit down with them and extract as much as possible and catalogue their brain. We need to understand if reality aligns with policy. Compliance does not equal security. If that were the case, virtually every bank, hospital, and critical infrastructure organization would be impervious to attack.
  3. Analysis
    This is where it all comes together. In this phase, your assessor will review documentation, evidence, interviews, etc., and perform what I like to call “wrinkly-brain work”. From their observations and experience, the assessor will analyze, dissect, score, and present their findings: findings that should communicate potential risks and how to address them.
  4. Results
    We worked with a company that had an acquisition months ago. This client had already completed some integration but needed a path forward to have a secure, financially prudent, and strategically aligned plan. We performed the work above with several check-ins on the information gathered. Once done, they were able to easily slice and dice a rather massive report to further deliver the findings to the appropriate internal teams. We called out week-one priorities to help minimize immediate high-impact risks. We provided a strategic roadmap with recommendations and potential timelines, and all the evidence in between. Now they have a well-informed plan for the secure integration of the companies.

Make cybersecurity part of your M&A process, and engage your security leadership or a trusted partner early in the process. This early planning will accelerate integration once the acquisition is ready and will ensure you don’t introduce more risk into your business. Innovation and speed must be done safely; that’s where security helps. Security isn’t here to stop progress. It’s here to make sure it’s done right the first time.
