Mergers and acquisitions create huge growth opportunities — but, as with any good thing, they come with transition challenges, especially in security. Pre-merger planning activities are often focused within strategic, operational, and legal teams, while other groups are left to react once the deal is signed. Even when M&A keeps company operations mostly independent, security teams can see weaknesses multiply as the organizational landscape expands. Because security touches nearly every part of the business, a CISO’s hangover pains can drag on long after a merger or acquisition.
If your company is taking a sudden growth leap, you may find yourself a sudden CISO, facing an M&A or dealing with lingering M&A effects. The best prescription is a proactive approach.
Contribute to ongoing risk discussions
CISOs need a seat at the deal table to help evaluate risks and make sure both organizations stay secure. As a matter of practice, executives and Board members should rely on CISOs to drive regular cyber risk discussions. Doing so will aid their decision-making and keep security in the loop. (If you haven’t established this connection, start with our conversation guide.)
Learn on the fly
When advance notice isn’t possible, investigate and gather information as you go. Prepare to document and develop plans at the same time, considering:
- What’s in place
- A transition plan, including which system or process will take precedence
- The extent to which systems run concurrently and how their use differs between organizations
- A sunsetting plan
- Where potential risk exists
Risk assessment guide
Look for security obstacles in major areas.
Inherited legacy systems. Besides adding complexity, out-of-date legacy systems carry security vulnerabilities both obvious and hidden. However, disentanglement isn’t always a swift process.
Digital native systems. A converse challenge lies in aligning to a proprietary system born in the digital age. Though innovative, these systems were developed to fit a narrow set of needs, making consolidation more difficult. Digital native organizations are also likely to have customers that expect consistent performance; interruptions can harm the brand.
To evaluate legacy and proprietary systems, get these answers:
- Is the system required for business continuity or key business requirements?
- Is there a more cost-effective, efficient, and secure solution achievable within the M&A transition timeline?
- If immediate replacement isn’t feasible, what combination of security infrastructure, process and policy will mitigate risk until transition to a new system can be completed?
- Also ask for a history of audit and/or breach reports to support your decision.
Policies and procedures. Review documented policies, with special attention to risks around remote work/bring your own device and account security. Be alert for unwritten rules in the workplace culture that you’ll need to address during later cultural integration. Work toward streamlining and standardizing policies, processes, and procedures.
Employees. The security equation includes technology and people. Among 550 surveyed organizations impacted by data breaches last year, 21% of incidents stemmed from employees or contractors, according to IBM’s 2022 Cost of a Data Breach report. Data is at risk from both deliberate acts and unintended errors.
To stay on guard:
- Limit access to the most sensitive data.
- Create a strong plan to shut down access as employees transition out of the organization.
- Move to align all employees with best security practices and new policies if they differ between orgs.
- Stay vigilant for responsibility gaps. Establish process and ownership for issues such as acting on threat intelligence, implementing new security procedures, and owning regulatory compliance.
After the deal closes, stay ahead of snarls by setting goals and leading change.
- Which systems and operations must be integrated to enable business or regulatory compliance requirements?
- What’s ready to merge as soon as the M&A is complete?
- Which systems and processes can be immediately replaced/eliminated? Which will be preserved as-is?
- Can you identify any low effort/high impact security fixes?
Be ready to guide both operational and cultural changes
Leadership & decision-making. Consider how to brief executives and get buy-in. Help stakeholders understand how the entire organization could be exposed to risks related to access (physical or digital), data theft, or regulatory violations, for example. Present risk in terms of business reputation and financial impact. Use the transition as a springboard to a more visible or established relationship with C-suite and/or Board members.
Education and awareness. During transition, uncertainty makes it easier for bad actors to social engineer a breach. As quickly as possible, clearly establish a way for employees to know who to trust, how they’ll be contacted, and how to verify. Decide when and how to begin distributing additional security training information. Plan to develop materials or share existing security awareness resources. Along the way, win support by championing examples of collective efforts and attitudes. Explain what a huge part each employee plays in fighting threats. Flip the cautionary tale to include stories where employees make a heroic move — foiling a phishing attack by reporting a suspicious email, for example.
Compromise and communicate. To keep the path to change smooth, you’ll need support, so be careful of being so demanding and unyielding that you stir up negative attitudes. If security becomes a major roadblock, employees are likely to seek more convenient but less safe workarounds. Finally, make communication a two-way street: get employee input and consider their concerns.
The post-merger hangover stretches every team thin. To keep critical security capabilities robust, enlist extra assistance through this time. An experienced managed security services partner can ensure nothing falls through the cracks while supporting new directions within operations, technology, governance, culture, and education.