Where does M&A fit into your Business and IT Security Strategy?
Lately I’ve noticed an uptick in mergers and acquisitions (M&A) security discussions at conferences and in security media posts. Some of what I hear is centered on due diligence, legal responsibility, why it’s important, the lack of security involvement in acquisition decisions, and what should happen before a purchase. The reality is, many of these discussions occur after the purchase is finalized or announced. I have read a variety of different perspectives on what to do, some convoluted enough to bog down IT governance in a discussion that never reaches a decision. This sometimes occurs when whoever was responsible for assessing the risk hasn’t been in front of the purchase. Worse, communication between business leaders, in business risk language, has not taken place. Ultimately, these pitfalls can cause M&A security to be ignored or pushed to the “to do later” list.
I’ve worked in the private sector in companies that have routinely purchased other companies as part of their business model. I’ve seen what passes for the norm. When the acquisition is formally announced, an M&A IT questionnaire with IT and security questions is sent out to the acquired company, and it may or may not be answered. The questionnaire, in my humble opinion, is pseudo due diligence. If something goes wrong, like the company is already compromised, then leaders with M&A oversight can say, “Hey, I sent the questionnaire; the company didn’t answer or didn’t disclose.” Today, we should not be relying on questionnaires for M&A security. I’m not saying that all companies do M&A security this way, I’m just saying this is typical from my experience and the experience of some of my colleagues.
If you are a company that buys other companies routinely, you either have a fabulous, structured IT integration methodology, or you don’t. Let’s say most do not. I’m a realist, and yes, this is my qualitative reasoning. Those companies, and I suspect there are many, do not have an IT integration methodology that works well every time a new acquisition occurs. I would imagine the typical company that does not have that integration methodology must be inheriting a tremendous amount of technical debt: software and hardware that is out of date and unsupported. Technical debt translates to risk. Let’s say your company is that company. You are operating on a reasonable budget for your enterprise, but you are neither staffed for nor have budgeted for the kind of assessment of IT and IT security that every new acquisition should go through, in a perfect world. Without a plan for your M&A security, more risk is being inherited.
Security leaders should be able to explain to business leaders that IT and IT security should be seated at the table when new acquisitions are being discussed. Your IT staff should be able to connect remotely to newly acquired companies, possibly pre-acquisition, or go in person to evaluate the candidate company to ensure your company is not buying excessive risks or problems. Yes, it would be nice to do this prior to purchase. It should be a negotiating point for the acquisition. This is the best-case scenario, but not typical.
So, what do you do?
Barring an immediate change in culture, or the realization from your company that you really do need to do M&A security right or be willing to accept the risk as part of the business model, you need to solve the risk problem. Socrates not only said, “Know Thyself,” but he also said, “Seek Answers.”
One answer is that you need to find a fiscally responsible way to interrogate the IT of the recently acquired company as soon as possible, in order to understand the risk, plot the risks on a heat map, get answers to the right questions, and determine what happens next. But you can’t do anything until you know the state of security of the new acquisition.
A few reasonable options for understanding the state of security of the new acquisition include:
1. Send a senior IT analyst and a security analyst to the location for a week to meet, interview, and connect to the enterprise to get an understanding of it. This is your IT person loaded with interpersonal skills.
2. Use a third-party vendor to do the same site visit.
3. If you have agreements with Mandiant, Secureworks, Maddrix, IBM or others who already perform some level of monitoring or assessment of your enterprise with their cloud capability, just add another connection and assess the data.
Obviously there are many other options.
Option 1 can be costly and, as I previously mentioned, you may not have the staff available to send across the world, but a small, skilled team with the right tools, authority, and personality can achieve great results.
Option 2 is reasonable because it’s probably easier to have a company or two on retainer to do the same assessment. You would need to ensure they perform at the same level as option 1.
Option 3 can also be reasonable if you already have agreements in place, the requirements clearly specified, and the VPN in place. This option will require the cooperation of the new acquisition. If you must send someone to the new company in addition to using this option, it probably will become expensive. You wouldn’t want to do this for a smaller acquisition, only the larger ones.
In a previous CISO position I wanted to evaluate the performance of the security operations center. I was interested in the skill set of staff, performance of existing SOC tools, how our people, processes, and technology worked together, and of course, blind spots. I brought in a third-party company, two people, to perform the review/assessment. Out of the assessment I wanted more than a report; I wanted prioritized risk actions to evaluate and execute against that would help me enhance the organization’s security posture. The evaluation team had a cyber kit that was well integrated. I called it a SOC-in-a-Box. While the contract was for a few months, the review/assessment quickly revealed security challenges that needed to be mitigated. John Latuperissa of JFL Consulting was the vendor. The cyber kit, or SOC-in-a-Box, at the time was basically half a rack but is now significantly reduced in size for mobility. While this assessment was several years ago, I saw first-hand how a small team, or even a single individual with the right skill and cyber kit, could help me “know thyself” and understand the risk. I think this same approach could be easily used by companies needing to evaluate new acquisitions.
In a different organization, I contracted with Mandiant for a compromise assessment. Mandiant, like some other companies, uses cloud monitoring/collection. Since this was part of the service, if I needed a new environment evaluated, it was relatively easy and quick. The only challenge here is that you are paying for an existing instance, and for any processing. While quick, this can become costly over time because you need to interpret and analyze the data. Mandiant did a great job producing a white paper on M&A due diligence: https://www.fireeye.com/services/mergers-and-acquisitions-risk-assessment.html
Ultimately, you need to know what the state of security is in the new acquisition in order to weigh and decide what, if anything, needs to be done to ensure the risk to the enterprise is acceptable. And if needed, have a discussion with the Chief Risk Officer to see if any adjustment in risk appetite needs to take place.
As a CIO or CISO, what do you do when you have a new acquisition? You must have a way to know what you are potentially inheriting with the acquisition, and the risks to your enterprise and your business. You need to have something better than a security questionnaire to tell you that. Right-sizing the solution for your company is the challenge, and you do have fiscally responsible options available. While I know the due diligence discussion is important, what is more important is having a clear understanding of the risks and taking action on what needs to be mitigated.