You’re a cybersecurity leader at a growing company. [or information security leader — I’ll just say security from here on out]. You learn that your company is in conversations to acquire a smaller company, to include the people, products, and locations. What do you do?
You likely make a lot of mistakes…at least at first. M&A and security are oftentimes, not a top line consideration for executive teams. Yet, not considering the risk implications of integrating two companies, could lead to disastrous consequences. Consider if your IT team on-boarded a start-up 3rd party vendor that connects to much of your distributed network infrastructure, but neglected to identify that this vendor doesn’t have a dedicated security team. You now have inherited all the risk of that 3rd party, since their product is now integrated into your environment. Now, picture the similar scenario, but your company is integrating every piece of a companies fabric into yours.
ask all the questions
Do their employee desktops have basic endpoint protections?
Is multifactor authentication everywhere? Is it anywhere?
What are their highest priority risk items, and how did they get scored?
Who has access to production systems; or how is least privilege determined?
What is their history with security incidents based on business email compromise?
This list can go on and on. Oftentimes, in a security leaders first M&A event, many of these (and many more) questions will go overlooked. All may be fine. Though, without creating a risk profile, you are merely rolling the dice, hoping not to inherit an active security incident (or worse, integrate an active security incident into your current environment).
….in the next post…
Why creating an M&A Security plan (not dissimilar to a combination of a 3rd party risk assessment plan and an incident response plan) is critical to do in the early stages of a security leaders role.
What should go in a plan, to start, and iterate on.
How to prepare and staff for an acquisition, when they happen very infrequently.