Cloud Computing

After the Deal Closes: Lessons Learned in M&A Cybersecurity

October 30, 2023

1198

[ad_1]

Jason Button leads the Cisco Security and Trust Mergers and Acquisitions (M&A) group. He was previously the director of IT at Duo Security, an organization Cisco acquired in 2018, making him uniquely positioned to lend his experience to the M&A course of. This weblog is the continuation of a sequence centered on M&A cybersecurity listed on the finish of this submit.

This newest weblog submit will revisit the subject of Moving Left to Right: Cybersecurity Practices and Outcomes in M&A Due Diligence and classes realized from implementing Cisco’s M&A Cybersecurity Framework final yr.

Size Matters

In this yr alone, Cisco has made ten acquisition bulletins, starting from small, agile start-ups to well-established, publicly traded corporations. The various measurement and complexity of the businesses we’re trying to purchase entail that we establish, assess, and alter for danger in a different way.

Our M&A Cybersecurity Framework has allowed us to scale and streamline our discovery and danger evaluation processes to raised align with the extent of safety danger a deal poses. Using customary safety guardrails, tooling, programs data, and different automated processes to display screen and assess non-integrated dangers, we will draft a Discovery Risk Assessment earlier, thereby releasing up groups to deal with assessing extra advanced acquisitions and probably higher safety dangers.

Accelerating Integration

Right-sizing your danger evaluation strategy has extra advantages, together with the power to establish areas of integration danger to speed up integration after the deal closes. An instance is the Valtix acquisition earlier this yr, the place we carried out an aggressive and thorough discovery investigation to shut the deal earlier than the tip of April. The driving issue was the chance to debut a vital product integration demonstration in early June at Cisco Live, our flagship buyer occasion.

To meet this timeline, we wanted to make sure that the safety danger was manageable and that we had stakeholder buy-in. We labored intently with cross-functional groups to establish and prioritize danger mitigation in order that we may meet our dedication. By having a strong framework in place, we had been in a position to speed up the combination course of whereas enabling the Valtix staff to be more practical and productive in a brief period of time.

Another lesson we’ve realized is prioritizing visibility into the acquired infrastructure earlier within the course of. Deploying instruments like Wiz.io and JuniperOne helps educate us about new environments and permits us to establish dangers sooner. This is critical when triaging and prioritizing efforts between the corporate being acquired and the enterprise it will likely be absorbed into. For the Armorblox and SamKnows acquisitions, we had been in a position to deal with high-priority dangers and spend much less time spreading efforts throughout a number of work streams. Having a framework that helps us prioritize dangers is what’s most vital and in the end makes for higher, safer merchandise.

Looking Back to Power Forward

Another vital lesson realized this yr was easy methods to apply the M&A framework to re-visit earlier acquisitions to evaluate and perceive danger. Going via this course of with out time constraints or diligence pressures allowed us to hone our investigative strategies and refine our practices. For instance, we labored with the Meraki staff, a mature group that was acquired over ten years in the past and a major contributor to Cisco’s portfolio. We combed via a decade’s price of knowledge to tell how we may simplify and streamline key areas of our integration framework and enhance our general safety stance.

Securely Enabling Business Growth

One of the driving elements for Cisco to accumulate corporations is to establish and spend money on new improvements that may enhance the safety and efficiency of our resolution portfolio. The M&A Cybersecurity staff works intently with Cisco’s Corporate Development Integration staff to evaluate and handle danger all through the invention, diligence, and integration course of.

The M&A Cybersecurity Framework has been a invaluable software to make sure that enterprise, engineering, and operations leaders align and deal with integration effectively earlier than the deal closes. Operational alignment with IT, Security, and different capabilities has helped floor vital points, akin to addressing workflows and person and buyer identities earlier than the combination course of. We’ve additionally discovered that by elevating safety early within the M&A course of, we’re serving to the enterprise take away obstacles that might get in the way in which of enterprise objectives and obtain its worth drivers sooner, which results in accelerated enterprise development.

Earning and Maintaining Trust

Leadership professional Simon Sinek has often acknowledged, “A team is not a group of people who work together.  A team is a group of people who trust each other.”

Our M&A Cybersecurity Framework is a invaluable software to assist securely allow the mergers and acquisition course of. However, you’ll be able to’t underestimate the non-public elements wanted to make it a hit. Building belief throughout a staff takes time and requires specializing in growing relationships, being empathetic, and demonstrating respect for a corporation’s tradition.

The press launch saying Cisco’s intention to accumulate Splunk cited one of many key worth propositions: “Unites two “Great Places to Work” with related values, robust cultures, and gifted groups.” The M&A course of is rather more than the mental property and expertise being acquired; the human capital and cultural strengths are sometimes probably the most invaluable belongings.

Looking again this yr, my colleague Mo Iqbal summed it up greatest, “We can’t understand the technologies until we understand the people and culture that enabled them to be so successful.”

If you have an interest in studying extra, please learn More than an Asset: The People Side of Mergers & Acquisitions.