After the Deal Closes: Classes Discovered in M&A Cybersecurity

Jason Button leads the Cisco Safety and Belief Mergers and Acquisitions (M&A) group. He was previously the director of IT at Duo Safety, an organization Cisco acquired in 2018, making him uniquely positioned to lend his experience to the M&A course of. This weblog is the continuation of a sequence targeted on M&A cybersecurity listed on the finish of this put up.

This newest weblog put up will revisit the subject of Transferring Left to Proper: Cybersecurity Practices and Outcomes in M&A Due Diligence and classes discovered from implementing Cisco’s M&A Cybersecurity Framework final yr.

Dimension Issues

On this yr alone, Cisco has made ten acquisition bulletins, starting from small, agile start-ups to well-established, publicly traded corporations. The various measurement and complexity of the businesses we’re seeking to purchase entail that we determine, assess, and modify for threat in a different way.

Our M&A Cybersecurity Framework has allowed us to scale and streamline our discovery and threat evaluation processes to raised align with the extent of safety threat a deal poses. Utilizing commonplace safety guardrails, tooling, programs info, and different automated processes to display and assess non-integrated dangers, we will draft a Discovery Threat Evaluation earlier, thereby releasing up groups to deal with assessing extra advanced acquisitions and probably better safety dangers.

Accelerating Integration

Proper-sizing your threat evaluation strategy has further advantages, together with the power to determine areas of integration threat to speed up integration after the deal closes. An instance is the Valtix acquisition earlier this yr, the place we performed an aggressive and thorough discovery investigation to shut the deal earlier than the top of April. The driving issue was the chance to debut an important product integration demonstration in early June at Cisco Reside, our flagship buyer occasion.

To fulfill this timeline, we wanted to make sure that the safety threat was manageable and that we had stakeholder buy-in. We labored carefully with cross-functional groups to determine and prioritize threat mitigation in order that we might meet our dedication. By having a strong framework in place, we have been capable of speed up the mixing course of whereas enabling the Valtix workforce to be simpler and productive in a brief period of time.

One other lesson we’ve discovered is prioritizing visibility into the acquired infrastructure earlier within the course of. Deploying instruments like Wiz.io and JuniperOne helps educate us about new environments and permits us to determine dangers sooner. That is important when triaging and prioritizing efforts between the corporate being acquired and the enterprise it is going to be absorbed into. For the Armorblox and SamKnows acquisitions, we have been capable of deal with high-priority dangers and spend much less time spreading efforts throughout a number of work streams. Having a framework that helps us prioritize dangers is what’s most essential and in the end makes for higher, safer merchandise.

Trying Again to Energy Ahead

One other essential lesson discovered this yr was learn how to apply the M&A framework to re-visit earlier acquisitions to evaluate and perceive threat. Going by means of this course of with out time constraints or diligence pressures allowed us to hone our investigative strategies and refine our practices. For instance, we labored with the Meraki workforce, a mature group that was acquired over ten years in the past and a big contributor to Cisco’s portfolio. We combed by means of a decade’s value of knowledge to tell how we might simplify and streamline key areas of our integration framework and enhance our total safety stance.

Securely Enabling Enterprise Progress

One of many driving elements for Cisco to amass corporations is to determine and put money into new improvements that can enhance the safety and efficiency of our resolution portfolio. The M&A Cybersecurity workforce works carefully with Cisco’s Company Improvement Integration workforce to evaluate and handle threat all through the invention, diligence, and integration course of.

The M&A Cybersecurity Framework has been a priceless instrument to make sure that enterprise, engineering, and operations leaders align and deal with integration properly earlier than the deal closes. Operational alignment with IT, Safety, and different features has helped floor essential points, akin to addressing workflows and consumer and buyer identities earlier than the mixing course of. We’ve additionally discovered that by elevating safety early within the M&A course of, we’re serving to the enterprise take away obstacles that would get in the best way of enterprise targets and obtain its worth drivers quicker, which results in accelerated enterprise progress.

Incomes and Sustaining Belief

Management professional Simon Sinek has often said, “A workforce isn’t a bunch of people that work collectively.  A workforce is a bunch of people that belief one another.”

Our M&A Cybersecurity Framework is a priceless instrument to assist securely allow the mergers and acquisition course of. Nonetheless, you possibly can’t underestimate the private elements wanted to make it successful. Constructing belief throughout a workforce takes time and requires specializing in creating relationships, being empathetic, and demonstrating respect for an organization’s tradition.

The press launch asserting Cisco’s intention to amass Splunk cited one of many key worth propositions: “Unites two “Nice Locations to Work” with related values, sturdy cultures, and proficient groups.” The M&A course of is rather more than the mental property and know-how being acquired; the human capital and cultural strengths are sometimes probably the most priceless property.

Trying again this yr, my colleague Mo Iqbal summed it up greatest, “We are able to’t perceive the applied sciences till we perceive the individuals and tradition that enabled them to be so profitable.”

In case you are curious about studying extra, please learn Greater than an Asset: The Folks Facet of Mergers & Acquisitions.