Mergers and acquisitions (M&A) are inherently complex events that can place pressure on decision-makers to make highly impactful choices, sometimes without a clear view into the sum of all moving parts. M&A project cycles often default to analyzing business fundamentals to the detriment of evaluating technical risk. The challenge these leaders face is that, in the frenzy of the moment, missing latent cyber risks in a new acquisition is a real, yet avoidable, tragedy.
When your business buys another organization, that integration layers new cyber risks and liabilities onto your own. If these details aren’t adequately surfaced quickly as negotiations complete and the deal is cemented, then the buyer runs the risk of having paid too much. The union of organizations means that the security posture of both the target company and the acquiring entity is reduced to the lowest common security denominator, a virtual “six degrees of separation” between purchase and possible security incident.
Organizations are often hard-pressed, though, when it comes to enumerating technical and cloud security risks. Why might business leaders take so long to seriously evaluate this type of risk? Put succinctly, it’s complexity. Given the trend toward complex multi-cloud and containerized architectures, teams often lack the tools, time, and expertise to fully comprehend the interplay of assets, connections, vulnerabilities, and risks of their own process and technology stack; the problem is compounded with the addition of the new company.
What options are available to reduce or mitigate this quandary?
- Rely on what the seller tells you about their security posture.
  - This is a route frequently chosen for expediency. Reliance is placed on the accuracy of the seller’s self-reporting, prior audits, and industry certifications.
- Hire a third party to conduct an audit or penetration test.
  - This traditional option carries limitations, such as scope and visibility. For example, scans may miss interconnected containerized microservices, or chains of microservices, running within an orchestration platform such as Kubernetes or across disparate cloud networks/providers.
- Employ a cloud security platform.
  - This relatively new choice employs a platform that is designed specifically for cloud and container security. The goal is to visualize both entities’ architectures and call out issues, be they from the buyer, the target, or a combination of the two.
The latter solution is promising; however, to be effective within the constraints of the M&A process and timeline, it should ideally have certain major capabilities:
- Quick and painless implementation into both your own IT environment and that of any company you would acquire.
- Transparency into the running workloads of all major cloud vendors such as AWS, Microsoft Azure, Google Cloud, or hybrid environments.
- Visibility into highly distributed architectures, such as those seen in global, or geographically dispersed operations.
- Continuous monitoring to quickly identify misconfigurations, anomalous behavior, and vulnerabilities.
- Reporting to audit configuration and compliance against the most common security frameworks, such as CIS Benchmarks, PCI-DSS, HIPAA, ISO 27001, SOC 2, and more.
This availability of fast and comprehensive security assessments allows for validation early in the M&A process, where those risk factors could affect negotiations. Similarly, deeper visibility during due diligence, or shortly post-acquisition, can help smooth the potentially complex integration of the new collective set of services.
Here are five steps you can take to improve M&A success with a cloud security platform:
Step 1. Implement early.
- Anyone planning to pursue an M&A strategy should have a cloud security platform in place early. You need full visibility into your own systems to aid in evaluating the addition of the M&A prospect infrastructure. Companies that are seeking to be acquired should consider adopting a cloud security platform to improve their own security posture and become more attractive to buyers.
Step 2. Perform early-stage due diligence.
- Where possible, perform a quick, light assessment of the target company to reveal serious risks and vulnerabilities. A seller can also use the cloud security platform to evaluate their own environment and clean up vulnerabilities before they become concerns for a potential buyer.
Step 3. Perform mid-stage due diligence.
- Perform a deeper assessment that identifies cloud vulnerabilities and misconfigurations, validates the security posture as represented by the seller, validates regulatory compliance, and serves as a basis for integration planning.
Step 4. Leverage the cloud security platform during business and IT integration.
- As you merge processes and standards, use the cloud security platform to verify and monitor control configurations. Use its diverse monitoring and reporting capabilities to reduce cost by consolidating overlapping tools across the security stack.
Step 5. Improve security post-M&A.
- Use the cloud security platform’s capabilities to lower security costs by reducing alerts, optimizing and reducing data processed through the SIEM (where applicable), and cutting time spent researching incidents. Streamline compliance reporting with quickly generated, pre-formatted reports.
Simply put: the keys to reducing M&A cyber risk are painless visibility, with clear context, across complex modern cloud environments, and fast access to informative views and compliance reports.
To view what Lacework can do for you during and after your next M&A transaction, see our demo here.