This is the fourth, and final, part of a four-part blog series covering each of the four phases of the merger & acquisition (M&A) process and how you can build security into each phase. In case you missed them, Part 1 covered why it’s important to integrate security into the due diligence process in the first phase of M&A, Part 2 covered integration planning and public announcement, and Part 3 covered what you can expect on “Day One,” after a merger or acquisition closes.
Phase Four: Longer-term integration
As you move beyond Day One, you’re now able to provide the level of access that our executive teams need on both sides to run the combined business units. And on the operations side, you should have enablement for the different business units to start working together. But the two companies won’t really be integrated yet.
Longer-term integration is about enabling full business processes. One thing you’ll need to start with is comparing your existing technology stack to that of the target. What applications are they using? Are they an Office 365 or Google shop? Do they run Power BI instead of Excel? What cloud assets do they have? How many people are using them and what are they using them for?
You may need to evaluate solutions to decide which is the best technology for the business going forward. Deeper integration will mean getting everybody onto the same tech stack, one way or another. You don’t want to be running duplicate solutions or redundant licenses for key corporate resources for the long term. To manage this phase of integration, you need to first have an actual inventory of everything that’s currently in use. And assembling this kind of comprehensive breakdown of a new company’s tech stack can be very difficult.
The acquirer needs to establish deep and complete visibility of the target company’s entire operation. You should be able to see every application that’s being used, what devices are using them, how many people are using them, and how much data is flowing to and from each application. With that information, the security team can help the CIO and IT department understand the complete technology picture and start planning how to best eliminate duplicate technologies that waste company resources. The good news is there is technology available to provide this level of information and protection.
On a cultural level, this can also be a touchy transition. When one set of users has to transition from a familiar tool or solution to another company’s preferred technology—there can be resistance. Dynamic coaching tools can help these users to notify and prepare for the sunset of an application with automated reminders and direct links to training and other resources to help enable a smooth transition.
For example, when you decide to sunset a duplicate product you are able to set up a notice, so when a user attempts to use the product. You can say, “Notice – this product is being sunset on xx/xx/xx. The new solution is (new solution name) and you can get training by (directions on how to get training).” That message should run up until the date of the transition then use the CASB product to deny further access. If anyone calls to complain, you can look up how many times they were notified of the change.
M&As can be very hard for some people. There may be employees who choose to leave at this point. There might even have to be a reduction in force as part of the acquisition, to eliminate redundant roles in different departments. So security teams also need to be monitoring for potential insider threats. You need to also be able to see what’s going on in terms of risky user behavior and unusual movement of data, IP, or other sensitive company assets.
Build security into your M&As—early and consistently
From start to finish, M&As are difficult to pull off. But the requisite secrecy and complexity are what necessitate security team involvement—early in the process and consistently throughout the different phases. Having a security expert on the core M&A team can provide better visibility to evaluate target companies, protect communications, control information sharing, and identify threat exposures or even unknown breaches that devalue the transaction.
Building security into M&As from the earliest stages of the process isn’t just about protecting the acquirer from risk. It’s also about seeing some of the benefits of bringing these two companies together sooner rather than later. You bought the company because of the operational notion that 1 + 1 = 3. This integration should make both companies more than the sum of their parts as a combined business unit—so you want to start realizing those benefits as quickly as possible.