Login
Scott Heider is a manager within the Cisco Security Visibility and Incident Command team that reports to the company’s Security & Trust Organization. Primarily tasked with helping to keep the integration of an acquired company’s solutions as efficient as possible, Heider and his team are typically brought into the process after a public announcement of the acquisition has already been made. This blog is the final in a series focused on M&A cybersecurity, following Dan Burke’s post on Making Merger and Acquisition Cybersecurity More Manageable.
Mergers and acquisitions (M&A) are complicated. Many factors are involved, ensuring cybersecurity across the entire ecosystem as an organization integrates a newly acquired company’s products and solutions—and personnel—into its workstreams.
Through decades of acquisitions, Cisco has gained expertise and experience to make its M&A efforts seamless and successful. This success is in large part to a variety of internal teams that keep cybersecurity top of mind throughout the implementation and integration process.
“Priority one for the team,” says Heider, “is to balance the enablement of business innovation with the protection of Cisco’s information and systems. Because Cisco is now the ultimate responsible party of that acquisition, we make sure that the acquisition adheres to a minimum level of security policy standards and guidelines.”
The team looks at the acquired company’s security posture and then partners with the company to educate and influence them to take necessary actions to achieve Cisco’s security baseline.
That process starts with assessing the acquired company’s infrastructure to identify and rate attack surfaces and threats. Heider asks questions that help identify issues around what he calls the four pillars of security, monitoring, and incident response:
The infrastructure that Heider’s team evaluates isn’t just the company’s servers and data center infrastructure. It can also include the systems the acquisition rents data center space to or public cloud infrastructure. Those considerations further complicate security and must be assessed for threats and vulnerabilities.
Once Heider’s team is activated, they partner with the acquired company and meet with them regularly to suggest areas where that acquisition can improve its security posture and reduce the overall risk to Cisco.
Identifying and addressing risk is critical for both sides of the table, however, not just for Cisco. “A lot of acquisitions don’t realize that when Cisco acquires a company, that organization suddenly has a bigger target on its back,” says Heider. “Threat actors will often look at who Cisco is acquiring, and they might know that that company’s security posture isn’t adequate—because a lot of times these acquisitions are just focused on their go-to-market strategy.”
Those security vulnerabilities can become easy entry points for threat actors to gain access to Cisco’s systems and data. That’s why Heider works so closely with acquisitions to gain visibility into the company’s environment to reduce those security threats. Some companies are more focused on security than others, and it’s up to Heider’s team to figure out what each acquisition needs.
“The acquisition might not have an established forensics program, for instance, and that’s where Cisco can come in and help out,” Heider says. “They might not have tools like Stealthwatch or NetFlow monitoring, or Firepower for IDS/IPS operations.”
When Heider’s team can bring in their established toolset and experienced personnel, “that’s where the relationship between my team and that acquisition grows because they see we can provide things that they just never thought about, or that they don’t have at their disposal,” he says.
One of the most important factors in a successful acquisition, according to Heider, is to develop a true partnership with the acquired company and work with the new personnel to reduce risk as efficiently as possible—but without major disruption.
Cisco acquires companies to expand its solution offerings to customers, so disrupting an acquisition’s infrastructure or workflow would only slow down its integration. “We don’t want to disrupt that acquisition’s processes. We don’t want to disrupt their people. We don’t want to disrupt the technology,” says Heider. “What we want to do is be a complement to that acquisition, – that approach is an evolution, not a revolution.”
The focus on evolution can sometimes result in a long process, but along the way, the teams come to trust each other and work together. “They know their environment better than we do. They often know what works—so we try to learn from them. And that’s where constant discussion, constant partnership with them helps them know that we are not a threat, we’re an ally,” says Heider. “My team can’t be everywhere. And that’s where we need these acquisitions to be the eyes and ears of specific areas of Cisco’s infrastructure.”
Training is another way Heider, and his team help acquisitions get up to speed on Cisco’s security standards. “Training is one of the top priorities within our commitments to both Cisco and the industry,” Heider says. “That includes training in Cisco technologies, but also making sure that these individuals are able to connect with other security professionals at conferences and other industry events.”
When asked what advice he has for enterprises that want to maintain security while acquiring other companies, Heider has a few recommendations.
Having the right security agents and clear visibility into endpoints is critical. As is inputting the data logs of those endpoints into a security event and incident management (SEIM) system. That way, explains Heider, you have visibility into your endpoints and can run plays against those logs to identify security threats. “We’ll reach out to the asset owner and say they might have malware on their system—which is something nobody wants to hear,” says Heider. “But that’s what the job entails.”
Often, end users don’t know that they’re clicking on something that could have malware on it. Heider says user education is almost as important as visibility into endpoints. “Cisco really believes in training our users to be custodians of security, because they’re safeguarding our assets and our customers’ data as well.”
End users should be educated about practices such as creating strong passwords and not reusing passwords across different applications. Multi-factor authentication is a good practice, and end users should become familiar with the guidelines around it.
Updating software and systems is a never-ending job, but it’s crucial for keeping infrastructure operating. Sometimes, updating a system can weaken security and create vulnerabilities. Enterprises must maintain a balance between enabling business innovation and keeping systems and data secure. Patching systems can be challenging but neglecting the task can also allow threat actors into a vulnerable system.
Heider says public cloud operations can be beneficial because you’re transferring ownership liability operations to a third party, like Amazon Web Services or Google Cloud platform. “The only caveat,” he says, “is to make sure you understand that environment before you go and put your customer’s data on it. You might make one false click and expose your certificates to the Internet.”
Heider says that while a big part of his job is helping acquisitions uplevel their security domain to meet baseline security requirements, there’s always the goal to do even better. “We don’t want to be just that baseline,” he says. His team has learned from acquisitions in the past and taken some of those functionalities and technologies back to the product groups to make improvements across Cisco’s solutions portfolio.
“We’re customer zero – Cisco is Cisco’s premier customer,” says Heider, “because we will take a product or technology into our environment, identify any gaps, and then circle back to product engineering to improve upon it for us and our customers.”
Managing Cybersecurity Risk in M&A
Demonstrating Trust and Transparency in Mergers and Acquisitions
When It Comes to M&A, Security Is a Journey
Making Merger and Acquisition Cybersecurity More Manageable
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Dan Burke is the director of strategy, risk, and compliance for AppDynamics, a company acquired by Cisco in 2017. Burke and his team are a vital part of the Cisco acquisition process in helping acquired companies adhere to a higher level of cybersecurity. This blog is the fourth in a series focused on M&A cybersecurity, following Shiva Persaud’s post on When It Comes to M&A, Security Is a Journey.
Part of the secret to Cisco’s success is its ability to acquire companies that strengthen its technology portfolio and securely integrate them into the larger organization. From the outside, that process might appear seamless—consider Webex or Duo Security, for instance—but a fruitful acquisition takes tremendous work by multiple cross-functional teams, mainly to ensure the acquired company’s solutions and products meet Cisco’s rigorous security requirements.
“My team is responsible for aligning new acquisitions to Cisco controls to maintain our compliance with SOC2 and FedRAMP, as well as other required certifications,” says Burke.
When Cisco acquires a new company, it conducts an assessment and produces a security readiness plan (SRP) document. The SRP details the identified weaknesses and risks within that company and what they need to fix to meet Cisco standards.
“In the past, my team wouldn’t find out about an acquisition until they received a completed SRP. The downside of this approach was that the assessments and negotiations had been done without input from our group of experts, and target dates for resolution had already been decided on,” shares Burke.
“We needed to be involved in the process before the SRP was created to understand all risks and compliance issues in advance. Now we have a partnership with the Cisco Security and Trust M&A team and know about an acquisition months before we can start working to address risks and other issues—before the SRP is completed and the due dates have been assigned,” Burke adds.
“Another issue resolved in this process change is that Cisco can gain earlier access to the people in the acquired company who know the security risks of their solutions. During acquisitions, people will often leave the company, taking with them their institutional knowledge, resulting in Cisco having to start from scratch to identify and assess the risks and determine how best to resolve them as quickly as possible,” says Burke. “It could be vulnerabilities in physical infrastructure or software code or both. It could be that the company isn’t scanning often enough, or they don’t have SOC 2 or FedRAMP certification yet—or they’re not using Cisco’s tools.”
“Third-party vendors and suppliers can also present an issue,” he adds. “One of the biggest risk areas of any company is outside vendors who have access to a company’s data. It’s vital to identify who these vendors are and understand the level of access they have to data and applications. The earlier we know all these things, the more time we must devise solutions to solve them.”
“Now that I’m in the process earlier, I can build a relationship with the people who have the security knowledge—before they leave. If I can understand their mindset and how all these issues came about, I can help them assimilate more easily into the bigger Cisco family,” says Burke.
The additional benefits of bringing teams in earlier are reduced risk and compliance requirements can be met earlier. It also provides a smoother transition for the company being acquired and ensures they meet the security requirements that customers expect when using their technology solutions.
“Without that early involvement, we might treat a low-risk issue as high risk, or vice versa. The misclassification of risk is extremely dangerous. If you’re treating something as high risk, that’s low risk, and you’re wasting people’s time and money. But if something’s high risk and you’re treating it as low risk, then you’re in danger of harming your company,” Burke shares.
“The key is to involve their risk, compliance, and security professionals from the beginning. I think other companies keep the M&A process so closely guarded, to their detriment. I understand the need for privacy and to make sure deals are confidential but bringing us in earlier was an advantage for the M&A team and us,” Burke adds.
When asked what he thinks makes Cisco successful in M&A, Burke says, “Cisco does an excellent job of assimilating everyone into the larger organization. I have worked at other companies where they kept their acquisitions separate, which means you have people operating separately with different controls for different companies. That’s not only a financial burden but also a compliance headache.”
“That’s why Cisco tries to drive all its acquisitions through our main programs and controls. It makes life easier for everyone in terms of compliance. With Cisco, you have that security confidence knowing that all these companies are brought up to their already very high standards, and you can rely on the fact that they don’t treat them separately. And when an acquisition has vulnerabilities, we identify them, set out a remediation path, and manage the process until those risks are resolved,” Burke concludes.
Managing Cybersecurity Risk in M&A
Demonstrating Trust and Transparency in Mergers and Acquisitions
When It Comes to M&A, Security Is a Journey
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Shiva Persaud is the director of security engineering for Cisco. His team is responsible for the Cisco Secure Development Lifecycle (CSDL), a set of practices based on a “secure-by-design” philosophy developed to ensure that security and compliance are top-of-mind in every step of a solution’s lifecycle. This blog is the third in a series focused on M&A cybersecurity, following Jason Button’s post on Demonstrating Trust and Transparency in Mergers and Acquisitions.
One of the most important considerations when Cisco acquires a company, is ensuring that the security posture of the acquisition’s solutions and infrastructure meets the enterprise’s security standards. That can be a tricky proposition and certainly doesn’t happen overnight. In fact, at Cisco, it only comes about thanks to the efforts of a multitude of people working hard behind the scenes.
“The consistent message is that no matter where a product is in its security journey, from inception to end-of-life activities, there’s still a lot of work that can happen to lead to a better security outcome,” says Persaud.
While Persaud and his team work within Cisco on all the company’s products and solutions, they also play a critical role in maintaining security standards in Cisco’s mergers and acquisitions (M&A) work.
Simply put, Persaud’s team is tasked with identifying the security risks posed by an acquisition’s technology and helping teams mitigate those risks.
“It starts with a risk assessment where we ask ourselves what an attacker would do to compromise this specific technology,” says Persaud. “What are the industry best practices for securing this type of technology? What do our customers expect this technology to provide from a security perspective? And once we have those risks enumerated, we prioritize them to decide which is the most important to take care of first.”
To anticipate where a hacker might find vulnerabilities and the actions they might take, the CSDL team must put themselves in that attack mindset. Fortunately for Persaud, his interest in computer security started as early as middle school. “It just kind of grew from there,” he says. “For many folks I’ve worked with and hired over the years, it’s a similar situation.”
That lifelong interest and experience work to the team’s advantage. They take a risk-based approach to security, in which they identify all the issues that need to be fixed and then rate them based on the likelihood of occurrence and seriousness of the results of an attack. Those ratings inform their decisions on which issues to fix first.
“We come up with ways to go mitigate those risks and co-author a plan called the Security Readiness Plan, or SRP,” Persaud says. “Then we partner with teams to take that plan and execute it over time.”
In alignment with CSDL’s continuous approach to security throughout a solution’s lifecycle, Persaud says that “security is a journey, so the workflow to finish the secure development lifecycle never ends.”
While initial onboarding of an acquired company—including completion of the initial risk assessment and the SRP—typically ends within several months of the acquisition. Persaud adds, “The work continues as the technology is integrated into a larger tech stack or as it’s modified and sold as a standalone offering to our customers.” As the solution or technology evolves and begins to include new features and functionalities, the CSDL work continues to make sure those features are secure as well.
That work can have its obstacles. Persaud says that one of the primary challenges his team deals with is cutting through the flurry of activity and bids for the acquisition’s attention that come pouring in from all sides. It’s a crazy time for both Cisco and the acquisition, with many important tasks at the top of everyone’s to-do lists. “Not just in the security realm,” says Persaud,” but in many other areas, too. So being able to get the acquisition to focus on security in a meaningful way in the context of everything else that’s happening is a major challenge.”
Another challenge is dealing with acquisitions that might not have much security expertise on their original team. That means they’re not able to give Persaud’s team much help in determining where security risks lie and how serious they are—so Cisco’s engineers have a lot more investigative work to do.
When asked what advice he would give to organizations that want to maintain a good security posture when acquiring another company, Persaud names three key factors.
To succeed in M&A security, it’s critical that the organization’s board of directors, CEO, and all subsequent levels of management support and be committed to meeting a high level of security standards and outcomes. The remaining management of the acquisition also needs to be on board with the security commitment, and both organizations should make sure that all employees recognize that commitment and support. If management support is not there, the work ultimately won’t get done. It can be difficult and time-consuming and without companywide recognition of its key importance, it won’t get prioritized, and it will get lost in the myriad of other things that all the teams have to do.
The issue of security can get really complicated, very quickly. Persaud says it’s smart to find industry standards and best practices that already exist and are available to everyone, “so you’re not reinventing the wheel—or more concerning, reinventing the wheel poorly.”
Where to look for those industry standards will vary, depending on the technology stack that needs to be secured. “If you are interested in securing a web application,” says Persaud, “then starting with the OWASP Top Ten list is a good place to start. If you are selling a cloud offer or cloud service, then look at the Cloud Security Alliance’s Cloud Controls Matrix (CCM) or the Cisco Cloud Controls Framework.”
One way to think of it, Persaud says, is that there are a variety of security frameworks certain customers will need a company to adhere to before they can use their solutions. Think frameworks like FedRAMP, SOC-2, Common Criteria, or FIPS.
“You can align your product security work to those frameworks as a baseline and then build on top of them to make technology more resilient.” It’s a great place to start.
It’s essential that an organization be very clear on what it wants to accomplish when it comes to ensuring security of an acquisition’s solutions and infrastructure. This will help it avoid “trying to boil the whole ocean,” says Persaud.
Persaud and his team talk about working up to security fitness the way a runner would start with a 5K and work up to an Ironman competition. “You take progressive steps towards improving,” he says. “You’re very explicit about what milestones of improvement you’ll encounter on your journey of good security.”
Persaud says Cisco is uniquely positioned to help organizations maintain security standards when acquiring other companies. He points to three critical differentiators.
“The level of visibility and support that we have for security at Cisco, starts with our board of directors and our CEO, and then throughout the organization,” says Persaud. “This is a very special and unique situation that allows us to do a lot of impactful work from a security perspective,”
Cisco has long been adamant about security that’s built in from the ground up and not bolted on as an afterthought. It’s the reason the CSDL exists, as well as the Cisco Security & Trust Organization and the many, many teams that work every day to infuse security and privacy awareness into every product, service, and solution—including the technology and infrastructure of newly acquired companies.
Once Persaud’s team has identified and assessed the security risks of an acquisition, his and other teams go about helping the acquisition address and mitigate those risks. Cisco provides a set of common building blocks or tools that teams can use to improve the security posture of an acquisition.
“We have secure libraries that teams can integrate into their code base to help them do certain things securely, so that the individual teams don’t have to implement that security functionality from scratch,” says Persaud. “And Cisco produces certain pieces of hardware that can be leveraged across our product lines, such as secure boot and secure storage.”
“Cisco’s operations stack also has various services acquisitions can use,” says Persaud. “An example of this comes from our Security Vulnerability and Incident Command team (SVIC). They provide logging capabilities that cloud offers at Cisco can leverage to do centralized logging, and then monitor those logs. SVIC also offers a security vulnerability scanning service so individual teams don’t have to do it independently.”
Another critical building block is Persaud’s team and their expertise. They act as a valuable resource that teams can consult when they want to build a new feature securely or improve the security of an existing feature.
Persaud concludes, “Cisco has an extremely strong and active security community where teams can ask questions, gain insights, give guidance, troubleshoot issues, share ideas and technology, and discuss emerging security topics. The community is committed to helping others instead of competing against each other. Members have the mindset of enriching the overall approach to security at Cisco and learning from any source they can to make things continually better.
Managing Cybersecurity Risk in M&A
Demonstrating Trust and Transparency in Mergers and Acquisitions
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Jason Button is a director at Cisco and leads the company’s Security and Trust Mergers and Acquisitions (M&A) team. He was formerly the director of IT at Duo Security, a company Cisco acquired in 2018, making him uniquely positioned to lend his expertise to the M&A process. This blog is the second in a series focused on M&A cybersecurity, following Jacob Bolotin’s post on Managing Cybersecurity Risk in M&A.
All good relationships are built on trust. Add in transparency, and the union becomes even more substantial. “Trust and transparency underpin everything we do,” says Button, “Cisco takes security, trust, and transparency very seriously, and it’s part of our team’s fabric.”
When Cisco acquires a company, the Security and Trust M&A team looks at not only what they can offer in the way of security but also what unique qualities the acquired company brings to Cisco. These qualities might be related to security, but they’re also found in the acquired company’s culture, technical knowledge, and processes.
In all acquisitions, the M&A team needs to move fast. In fact, the Cisco team is committed to pushing even faster as long as they never compromise on security. Around 2020, Button and his team began taking stock of how it does things. They evaluated everything from the ground up, willing to tease out what is working and toss out what isn’t.
The team is also on a trajectory of identifying how it can digitize and automate security.
“If we were going to do things differently, we needed to be bold about it,” says Mohammad Iqbal, information security architect in the Security and Trust M&A team. One of the changes Iqbal proposed to his colleagues is to ensure that an acquired company is integrated into Cisco’s critical security controls within three months after the acquisition deal closes.
To successfully meet the three-month target, the M&A team works closely with the acquired company to identify and address all non-integrated risks (NIRs) that Cisco inherits from an acquisition and encompass:
NIRs are a subset of eight security domains, or operating norms, that align with Cisco’s security and trust objectives and top priorities of the larger security community (Figure 1). The M&A team’s focus on NIRs steers the due diligence conversation away from identifying the acquisition’s security deficiencies and towards understanding the inherent risks associated with the acquisition and measuring the security liability.
“Acquisitions are coming in with these risks, and so we must address NIRs early when we’re signing non-disclosure agreements. In doing so, we help put these companies in a position to integrate successfully with all the security domains. And this integration should be done in the shortest time possible within a year of close,” Iqbal says.
Building trust and being transparent early on is critical so the acquired company knows what’s expected of them and is ready to accomplish its three-month and first-year goals.
“I wish this type of conversation was offered to me when Cisco acquired Duo,” Button says. “Being on the Duo side of that deal, I would’ve been able to say with confidence, ‘OK, I get it. I know what’s expected of me. I know where to go. I know what I need to do with my team.’”
“We have a limited time window to make sure an acquisition company is heading down the right route. We want to get in there early and quickly and make it easy,” adds Button.
Reducing the manual intervention required by the acquired company is integral to helping the acquisition meet the three-month goal. Here’s where automation can play a significant role and the M&A team is looking toward innovation.
“We’re working on bringing in automated processes to lessen the burden on the acquired company,” says Iqbal. The M&A team realizes that much of the automation can be applied in instrumenting the security controls and associated APIs to help the team move beyond what they have already assessed at acquisition day 0 and gain the visibility they need to get the acquired company to its three-month goal. For example, they can automate getting the acquired company on Cisco’s vulnerability scans, using internal tools, or attaining administrative access privileges.
So, Iqbal, Button, and the rest of the team are working on automating processes—developing the appropriate architecture pipeline and workflows—that help acquired companies integrate critical security controls. While the ability to automate integration with security controls is not novel, the innovation that the M&A team brings to the table is the ability to position an acquired target to integrate with security controls in the most expedited way possible.
As with due diligence, the M&A team strives to complete the discovery phase before the acquisition deal close. Here’s another step where digitization and automation can simplify and shorten processes. Take the acquisition company questionnaire, for instance.
“Instead of asking dozens of questions, we could give the company an audit script to run in their environment,” Iqbal says. “Then, all they have to do is give us the results.”
Also, the questionnaire can be dynamically rendered through a dashboard, improving the user experience, and shortening completion time. For example, the number of questions about containers could automatically retract if the acquired company uses Azure Kubernetes Service.
Many teams within Cisco compete for an acquired company’s time before and after an acquisition deal closes. The acquired company is pulled in several different directions. That’s why the Security and Trust M&A team doesn’t stop looking for ways to digitize and automate security processes after the close—to continue to help make the acquired company’s transition more manageable.
“If we can make processes simple, people will use them and see the value in them within days, not weeks or quarters,” says Button.
“The majority of companies we acquire are smaller,” Button says. “They don’t have large security teams. We want them to tap our plethora of security experts. We want to enable an acquired company to apply Cisco’s ability to scale security at their company. Again, we want things to be simple for them.”
The M&A team helps facilitate simplicity by telling a consistent story (maintaining consistent messaging unique to the acquired company) to all the groups at Cisco involved in the acquisition, including M&A’s extended Security and Trust partners such as corporate security, IT, and supply chain. Because each group deals with different security aspects of the integration plan, it’s essential that everyone is on the same page and understands the changes, improvements, and benefits of the acquisition that are relevant to them. Maintaining a consistent message can go a long way toward reducing complexity.
The human element can easily get overlooked throughout an acquisition’s myriad business, technical, and administrative facets. Balancing the human aspect with business goals and priorities is essential to Button and the entire Security and Trust M&A team. They want to bring the human connection to the table. In this way, trust and transparency are on their side.
“Emotions can run the gamut in an acquisition. Some people will be happy. Others will be scared. If you don’t make a human connection, you’ll lose so much value in the acquisition,” Button says. “You can lose people, skillsets, efforts. If we don’t make that human connection, then we lose that balance, and we won’t be off to a great start.”
One way the M&A team helps maintain that balance is by embracing the things that make the acquired company unique. “It’s vital to identify those things early on so we can protect and nurture them,” says Button.
He also wants to remind companies that they don’t have to be experts at everything asked of them during acquisition. “Cisco has been here for a while. We have entire teams within M&A that are dedicated to doing one thing. We can help acquired companies find out where they’re struggling. We can handle the things they don’t want to deal with.”
“M&A is complex, but complexity is off the chart when you talk about M&A and security. Our team won’t be successful if we can’t find a way to make things easier for the acquired company. They need to understand where they’re headed and why,” Button says. “It’s up to us to motivate them towards a successful outcome.”
Managing Cybersecurity Risk in M&A
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
As Technology Audit Director at Cisco, Jacob Bolotin focuses on assessing Cisco’s technology, business, and strategic risk. Providing assurance that residual risk posture falls within business risk tolerance is critical to Cisco’s Audit Committee and executive leadership team, especially during the mergers and acquisitions (M&A) process.
Bolotin champions the continued advancement of the technology audit profession and received a master’s degree in cybersecurity from the University of California Berkeley. After completing the program in 2020, he spearheaded a grant from Cisco to fund research conducted by the university’s Center for Long-Term Cybersecurity, which included identifying best practices around cybersecurity risk and risk management in the M&A process, captured in this co-authored report.
When asked about his approach to evaluating risk management, Bolotin likens the corporate dynamics to a Formula One racing team, whose success depends on the effective collaboration of experts to meet the challenges of the most demanding racecourses. In Bolotin’s analogy, a corporation (say, Cisco) is the Formula One vehicle, and the business (i.e., executive and functional leaders) races the car on the track. In the pit, you have IT and technology support, which maintains operations and optimizes efficiencies to ensure the vehicle’s peak performance. Meanwhile, InfoSec is the designer and implementor of risk management capabilities (for instance, ensuring the latest technology is deployed and within expected specifications). These groups converge to help keep the business running and help ensure the vehicle is race-day-worthy.
An M&A deal is a significant business opportunity and represents the transition to a new Formula One race car. In this scenario, the business cannot physically get behind the wheel and test drive it. Frequently, the car cannot be inspected, and critical data is not available for review before the deal. The competitive balance and sensitive nature of M&A deals require the business to trust that the car will perform as expected. “Laser-focused due diligence enables you to understand where the paved roads [the most efficient paths to data security, for example] may lie. This is where the Cisco Security and Trust M&A team plays an integral role,” says Bolotin. “They can look down those paved roads and determine, from a cybersecurity perspective, which capabilities Cisco should own, and which ones are better for the acquired business to manage. This team understands what to validate, so the audit committee and key stakeholders can be confident that the business will be able to drive the new Formula One car successfully and win the race.”
Risk management, assessment, and assurance are vital to establishing this confidence. The technology audit team conducts risk assessments across all of Cisco, including M&As, for key technology risk areas, including product build and operation. In addition to risk management oversight, Bolotin and the technology audit team are responsible for assuring the Audit Committee that the acquired entity can be operationalized within Cisco’s capabilities without undermining the asset’s valuation.
“We don’t want to run duplicate processes and systems, especially when we have bigger economies of scale to leverage,” Bolotin says. “We must operationalize the acquisition. That is table stakes. And we must do it while maintaining the integrity and security of the entity we are acquiring.”
In 2019, Bolotin resurrected a working group of technology audit director peers from companies, including Apple, Google, Microsoft, ServiceNow, and VMware, called the “Silicon Valley IT Audit Director Working Group”. The directors meet regularly to share insights and explore issues around technology risk, risk management, and business risk tolerance. “I wanted to get with my peers and understand how they do their job,” he says. “We collaborate on defining ‘what good looks like,’ as we co-develop audit and risk management programs to help move the industry forward”.
Bolotin, along with a few other members of the working group, was selected to participate in a separate research study conducted by the Center for Long-Term Cybersecurity, aimed at developing a generalized framework for improving cybersecurity risk management and oversight within M&A. Among the research questions, the working group members were asked to identify their key cybersecurity risks and where those risks sit in the M&A process.
“In my opinion, the biggest cybersecurity risks today are cloud security posture and third-party software inventory and bill of materials, or SBOM,” says Bolotin. “These risks impact not only product acquisitions but our ability to secure and operationalize business capabilities within Cisco. Whether we transition capabilities to run within Cisco or leave them for the acquired company to operate, we must have a thorough understanding of any third-party risks that may exist in IT, in the technologies and systems used by the acquired company, or anywhere else. Especially those that may impact the broader Cisco enterprise as the new entity is integrated.”
Cybersecurity risk is attached to talent management and moral hazards as well. “It’s not uncommon to lose talent in acquisition deals,” Bolotin says, “and these days, much of this talent is cybersecurity focused. This potential loss is a huge risk for us and can sometimes be due to cultural differences between Cisco and the acquired entity. People who would rather be on a swift and elegant sailboat do not readily choose to be a passenger on a massive cruise ship, no matter how grand or impressive.”
Moral hazards are always a concern in M&A. Red flags can include ongoing data breaches and either downplaying or providing misleading information about a security incident. The Cisco Security and Trust M&A team does a tremendous amount of due diligence around these hazards, sometimes augmented by investigative techniques from a Cisco security partner, such as trolling the dark web. Companies can protect themselves against the risk of moral hazards through clauses inserted in the acquisition contract.
Concerning contracts, Bolotin advises companies to ensure the risk management commitments they set down are realistic. “Companies need to be very sure they have received the right inputs to enable them to manage every relevant cybersecurity vulnerability, whether it is a misconfiguration on the acquisition’s security firewall, within their network, their product in the cloud, or any other significant vulnerability, based on contractual obligations. You need to be sure you can commit to privacy investigation and breach event readiness, and notification process the acquired entity needs and have a clear sense of how fast you can meet these requirements.”
Bolotin ardently reminds companies that risk management in cybersecurity is not owned by a solitary group. Managing risk is a collective effort that transcends different organizations, each of which should understand its role in helping to mitigate the risks.
“Risk management begins in the production environment, with the engineers building code and downloading software to help them create new products and capabilities,” says Bolotin. “It’s essential that everyone understands how to identify and properly manage cybersecurity risks in their everyday work, including the tools and services used to enable the business, and work to mitigate applicable risks, especially in these critical areas.”
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
FreshRSS 