IT asset management is hard enough these days, considering how readily businesses are migrating their data and tools to the cloud and how quickly employee devices are proliferating in a work-from-wherever world. But now imagine how exponentially more difficult this task becomes when your company absorbs another in a merger or acquisition.
In such a scenario, how does the IT security team inventory, catalog and assess the risks of all the new assets it’s just inherited? According to asset management experts, the answer is: as comprehensively and early in the process as possible. But the challenges often pile, introducing significant risk to an already complex process of integration.
“Historically, security teams have not been brought into early conversations around M&A deals and are often pushed off as an afterthought. This has proven to present a massive issue, as almost every organization in today’s business landscape has a digital component,” said Ben Carr, chief information security officer at Qualys.
Corporate management must understand precisely what’s on the line: “There have been cases where the security posture of the company being acquired is so poor that merging their employees and assets would cross-contaminate,” Carr continued. “This can make it extremely difficult for the business to operate – stalling the onboarding of new employees and derailing the integration of technology.”
In fact, “deals are often stalled – or even fully stopped – by the failure to bring security teams into early conversations,” noted Carr, because the acquiring company “is at risk of introducing new vulnerabilities, poor security postures and unsecured/unknown assets into their environment – having the potential to cost the company millions down the line.”
Ergo, due diligence is an absolute must. Debra Danielson, chief technology officer at Digital Guardian knows all about that. For more than eight years she served as senior vice president of M&A Strategy at CA Technologies before becoming senior advisor at Strattam Capital, where she counseled clients on matters of IT architecture and mergers and acquisitions.
“I was on the diligence side of the house, responsible for ensuring that the target provided us the information we needed to do the planning for integration,” said Danielson. “And that’s really the key to a successful integration: good diligence and planning pre-close. Getting as detailed as possible an inventory during diligence, so that any problems or inconsistencies between the two environments can have pre-close mitigation, or to amend the business case through funding for any challenging aspects of the integration.”
To accomplish this, the acquiring company must be prepared to overcome the asset management challenges and pitfalls typically associated with acquisitions.
Complicating factors
For starters, one key factor is the transparency – or lack thereof – of the organization potentially being acquired. On the one hand, “if the company fails to disclose certain security holes and/or has not historically kept an accurate asset inventory, the deal could be delayed,” said Carr, because it means more work for the organization that’s interested the purchase. “But If the company being acquired has an updated asset and vulnerability inventory, the deal is far less resource intensive.”
Asset transparency and visibility becomes even more difficult when the reason for the M&A deal is to subsume the other company’s technology stack. In such cases, that means not only assessing the company’s internal IT architecture but also evaluating its customer-facing solutions too. “If it is a product driven acquisition, due diligence will take much longer and needs to be extremely thorough,” said Carr.
The scope of the acquisition – including the number of IT systems and services used by the other organization – also can affect the difficulty level of the asset management process. Both small and big acquisitions typically have their own unique array of challenges, according to Joel Fulton, CEO at Lucidum.
For instance, “small acquisitions typically are comprised of cloud and SaaS services, few physical locations with [minimal] on-premise infrastructure… and a proliferation of BYOD endpoints and backup systems, resulting in uncontrolled sprawl of intellectual property and other crucial data,” said Fulton.
On the plus side, “these lightweight, efficient enterprises suit the needs of a fast-moving company unencumbered by process and bureaucracy.” However, “the regular application of best practices demanded by most acquiring companies is an enormous hurdle to discover, deploy, and maintain.” Consequently, these M&A cases often present asset management challenges such as confidential data and source code left on unmanaged devices, drives and cloud storage; insecure third-party access to systems; and “siloed, independent ownership of applications, preventing one [singular] view of applications, data, assets and identities.”
Conversely, larger acquisitions typically involve on-premise infrastructure hosted at multiple physical locations – plus applications, data warehouses, cloud applications and services, and inter-site and remote access VPNs, Fulton continued.
“These large enterprises are prepared for the processes and best practice requirements of security and technology asset management, but rarely match the requirements of the acquiring entity,” he said. And this results in such problems as “divergent security requirements” between the two companies; “dissimilar asset visibility and management systems yielding significant overlap and blind spots;” and a lack of documentation and visibility around “existing security controls, identities, use cases and SLAs.”
The type or location of IT assets being acquired also can complicate the due diligence process. For example, cloud-based assets are trickier to inventory, said Carr, “as the company being acquired is less likely to have a comprehensive inventory of them.” At the same time, older legacy technologies present their own issues, because “if the technology asset has been around for a long time, companies are far less likely to have a handle on it.”
Best practices
Identifying the challenges is one thing; but it’s also important to recommend certain best practice recommendations for performing asset management due diligence in early stages of an M&A event. This should be a standard component of the broader diligence efforts associated with acquisitions.
"It was really a classic security operation," with specific teams focusing on particular portions of the diligence process, recalled Jeff Costlow, CISO of ExtraHop of the company's acquisition by Bain Capital Private Equity and Crosspoint Capital Partners. "And that makes a lot of sense. A lot of money is spent to make sure it all goes through. So you have a lot of factors [to consider]; 'let's gather that information and then let's ask more questions.'"
Indeed, Danielson said the process for asset management specifically revolves around making sure you’re asking all the right questions. For that, she recommended using a “standard template of requests for information that includes every piece of info you need [to] make sure that nothing is missed.”
“My templates had different filters so that I could customize them for different types of acquisitions,” said Danielson. Such flexibility was necessary because “the infrastructure of a 10-person, cloud-native tech buy is vastly different from a customer base roll-up of a mature company, and consequently the RFI is different.”
Danielson’s system was also color-coded with red, yellow and green flags. Red-flagged assets “had to be remediated prior to close” of the M&A deal, items flagged as yellow “needed additional funding or time post-close,” and assets with a green flag were “pleasant surprises” that would serve as a “lever to improve the overall function of the business.”
To aid in the pre-close process, Carr also recommended sending that mature acquiring companies” could “send through a FlyAway Kit – “a server or rack that will include appliances that can be used to evaluate and confirm the due diligence provided.”
Fulton said that asset management due diligence typically happens in phases. Usually in the earliest of stages, before the acquisition is public knowledge, a company seeking out an acquisition might send a small due diligence team to the targeted company, with one or two members focused on technology.
Next comes the cost analysis of performing such an acquisition and the necessary integration, with the company looking out for “poorly understood assets; sprawl on premise, untracked provisioning in the cloud, and heightened risk of data loss through BYOD and shadow IT.”
If the cost seems palatable, and the deal moves forward, then the due diligence goes deeper as the M&A goes public. “Now specifics are demanded: how are those assets managed, results of vulnerability scans, risk mitigating agents, zones, and processes,” Fulton continued. And once integration begins, “the team truly own the assets and for the first time can deploy their own tooling to explore, make visible, control, and manage this new environment.
This span of time, “between the public announcement and the deployment of the acquiring company’s standard tooling brackets,” represents “the greatest period of risk for both companies,” said Fulton. “During this window, malicious attackers, both external and insiders, may take advantage of incomplete security coverage, blind spots and confusion.”
From a technology perspective SIEM tools can help protect against such threats, said Fulton. “But this visibility must include not only assets storing, transmitting, and processing data, but also identities, and data. The visibility must cross all necessary siloes without limitation and permit a comprehensive view of all assets, who uses them, and what data are transacted.”
Despite the potential headaches that come with an M&A situation, IT and cybersecurity professionals should try looking at any newly incoming assets as a potential windfall, not just a burden. After all, “acquisition presents an opportunity to reassess existing tools and potentially uplevel the mother ship when a smaller, potentially more agile and modern entity is integrated” into the business, said Danielson.
But that means being willing to embrace change if the assets you’re inheriting are better than what you currently operate – and that can be another sticking point.
“Most often, an organization will want to apply their own standards, policies, procedures and assets to the company being acquired. When this takes place, there can be a lot of friction,” said Carr. However, the more mature and seasoned that the acquiring CISO is, the more they will be able to holistically see if there is a process or procedure that is being done more efficiently. The key for the acquiring CISO is not to get wrapped up in your own routine. Just because you came up with a process or procedure does not mean that it is right.
Danielson agreed, adding, “It’s a great time to leave your ego at the door and recognize as quickly as possible that the acquired entity isn’t ‘them;’ it’s ‘us.’”
