Achieving success during 'transparent moments'
There are certain moments throughout a business’s lifecycle where security leaders need to have a clear view into their cloud infrastructure. One example is during the mergers and acquisitions (M&A) process, when it’s crucial that teams understand not only their own organization’s security posture but also that of the company being acquired. Still, a recent Forescout survey of IT and business decision-makers found that 65 percent of respondents regretted an acquisition their company made because of an overlooked cybersecurity issue.
Marriott International’s 2016 acquisition of Starwood Hotels set the company up to become the world’s largest hotel chain. However, it later emerged that cybercriminals had had unauthorized access to Starwood’s reservation system since 2014, leading to a large-scale (and very expensive) data breach in 2018 -- a clear example of why transparency is key during M&A. If Marriott had known that Starwood’s IT infrastructure had been compromised, it could have sought ways to remediate or otherwise address the issue and revised the proposed transaction accordingly. Instead, it was penalized heavily by regulators and hit with lawsuits from customers.
M&A should start with due diligence, with cybersecurity as a major consideration throughout the entire process. It’s important to establish a procedure for evaluating and auditing the company, product, and services to be acquired. Consider if the risk posture is both well understood and acceptable in order to avoid taking on unnecessary risk that could ruin the value of the deal and tarnish your company’s reputation. During this phase, it’s recommended you run a health check to identify potential security issues, configuration errors or IT overlaps. Alternatively, you can consider hiring an outside, third-party auditor to conduct an in-depth evaluation.
During this process, leave no stone unturned. Determine what platforms the company to be acquired uses, how many users have access to the infrastructure, how many laid-off employees might still have licenses (and thus unnecessary access), what types of third-party/shadow IT apps are connected to the environment, and so on. The more security teams know before the merger, the better. And the sooner organizations can migrate certain tasks to the same cloud solution -- such as email -- the easier it will be to connect with newly acquired teammates.
Integration and Migration
During M&A, the acquiring organization is responsible for several key connectivity steps, including consolidating, integrating and migrating data between corporate instances -- all with security and compliance in mind.
Data sovereignty, timelines and technicalities can greatly increase the complexity of navigating an M&A deal, so preparation is key. Consider which technologies are currently used and which need to change to support ongoing, seamless data discovery. Integrating and migrating disparate technologies like Slack, Google Suite, and Outlook can be a challenge, but determining just which shared technologies will be used post-M&A can ease the pressure of potential redundancies or gaps in technology.
License Allocation and Tracking
Knowing which licenses are available during a merger helps ensure employees have proper access to business-critical applications; however, it’s just as important for a business acquiring another organization to identify cost savings by managing inactive or unassigned SaaS and cloud licenses. Research indicates that 56 percent of all Microsoft 365 licenses are not fully utilized, because they are unassigned, unused, over-sized or underutilized. Properly tracking and allocating licenses will help ensure safe, secure onboarding -- likely with an opportunity to eliminate redundant, excess, or under- or over-sized licenses for the workforce.
Onboarding and Offboarding
When two organizations merge, the acquiring organization will need to onboard its newly acquired employees. Just-In-Time-Learning (JITL) addresses the needs of a modern workforce by providing training and answers to tech questions within normal workflows, and can be used to ensure a smooth onboarding process.
Post-M&A, there may be redundancies in staffing, which can lead to layoffs and increased employee turnover. During the offboarding process, revoking employees’ access to company systems should be a top priority. This will help ensure confidential records, data and IP stay within the organization, rather than being exfiltrated or altered by a former employee with unnecessary access.
Maintenance is a key component of achieving success during any major project, including M&A. Consolidated reporting, well-maintained license pools, and timely security patches will help ensure the ongoing health of the newly merged cloud environment.
During any transparent moment -- M&A, IPO, VC investment, etc. -- remember to do your due diligence first to ensure there won’t be any surprises once the merger is complete. Keep security top of mind when integrating and migrating disparate technologies, and don’t let license management fall by the wayside. Be prepared to revoke access to shared resources if employees are being let go and remember that maintenance is key. Happy merging!
Michael Morrison is CoreView's CEO. As a growth-stage operating executive (CEO/COO/SVP) within global business analytics organizations, he has led several companies through critical stages of transformation, predictable revenue growth and successful exits, delivering notable returns for public shareholders. He is passionate about assembling, leading and working alongside amazing teams that effectively develop strategies, solve problems, excel at product innovation and profitably grow top line revenue.