Making Merger and Acquisition Cybersecurity More Manageable


Dan Burke is the director of strategy, risk, and compliance for AppDynamics, a company acquired by Cisco in 2017. Burke and his team are a vital part of the Cisco acquisition process in helping acquired companies adhere to a higher level of cybersecurity. This blog is the fourth in a series focused on M&A cybersecurity, following Shiva Persaud’s post on When It Comes to M&A, Security Is a Journey.

Engaging Earlier to Identify and Manage Risk

Part of the key to Cisco’s success is its ability to acquire companies that strengthen its technology portfolio and securely integrate them into the larger organization. From the outside, that process might appear seamless—consider Webex or Duo Security, for instance—but a fruitful acquisition takes tremendous work by multiple cross-functional teams, primarily to ensure the acquired company’s solutions and products meet Cisco’s rigorous security requirements.

“My team is responsible for aligning new acquisitions to Cisco controls to maintain our compliance with SOC2 and FedRAMP, as well as other required certifications,” says Burke.

When Cisco acquires a new company, it conducts an assessment and produces a security readiness plan (SRP) document. The SRP details the identified weaknesses and risks within that company and what they need to fix to meet Cisco standards.

“In the past, my team wouldn’t find out about an acquisition until they received a completed SRP. The downside of this approach was that the assessments and negotiations had been done without input from our team of experts, and target dates for resolution had already been decided on,” shares Burke.

“We needed to be involved in the process before the SRP was created to understand all risks and compliance issues in advance. Now we have a partnership with the Cisco Security and Trust M&A team and learn about an acquisition months before we can start working to address risks and other issues—before the SRP is completed and the due dates have been assigned,” Burke adds.

“Another issue resolved in this process change is that Cisco can gain earlier access to the people in the acquired company who know the security risks of their solutions. During acquisitions, people will often leave the company, taking with them their institutional knowledge, resulting in Cisco having to start from scratch to identify and assess the risks and determine how best to resolve them as quickly as possible,” says Burke. “It could be vulnerabilities in physical infrastructure or software code or both. It could be that the company isn’t scanning often enough, or they don’t have SOC 2 or FedRAMP certification yet—or they’re not using Cisco’s tools.”

“Third-party vendors and suppliers can also present a challenge,” he adds. “One of the biggest risk areas of any company is outside vendors who have access to a company’s data. It’s essential to identify who these vendors are and understand the level of access they have to data and applications. The sooner we know all these things, the more time we have to devise solutions to solve them.”

“Now that I’m in the process earlier, I can build a relationship with the people who have the security knowledge—before they leave. If I can understand their mindset and how all these issues came about, I can help them assimilate more easily into the bigger Cisco family,” says Burke.

Managing Risk During the M&A Process

The additional benefits of bringing teams in earlier are reduced risk and compliance requirements that can be met earlier. It also provides a smoother transition for the company being acquired and ensures they meet the security requirements that customers expect when using their technology solutions.

“Without that early involvement, we might treat a low-risk issue as high risk, or vice versa. The misclassification of risk is extremely dangerous. If you’re treating something as high risk, that’s low risk, and you’re wasting people’s money and time. But if something’s high risk and you’re treating it as low risk, then you’re in danger of harming your company,” Burke shares.

“The key is to involve their risk, compliance, and security professionals from the beginning. I think other companies keep the M&A process so closely guarded, to their detriment. I understand the need for privacy and to make sure deals are confidential, but bringing us in earlier was an advantage for the M&A team and us,” Burke adds.

Ensuring a Successful M&A Transition

When asked what he thinks makes Cisco successful in M&A, Burke says, “Cisco does a good job of assimilating everybody into the larger organization. I’ve worked at other companies where they kept their acquisitions separate, which means you have people working separately with different controls for different companies. That’s not only a financial burden but also a compliance headache.”

“That’s why Cisco tries to drive all its acquisitions through our main programs and controls. It makes life easier for everybody in terms of compliance. With Cisco, you have that security confidence knowing that all these companies are brought up to their already very high standards, and you can rely on the fact that they don’t treat them separately. And when an acquisition has vulnerabilities, we identify them, set out a remediation path, and manage the process until those risks are resolved,” Burke concludes.

Associated Blogs

Managing Cybersecurity Risk in M&A

Demonstrating Trust and Transparency in Mergers and Acquisitions

When It Comes to M&A, Security Is a Journey
