When It Comes to M&A, Security Is a Journey


Shiva Persaud is the director of security engineering for Cisco. His team is responsible for the Cisco Secure Development Lifecycle (CSDL), a set of practices based on a “secure-by-design” philosophy developed to ensure that security and compliance are top-of-mind in every step of a solution’s lifecycle. This blog is the third in a series focused on M&A cybersecurity, following Jason Button’s post on Demonstrating Trust and Transparency in Mergers and Acquisitions.

One of the most important things when Cisco acquires a company is ensuring that the security posture of the acquisition’s solutions and infrastructure meets the enterprise’s security standards. That is a challenging proposition and certainly doesn’t happen overnight. In fact, at Cisco, it only comes about thanks to the efforts of a multitude of people working hard behind the scenes.

“The consistent message is that no matter where a product is in its security journey, from inception to end-of-life activities, there’s still a lot of work that can happen to bring about a better security outcome,” says Persaud.

While Persaud and his team work within Cisco on all of the company’s products and solutions, they also play a vital role in maintaining security standards in Cisco’s mergers and acquisitions (M&A) work.

Identifying Risks Takes the Mindset of a Hacker

Simply put, Persaud’s team is tasked with identifying the security risks posed by an acquisition’s technology and helping teams mitigate those risks.

“It starts with a risk assessment where we ask ourselves what an attacker would do to compromise this particular technology,” says Persaud. “What are the industry best practices for securing this type of technology? What do our customers expect this technology to provide from a security perspective? And once we have those risks enumerated, we prioritize them to figure out which is the most important to address first.”

To anticipate where a hacker might find vulnerabilities and the actions they might take, the CSDL team must put themselves in that attack mindset. Fortunately for Persaud, his interest in computer security started as early as middle school. “It just kind of grew from there,” he says. “For many people I’ve worked with and hired over the years, it’s a similar situation.”

That lifelong interest and experience work to the team’s advantage. They take a risk-based approach to security, in which they identify all the issues that need to be fixed and then rate them based on the likelihood of occurrence and the seriousness of the consequences of an attack. Those ratings inform their decisions on which issues to fix first.

“We come up with ways to go mitigate those risks and co-author a plan called the Security Readiness Plan, or SRP,” Persaud says. “Then we partner with teams to take that plan and execute it over time.”

Not One-and-Done: Ensuring Security Is a Continual Priority

In alignment with CSDL’s continuous approach to security throughout a solution’s lifecycle, Persaud says that “security is a journey, so the workflow to finish the secure development lifecycle never ends.”

While initial onboarding of an acquired company—including completion of the initial risk assessment and the SRP—typically ends within a few months of the acquisition, Persaud adds, “The work continues as the technology is integrated into a larger tech stack or as it’s modified and sold as a standalone offering to our customers.” As the solution or technology evolves and begins to include new features and functionalities, the CSDL work continues to make sure those features are secure as well.

That work can have its obstacles. Persaud says that one of the main challenges his team deals with is cutting through the flurry of activity and bids for the acquisition’s attention that come pouring in from all sides. It’s a hectic time for both Cisco and the acquisition, with many important tasks at the top of everyone’s to-do lists. “Not just in the security realm,” says Persaud, “but in many other areas, too. So being able to get the acquisition to focus on security in a meaningful way in the context of everything else that’s happening is a major challenge.”

Another challenge is dealing with acquisitions that might not have much security expertise on their original team. That means they’re not able to give Persaud’s team much help in identifying where security risks lie and how serious they are—so Cisco’s engineers have much more investigative work to do.

3 Ways to Make Security Simpler in M&A

When asked what advice he would give to organizations that want to maintain a good security posture when acquiring another company, Persaud names three key factors.

Top-down support for and commitment to security

To succeed in M&A security, it’s critical that the organization’s board of directors, CEO, and all subsequent levels of management support and be committed to meeting a high level of security standards and outcomes. The remaining management of the acquisition also needs to be on board with the security commitment, and both organizations should make sure that all employees recognize that commitment and support. If management support isn’t there, the work ultimately won’t get done. It can be difficult and time-consuming, and without companywide recognition of its key importance, it won’t get prioritized, and it will get lost in the myriad of other things that all the teams have to do.

Align to industry standards and best practices

The issue of security can get really complicated, very quickly. Persaud says it’s good to find industry standards and best practices that already exist and are available to everyone, “so that you’re not reinventing the wheel—or more concerning, reinventing the wheel poorly.”

Where to look for those industry standards will differ, depending on the technology stack that needs to be secured. “If you are interested in securing a web application,” says Persaud, “then starting with the OWASP Top Ten list is a good place to start. If you are selling a cloud offering or cloud service, then look at the Cloud Security Alliance’s Cloud Controls Matrix (CCM) or the Cisco Cloud Controls Framework.”

One way to think about it, Persaud says, is that there are a number of security frameworks certain customers will need a company to adhere to before they can use their solutions. Think frameworks like FedRAMP, SOC 2, Common Criteria, or FIPS.

“You can align your product security work to those frameworks as a baseline and then build on top of them to make technology more resilient.” It’s a great place to start.

Decide on very focused outcomes that facilitate improvement over time

It’s essential that an organization be very clear on what it wants to accomplish when it comes to ensuring the security of an acquisition’s solutions and infrastructure. This will help it avoid “trying to boil the whole ocean,” says Persaud.

Persaud and his team talk about working up to security fitness the way a runner would start with a 5K and work up to an Ironman competition. “You take progressive steps towards improving,” he says. “You’re very particular about what milestones of improvement you’ll encounter on your journey of good security.”

3 Ways Cisco Can Help

Persaud says Cisco is uniquely positioned to help organizations maintain security standards when acquiring other companies. He points to three critical differentiators.

Companywide commitment to security

“The level of visibility and support that we have for security at Cisco begins with our board of directors and our CEO, and then throughout the organization,” says Persaud. “It is a very special and unique situation that allows us to do a lot of impactful work from a security perspective.”

Cisco has long been adamant about security that’s built in from the ground up and not bolted on as an afterthought. It’s the reason the CSDL exists, as well as the Cisco Security & Trust Organization and the many, many teams that work every day to infuse security and privacy awareness into every product, service, and solution—including the technology and infrastructure of newly acquired companies.

Robust set of building blocks to enable secure outcomes

Once Persaud’s team has identified and assessed the security risks of an acquisition, his and other teams go about helping the acquisition address and mitigate those risks. Cisco offers a set of common building blocks or tools that teams can use to improve the security posture of an acquisition.

“We have secure libraries that teams can integrate into their code base to help them do certain things securely, so that the individual teams don’t have to implement that security functionality from scratch,” says Persaud. “And Cisco produces certain pieces of hardware that can be leveraged across our product lines, such as secure boot and secure storage.”

“Cisco’s operations stack also has numerous services acquisitions can use,” says Persaud. “An example of this comes from our Security Vulnerability and Incident Command team (SVIC). They provide logging capabilities that cloud offers at Cisco can leverage to do centralized logging, and then monitor those logs. SVIC also provides a security vulnerability scanning service so individual teams don’t have to do it independently.”

Another critical building block is Persaud’s team and their expertise. They act as a valuable resource that teams can consult when they want to build a new feature securely or improve the security of an existing feature.

Strong security community intent on providing solutions

Persaud concludes, “Cisco has an extremely strong and active security community where teams can ask questions, gain insights, give guidance, troubleshoot issues, share ideas and experience, and discuss emerging security topics. The community is committed to helping others instead of competing against one another. Members have the mindset of enriching the overall approach to security at Cisco and learning from any source they can to make things continually better.”

Related Blogs

Managing Cybersecurity Risk in M&A

Demonstrating Trust and Transparency in Mergers and Acquisitions
