M&A involves a lot of different stakeholders working together through due diligence, closing and then integration. Leaving cybersecurity leadership out of the conversation can expose companies to business risk.
Robert Huber has been involved with many acquisitions over the course of his career. As chief security officer of Tenable, he recently played a part in the cybersecurity company’s acquisition of Ermetic, a cloud-native application protection company.
Tenable is a public cybersecurity company. It has a large portfolio of products to help its customers manage and reduce cyber risk. Ermetic’s cloud security and cloud infrastructure entitlement management offerings represented an opportunity to augment that portfolio.
“This was essentially a natural opportunity for us to help grow the company from a business perspective but also [to] help meet our customers where the risk lies [in] their cloud environments,” Huber explains.
Tenable announced the completed acquisition of Ermetic on Oct. 2. Huber gives InformationWeek insight into the acquisition process through a cybersecurity lens.
M&A and Cybersecurity Risks
Companies face cybersecurity risk every day, and that risk can be heightened when a company is pursuing an acquisition.
During the exploratory and due diligence steps of an acquisition, the acquirer and the target company must exchange sensitive information to paint a clear picture of the potential value of a deal. “We’re both sharing confidential information … to understand how this fits, how we create a go-to market, everything from pricing strategy to customers,” says Huber. That flow of information can be attractive to threat actors looking to steal and leverage valuable data.
Acquiring and integrating an outside company also means inheriting a brand-new set of cybersecurity risks — both direct and third-party. “If we make an acquisition, a lot of our customers will request to gain some understanding of the security of the company [we] acquired,” Huber explains. How will a company manage those newly acquired risks? Answering that question takes time and comes with a learning curve.
Due diligence plays a big role in uncovering those risks, but the possibility that an unknown risk will emerge following the closing of a deal is almost certain. “I think that is always going to happen,” says Huber. “It’s not [a challenge] you can really plan for other than knowing that something’s going to happen.”
Evaluating an Acquisition Target
Acquisitions can take months or quarters from deal consideration to closing. The first part of that process involves vetting the potential fit from business and technical perspectives. Once an acquisition appears to be a promising fit, the acquiring organization must go through its entire due diligence playbook to understand the opportunities and risks associated with its target.
At Tenable, the entire C-suite is included in this process. Security due diligence is where Huber focuses. “We start out with things as simple as looking at their existing agreements with their customers and understanding what they’ve committed themselves to from a security perspective to existing customers,” he explains.
Next, Huber and his team examine the security posture of the target organization using independent frameworks, such as the NIST Cybersecurity Framework or ISO 27001. More mature organizations may already be able to demonstrate adherence to these frameworks, while smaller companies may have yet to reach that point.
Tenable also has its own internal set of security controls that it can use to evaluate a target organization’s security posture. “I’ll look for gaps of where they may have deficiencies compared to ours,” says Huber.
While working through the deal process, the Tenable C-suite meets twice per week. One meeting is specific to the security program and the other features cross-team collaboration among the company’s business leaders. These meetings give Huber the opportunity to communicate cybersecurity risks to the rest of the C-suite, and the entire team can discuss how those risks fit into the overall context of the potential acquisition.
“I don’t know that security has the seat at the table that I do in every transaction that occurs. I report directly to the CEO,” says Huber. “That’s unusual for somebody in my role.”
If due diligence determines the deal is a fit and the acquisition reaches the finish line, the work is just beginning. “You get the deal done, now, you’ve got what amounts to a year plus worth of work to finish all these integration components and make sure that somebody’s accountable to get those things done,” says Huber.
Huber and his team start with information security policy. What technical controls does the newly acquired company need to adopt to be aligned with the enterprise’s security policies?
“That would be things like endpoint protection or cloud security controls or procurement process controls and third-party risk of reviews,” says Huber. “Those are all controls that we apply.”
Tenable typically targets endpoint controls on devices like laptops and desktops within the first few months of deal close, according to Huber.
The technical controls on the product side of the equation usually take more time. The team may need to engineer changes to the acquisition’s product to bring it in line with the enterprise’s cybersecurity controls.
“We develop plans and timelines that everybody agrees upon to go achieve whatever control or process or procedure change we’re asking for,” says Huber.
Integration also has a talent component. Most of Tenable’s acquisitions have been on the smaller side, according to Huber. In these scenarios, companies typically do not have large, dedicated security teams. Instead, they may have one or two people managing security along with multiple other responsibilities.
“We look at the size of the organization and look at the additional coverage required from our perspective,” Huber details. “We budget essential dollars for additional solutions we might have to acquire, but also, human resources. Do we need more people given the amount of additional work that’s coming our way?”
Each step of the cybersecurity integration process must be prioritized alongside other business functions, like legal and human resources, while allowing the existing business to continue operations.
“What you want to do is maintain their existing business and let them operate effectively because they’re still driving revenue,” says Huber.
Each acquisition is going to offer different lessons to be learned. In the case of the Ermetic deal, Huber shares a positive takeaway. Performing due diligence in a cloud-native environment proved to be a simpler process.
“They have less technical debt than a company that is essentially supporting on-prem solutions and cloud solutions or hybrid environments,” Huber says. “It’s a little bit easier to wrap your arms around, from my perspective, what their risk posture looks like.”