After the Deal Closes: Lessons Learned in M&A Cybersecurity

Jason Button leads the Cisco Security and Trust Mergers and Acquisitions (M&A) organization. He was formerly the director of IT at Duo Security, a company Cisco acquired in 2018, making him uniquely positioned to lend his expertise to the M&A process. This blog is the continuation of a series focused on M&A cybersecurity listed at the end of this post.

This latest blog post will revisit the topic of Moving Left to Right: Cybersecurity Practices and Outcomes in M&A Due Diligence and lessons learned from implementing Cisco’s M&A Cybersecurity Framework last year.

Size Matters

In this year alone, Cisco has made ten acquisition announcements, ranging from small, agile start-ups to well-established, publicly traded companies. The varying size and complexity of the companies we’re looking to acquire entail that we identify, assess, and adjust for risk differently.

Our M&A Cybersecurity Framework has allowed us to scale and streamline our discovery and risk assessment processes to better align with the level of security risk a deal poses. Using standard security guardrails, tooling, systems information, and other automated processes to screen and assess non-integrated risks, we can draft a Discovery Risk Assessment earlier, thereby freeing up teams to focus on assessing more complex acquisitions and potentially greater security risks.

Accelerating Integration

Right-sizing your risk assessment approach has additional benefits, including the ability to identify areas of integration risk to accelerate integration after the deal closes. An example is the Valtix acquisition earlier this year, where we conducted an aggressive and thorough discovery investigation to close the deal before the end of April. The driving factor was the opportunity to debut an essential product integration demonstration in early June at Cisco Live, our flagship customer event.

To meet this timeline, we needed to ensure that the security risk was manageable and that we had stakeholder buy-in. We worked closely with cross-functional teams to identify and prioritize risk mitigation so that we could meet our commitment. By having a robust framework in place, we were able to accelerate the integration process while enabling the Valtix team to be more effective and productive in a short amount of time.

Another lesson we’ve learned is prioritizing visibility into the acquired infrastructure earlier in the process. Deploying tools like Wiz.io and JuniperOne helps educate us about new environments and allows us to identify risks sooner. This is significant when triaging and prioritizing efforts between the company being acquired and the business it will be absorbed into. For the Armorblox and SamKnows acquisitions, we were able to focus on high-priority risks and spend less time spreading efforts across multiple work streams. Having a framework that helps us prioritize risks is what’s most important and ultimately makes for better, more secure products.

Looking Back to Power Forward

Another important lesson learned this year was how to apply the M&A framework to re-visit previous acquisitions to assess and understand risk. Going through this process without time constraints or diligence pressures allowed us to hone our investigative methods and refine our practices. For example, we worked with the Meraki team, a mature organization that was acquired over ten years ago and a significant contributor to Cisco’s portfolio. We combed through a decade’s worth of data to inform how we could simplify and streamline key areas of our integration framework and improve our overall security stance.

Securely Enabling Business Growth

One of the driving factors for Cisco to acquire companies is to identify and invest in new innovations that will improve the security and performance of our solution portfolio. The M&A Cybersecurity team works closely with Cisco’s Corporate Development Integration team to assess and manage risk throughout the discovery, diligence, and integration process.

The M&A Cybersecurity Framework has been a valuable tool to ensure that business, engineering, and operations leaders align and focus on integration well before the deal closes. Operational alignment with IT, Security, and other functions has helped surface important issues, such as addressing workflows and user and customer identities before the integration process. We’ve also found that by elevating security early in the M&A process, we’re helping the business remove obstacles that could get in the way of business goals and achieve its value drivers faster, which leads to accelerated business growth.

Earning and Maintaining Trust

Leadership expert Simon Sinek has frequently stated, “A team is not a group of people who work together.  A team is a group of people who trust each other.”

Our M&A Cybersecurity Framework is a valuable tool to help securely enable the mergers and acquisition process. However, you can’t underestimate the personal factors needed to make it a success. Building trust across a team takes time and requires focusing on developing relationships, being empathetic, and demonstrating respect for a company’s culture.

The press release announcing Cisco’s intention to acquire Splunk cited one of the key value propositions: “Unites two “Great Places to Work” with similar values, strong cultures, and talented teams.” The M&A process is much more than the intellectual property and technology being acquired; the human capital and cultural strengths are often the most valuable assets.

Looking back this year, my colleague Mo Iqbal summed it up best, “We can’t understand the technologies until we understand the people and culture that enabled them to be so successful.”

If you are interested in learning more, please read More than an Asset: The People Side of Mergers & Acquisitions.