Jason Button is a director at Cisco and leads the company’s Security and Trust Mergers and Acquisitions (M&A) team. He was formerly the director of IT at Duo Security, a company Cisco acquired in 2018, making him uniquely positioned to lend his expertise to the M&A process. This blog is the continuation of a series focused on M&A cybersecurity listed at the end of this post. 

With the recent wave of Cisco acquisition announcements — ten this year alone — I am often asked about my experience first-hand, having been part of the Duo Security acquisition in 2018. What I have learned during that time has certainly helped to inform our M&A cybersecurity strategy, including the importance of taking a people-centric approach to integrating new companies into Cisco.

People: The Critical Asset in Mergers & Acquisitions

While my team’s primary role is managing risk in the M&A process, it’s not just about cybersecurity — it’s about the flight risk of people. One of the most important aspects of acquiring and integrating companies into Cisco is setting clear expectations so everyone understands their role and the resources available to support them.

Transparently communicating throughout the M&A process helps to build trust, smooth the transition, and reduce the risk of people leaving because they don’t feel valued or heard. The more you can do upfront to help prepare, partner, and support teams coming into your company will help reduce workforce attrition significantly.

Culture Eats Strategy for Breakfast

As Peter Drucker was once famously quoted, “No matter how great your business strategy is, your plan will fail without a company culture that encourages people to implement it.” Cisco doesn’t just acquire companies for their intellectual property and technology; it invests in human capital and the opportunity to enrich company culture. The Duo acquisition played a pivotal role in helping to transform both Cisco’s culture and security strategy.

While Duo was well known for its agile approach to security innovation, it was also very respected for its workplace diversity and inclusive culture. Cisco leadership soon recognized Duo’s Diversity, Equity, and Inclusion ethos and began adopting practices, prioritizing diverse hiring and promotions, and implementing programs that continue to infuse Cisco’s culture today. When Duo was acquired in 2018, Cisco ranked #48 on the Fortune 100 Best Places to Work list. In 2019 the company rocketed to #6 and has been named #1 for the last three years in a row. While not 100% attributed to the Duo acquisition, it underscores culture’s importance in the M&A process.

The Duo acquisition also influenced Cisco’s transformational journey to become a leading global security company. Duo Multi-factor Authentication (MFA) technology continues to be an essential asset in Cisco’s Zero Trust security strategy and portfolio, helping to safeguard its own enterprise and our customers worldwide.

Relationships Build Trust

Before Cisco acquired Duo, we were proud of our start-up culture and felt energized by the David vs. Goliath dynamic when competing for business. Whether you’re a start-up or an established brand in the industry, being acquired can be equally exciting and scary. While many employees may be energized about the potential financial upside of the transaction and the opportunity to work at Cisco, others may feel a sense of loss. The fact of the matter is what often draws someone to be part of a startup may not be fulfilled when working for a large global enterprise.

I impress upon our team the importance of leading empathetically and adopting a mindset of evolution versus revolution as individuals are being integrated into Cisco’s culture and corporate environment. People need to feel like they can trust both you and the process. Policies and integration frameworks are important but building open and trusted relations is essential to overall success and productivity after an acquisition.

Effective Strategies to Retain Talent

While every acquisition has its own unique characteristics, there are some key tenets that my team tries to apply to ensure a smooth transition, retain talent, and maintain respect:

  • Prepare and support incoming teams so they can quickly integrate into the business and be productive
  • Recognize and regard the value of an individual’s institutional knowledge that goes beyond the intellectual property being acquired
  • Invest in role mapping, so incoming employees have a clear understanding of where they fit in an organization and their opportunities for professional advancement
  • Ensure employees whose roles may be eliminated are respectfully treated and fully supported through outplacement services

In my next blog post, I will revisit the topic of Moving Left to Right: Cybersecurity Practices and Outcomes in M&A Due Diligence, and what we have learned since this report was published last year with the University of California Berkeley’s Center for Long-Term Cybersecurity.

Mergers and Acquisitions Cyber Risk Management

Cybersecurity Awareness Month

Related Blogs

Managing Cybersecurity Risk in M&A

Demonstrating Trust and Transparency in Mergers and Acquisitions

When It Comes to M&A, Security Is a Journey

Making Merger and Acquisition Cybersecurity More Manageable

Ensuring Security in M&A: An Evolution, Not Revolution

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels



Jason Button

Director, Security and Trust Mergers and Acquisitions

Security and Trust Organization