
How to Plan Your M&A Security Strategy

Previously I explored the importance of evaluating cybersecurity prior to mergers and acquisitions and the layers of security management that involves. However, the security strategy goes beyond having an understanding of what’s involved. There also need to be plans in place so that the merger/acquisition not only causes as little technology disruption as possible, but also prevents gaps in security.

To formulate a plan, below are the bare minimums M&A teams should review during diligence, assuming your team has at least 1-3 weeks:

1. Existing Cyber Environment: The acquiring company needs to be hyper-aware of the environment it is inheriting. Study network and system architectures, including known hardware and software systems, vulnerabilities, IT and OT asset inventory, patching schedule, digital asset management, cloud services, mobile policies, application vulnerabilities, data flows, and more. For example, if an acquiring company is primarily a Windows environment using a colocation center and it is acquiring a Linux and open source environment in AWS, that’s a major integration effort to be planned.

2. Data Management and Protections: Understand all data handling measures, data privacy and security controls, including how the acquisition target stores, uses and disposes of customer data. Review any contractual obligations, especially over data and contractor use that the acquired company may have with another company.

3. Data Storage Compliance: Review the acquired company’s security program to verify that it meets regulatory requirements, current industry standards, and industry best practices.

4. Existing Evaluations: Consider the results of previous security audits and assessments, vulnerability scans, and penetration tests when formulating incident response plans and playbooks. Keep in mind the growth and size of the acquisition relative to the industry and the sensitivity of its data. For instance, a health care records company using an MSSP or MDR should not be seeing a penetration testing company escalating privileges to domain administrator – where ransomware could be deployed – or gaining access to sensitive cloud storage for two weeks with no alerts.

5. Gaps in Role Responsibilities: Understand the IT and security organization hierarchy and start thinking about ensuring the appropriate roles and responsibilities for the team. IT professionals will be expecting to understand where their careers fit into the new organization. Ensure they don’t become future insider threats who have the keys to the kingdom.

6. Current Risks and Threats: At the very minimum, conduct technical due diligence and validation. External threat hunting and cyber hygiene measures are great ways to validate consultative reviews and reported vulnerabilities, review for integration concerns, and confirm with commercially available external telemetry that no active breach is present. If time allows, a compromise assessment is always the most holistic and complete approach to confirming there is no malicious network activity, but it often takes more than 2-3 weeks.

If red flags are present during the above steps, security teams should consider taking the following actions during diligence:

1. Conduct extensive internal and external threat hunting against the target of acquisition over a period of three to six months. 

2. Consider the use of an MDR or MSSP service for such monitoring if it’s more cost effective relative to your internal team’s resources and bandwidth. 

3. Conduct an aggressive and thorough penetration test of the corporate and production environments of the acquisition target, ensuring both security teams work to identify and remediate the issues.

While security teams often feel pressure to move forward even when negative findings are present, ineffective security approaches when integrating two separate organizations can lead to significant issues that undercut the business value of the merger or acquisition. Security shouldn’t be merely a component of mergers and acquisitions; it should be part of the foundation.

Written By

Landon Winkelvoss is Co-founder and VP of Security Strategy at Nisos.
