
Managing Security and Network Implications of Mergers and Acquisitions

M&A Madness: Five Tips for Reconciling Your Data Security Posture When Going Through an Acquisition or Merger


M&A activity has been on the upswing over the past 18 months—highlighted by the Verizon-Yahoo merger, the LinkedIn acquisition by Microsoft, and the thousands of other agreements that may have flown under the radar. Market consolidations are in full effect as companies continue to combine resources and market share in an effort to drive efficiencies.

However, companies often neglect the security implications of their merger. After all, each company had theoretically been secure and in compliance before the merger. Why would the combined entity be any different?

Integrating two disparate IT environments with varying security needs, policies, and infrastructures rarely satisfies the security requirements of the larger organization. It is a rare case where two plus two does not equal four.

Whether you are Microsoft buying LinkedIn, or a community credit union merging with a competitor, there are intricate security issues that need to be addressed. My company, Ixia, acquired six companies in the past eight years and was acquired by Keysight Technologies just a few months ago — so we have first-hand experience on both sides of the fence. Needless to say, our integration team has had a busy two years of merging disparate networks and ensuring we are meeting all security requirements.

Here are five tips, based on our own experience, to help you manage the security and network implications of mergers and acquisitions:

1. Immediately conduct a robust security assessment

The first thing you should do—even before the ink dries—is to gather all stakeholders from both sides of the table and assess each company’s existing network infrastructure. Differences in policies, procedures, and technology should be reviewed, and a plan put in place to standardize. For example, one company may require remote systems to access corporate information through a VPN while the other company may allow users more flexibility to log in via public Wi-Fi. A new risk assessment needs to be completed given the changing circumstances, and an agreement put into place to create a new policy or adhere to an existing structure.

2. Make sure the acquired company knows its responsibilities

Security should not be the sole responsibility of the acquiring company. The IT team at the acquired company needs to step up and educate their new colleagues on the security requirements that previously affected their business, and how they may affect the new entity. The acquired company may have operations in regions that the acquiring company does not—and needs to inform the combined team of any regulations or risks that must be addressed. If this burden of diligence is not taken seriously by all parties, it could impact the continuity of the business.

3. Ensure data security consistency

One of the hardest IT tasks associated with M&A is data integration. A plan to integrate both structured and unstructured data needs to be put into place so no data is lost, users continue to have access to pertinent information, and both companies remain compliant throughout the merging process. There are three options. A forklift solution would simply migrate one dataset to the other. If there is not an easy way to do that, IT may try to force a solution—which can be risky and expensive. The third option is to just simply maintain two separate datasets, but that would seriously affect workflows and create massive inefficiencies. Choosing what works for each situation requires an in-depth analysis of the overall cost, capabilities and effectiveness of each choice.

4. Check, double check and recheck all compliance requirements

Especially as individual companies, watchdog groups and governing bodies issue new regulations on data security and privacy, compliance needs to be an underlying consideration throughout the M&A process. Some regulations begin when an organization expands to a certain size—a benchmark that may be hit from the formation of the new company. The same is true for the regions within which the companies operate, and where the larger entity would be conducting business and storing its data.

5. Reconcile your cloud policies

Everyone is migrating to the cloud in some way, shape or form, but there is no standardized playbook for how to get there. As a result, merging companies likely have different policies and vendors when it comes to the cloud. IT teams need to identify the current cloud approach at each company, reassess risk, and develop a consistent strategy for the combined entity. It may make sense to stick to the public cloud, create a virtual private cloud or adopt a hybrid model. Again, it is all about identifying what works in the context of the new organization.

Merging with or acquiring another company has security implications. It is critical to the business that you assess how the merger will affect your company’s current security posture and how differences can be resolved. Data integration, security policies, compliance efforts, and cloud strategies will need to be reassessed with the new combined entity in mind to ease the growing pains associated with M&A activity.

Written By

Marie Hattar is chief marketing officer (CMO) at Keysight Technologies. She has more than 20 years of marketing leadership experience spanning the security, routing, switching, telecom and mobility markets. Before becoming Keysight’s CMO, Marie was CMO at Ixia and at Check Point Software Technologies. Prior to that, she was Vice President at Cisco where she led the company’s enterprise networking and security portfolio and helped drive the company’s leadership in networking. Marie also worked at Nortel Networks, Alteon WebSystems, and Shasta Networks in senior marketing and CTO positions. Marie received a master’s degree in Business Administration in Marketing from York University and a Bachelor’s degree in Electrical Engineering from the University of Toronto.
