
M&A Due Diligence Must Include Cybersecurity Considerations


Mergers and acquisitions (M&A) are a regular occurrence in the business world. And while we’re all familiar with the concept of due diligence when it comes to judging the financial performance of another company, it’s time for enterprises to apply that same level of scrutiny to the cybersecurity capabilities of a potential acquisition. A thorough review of the target’s security architecture, processes and policies should be a firm requirement of any M&A process.

But where should the cybersecurity due diligence process begin? As a CISO, I recommend that companies start by confirming that their acquisition target’s past investments in cybersecurity were made in a manner commensurate with the growth of the company. Ask the following:

  • Have baseline investments been made not just in detection controls but also in more proactive and preventative measures to protect data?
  • Have investments been made in ensuring that Information Security staff are on hand to support the management of risk?
  • Have non-IT employees gone through cybersecurity training?
  • Can acquirers establish with confidence that the company being assessed has not already been breached?

Due diligence should be maintained throughout the entire M&A process, particularly before information about the activity goes public. While I don’t have specific numbers, I think it’s safe to assume that there have been situations in which a hacker or a less-than-scrupulous employee has broken into an enterprise network in search of material information they could exploit for their own financial gain before news of an M&A became public. The fallout of such activity could be extreme, so it’s important that acquirers and those looking to be acquired consider and implement the appropriate cybersecurity controls to ensure proprietary information doesn’t leak.

The constant stream of security breaches in the news has gained the attention of executive leadership and boards of directors, who are now looking to their CSOs/CISOs to minimize their risk exposure when contemplating major business moves like an M&A.

I would encourage my fellow CISOs (or any other executive looking for guidance and recommendations around cybersecurity policy guidance) to visit SecurityRoundtable.org, a community designed to share best practices, use cases and expert advice to help executives better manage cybersecurity risk.

[Palo Alto Networks Research Center]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years’ experience in the ICT/Cybersecurity industry in various sectors and positions.
