CISO Responsibilities Before and After an M&A
Mergers and acquisitions always present challenges to an organization. When it comes to cybersecurity, how involved should a CISO be before AND after an acquisition? And can cybersecurity considerations make or break a deal?
Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. Joining us is our guest, Alexandra Landegger, executive director and CISO, Collins Aerospace.
M&A remains a challenging time for CISOs
A merger can bring new opportunities for the business, but from a cybersecurity perspective, there's a lot to account for. Declan Burke, CISO at NorthStandard, summarized the challenges, saying, "A CISO needs to understand and interpret both risk landscapes and build a new security model for the combined group, all during a time when sensitive data is being shared more abundantly, and while the firm is in the spotlight." One of the key ways that CISOs can help ease this transition is effective communication on the challenges. "Delivering salient feedback on key areas can help ease some of the stress of how we plan to address much of the technical uncertainty in a palatable and business friendly way," said John Robinson, CISO at Northrop Grumman.
Understanding what you’re getting into
When a CISO should get involved with the M&A process depends on the specifics of each transaction. Some would prefer getting in as early as possible, with Aditya Sarangapani of WNS saying, "I would get the CISO's team in earlier during the due diligence process rather than after the purchase decision is made." But some think a CISO's involvement in the whole process speaks to bigger structural issues. "If the CISO is involved in every M&A, the process itself is flawed and needs to be revisited," said Eric Elbert, MBA, PMP, CISSP, of RP Technology LLC. Drew Simonis, CISO at Juniper Networks, suggested a sensible middle ground, saying, "A CISO's team can define sound practices but that doesn't mean they need to be operationally involved in their execution."
M&A is a vulnerable time
Announcing a merger or acquisition not only casts a media spotlight, but it also signals a broadened attack surface to threat actors. "We are seeing an increase in targeted attacks on companies upon M&A announcements/closing. Having someone to manage cyber risks strategically during transactions is crucial to preserve deal value," said Dheeraj Gurugubelli of EY-Parthenon. This can persist post-acquisition if cybersecurity teams don't get real visibility into risk. "M&A cyber risk assessments rely on questionnaires and ratings that aren't aligned with actual exposure to attackers/risk. Then it takes two years instead of six months to integrate the acquired company into the 'networks' of the acquired company," said Rob N. Gurzeev of CyCognito.
The CISO needs to stay focused on risk in this process
While M&A can prove a challenging time, it's important to realize the goal of the CISO remains the same in this process. "You need someone who can decipher not only the difference in infosec strategy, but also someone who can dig deep and find the accepted risks that the new organization will have to deal with moving forward," said Fernando Morales of AmeriHealth Caritas. As always, a CISO must connect cybersecurity with value for the business. "The CISO must be a business partner in addition to protecting the confidentiality, integrity, and availability of information assets. Advocate the value that cyber brings to an enterprise," said Kevin Heineman, CISO at Lyric - Clarity in motion.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you're not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Huge thanks to our sponsor, Aphinia
LIVE! Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Mike Kelley, VP, CISO, The E.W. Scripps Company. Thanks to Conveyor.
Thanks to our Cyber Security Headlines sponsor, Conveyor
Shifting Communication Between CISOs and Boards
Video: https://youtu.be/M2u0uE3R1jw
With security incidents increasingly common across companies, boards now have real-world experience of the primacy of cybersecurity when it comes to business risk. This marks a complete shift in how CISOs now communicate with the board, says Kirsten Davies, CISO, Unilever. This has led to more former CISOs being named to boards, where they can offer a more holistic view of how cybersecurity impacts overall risk to an organization. Thanks to Claroty.
Thanks to our sponsor, Claroty
Jump in on these conversations
"What do we think threat actors target for next 3-5 years" (More here)
"Worst mistake you've made/seen in Cyber? Ramifications?" (More here)
"Blank Check for Certs, What to Go For?" (More here)
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship, contact me, David Spark.
Chief Information Security Officer (CISO) ◆ SRE and Technology Infrastructure ◆ Cloud ◆ NIST ◆ MITRE ◆ M&A ◆ Zero Trust ◆ Application Security ◆ Compliance ◆ Risk
1y: Thanks for the mention. I have been involved in a number of M&A transactions (both sides) and I thought the discussion was spot on.
CEO & Co-Founder at CyCognito
1y: Great pod and great job here. It is a super important topic and one of the areas that create the most "unmanaged risk", yet it hasn't changed much in the last 15-20 years, and perhaps hasn't changed at all in the last 5-10 years. I think that the "back foot vs. front foot mentality" makes some of the biggest differences in M&A cyber risk management since, as the acquiring CISO, you don't even know what you're dealing with, and the company getting acquired has no economic incentive to highlight their gaps/risks. It's awesome to see exponentially more risk leaders looking for proactive and modern ways to tackle this challenge, and also know how to communicate it way better than ever before.
Sales Executive
1y: There are the big M&A deals, and then there are the infinite number of hospital 'mergers' that roll in clinics, outpatient suites, smaller hospitals, etc. There have been breaches as they struggle to fold them in. Even if there is a general plan of final state, an already stretched security team may take time to unravel it all.
Head of Enterprise Resilience CISO CISM MBA
1y: Thanks for citing me, David Spark. Having been involved in a few of these now, I'm fascinated by pre/post merger integration. You may recall a well publicised case last year, involving merging magic circle law firms, caught up in the LockBit saga. One report read "While [law firm] has not linked the cyber-attack to the recent merger, LockBit would likely have exploited the financial event". This is the unfortunate risk and reality that comes with being in the media spotlight, and why cyber security should be a key consideration during any M&A deal. Keep spreading the word.
Senior Director | Cybersecurity Leader | AI Safety
1y: Thanks for the mention, David Spark! This is a crucial but often less discussed topic, so appreciate the discussion.