A cyber resilient approach to acquisitions

Accenture has been described as the world’s most acquisitive firm. In the first quarter of fiscal 2024, Accenture closed 12 acquisitions for a total of $788 million, acquiring, on average, a new company every two weeks. This past fiscal year saw 25 acquisitions. Our company’s ability to invest at scale to fuel our organic growth is a competitive advantage. As beneficial as this is to our business, the companies being acquired are often small and have lower cybersecurity maturity and therefore introduce risk.

This risk stems from cyber criminals who monitor the market and continue to develop new attack targets. Small companies are generally not of interest until a big company announces an acquisition intention. These criminals then strike in an attempt to extort from the acquiring company whose cash stake in the acquisition target has been made public.

These threats had our Information Security organization zeroing in on how do we rapidly change the security posture of smaller companies and keep them secure? We knew it was critical to remediate risks early and to shorten the integration timeline. Yet, this is no small feat given the companies acquired vary immensely in type and variety of IT environments.

Here’s how we did it.

?

Our cyber enablement program

Our Information Security organization industrialized a comprehensive Acquisition Cyber Enablement (ACE) program that proactively strengthens the cyber resilience of a company prior to acquisition, during integration, and into standard operations against inevitable attacks. Led by Jeff McIlrath, the program consists of synchronized coordination of information security and information technology teams working through four stages—prepare, protect, integrate, and stabilize.

Key highlights include:

Prepare: Before Accenture even signs a deal, we expect acquisition targets to comply with 10 critical baseline controls, such as using multifactor authentication and having a strong network perimeter.

Protect: We then focus on rapid risk reduction, which we drive down very fast—to under two months—using 16 key measures.

Integrate: We enable the technical integration of a newly acquired company into Accenture’s standard information security “immune system” (the accumulation of Accenture’s security processes, technical controls, and training) by having streamlined the synchronization of integration activities among Accenture teams. We essentially assess the situation until a newly acquired company is secure and proceed to set up a smooth transition, allowing an acquisition to keep innovating and creating business value.

Stabilize: We created this phase for newly acquired companies to demonstrate operational effectiveness across four areas of information security within six months after integrating.

?

A welcome approach to secure integration

Accenture has built a reputation among small businesses and their advisers as being a good acquirer. Among the things they value is our rigorous and collaborative cyber enablement.

ACE is an investment Accenture makes in acquiring a company to protect it by assessing the information security risk of an acquisition up front, reducing risk in that organization’s environment, and integrating its IT assets into Accenture’s IT environment with a standardized integration plan that supports migration into Accenture’s Information Security immune system.

Our ACE approach does so at speed and scale in handling the variety and pace of acquisitions. On average, the integration of an acquired company takes a year. With ongoing standardization and continued learning, the timeline to integrate is expected to decrease further.

More than ever, our Information Security organization recognizes how critical a security assessment is before a company is acquired. A prospective company’s information security posture is a key decision point in Accenture’s journey to acquire a company.

Rather than making cyber resilience an afterthought, consider embedding it in your business strategy from the start. Check out our The Cyber-Resilient CEO for five practical steps.

As always, I am happy to talk more with you about proactive cyber enablement and other cybersecurity topics. Let’s share what we know to secure what we must.

?