Guaranteeing Safety in M&A: An Evolution, Not Revolution



Scott Heider is a supervisor inside the Cisco Safety Visibility and Incident Command staff that stories to the corporate’s Safety & Belief Group. Primarily tasked with serving to to maintain the combination of an acquired firm’s options as environment friendly as attainable, Heider and his staff are sometimes introduced into the method after a public announcement of the acquisition has already been made. This weblog is the ultimate in a collection centered on M&A cybersecurity, following Dan Burke’s put up on Making Merger and Acquisition Cybersecurity Extra Manageable.

Mergers and acquisitions (M&A) are difficult. Many components are concerned, guaranteeing cybersecurity throughout the complete ecosystem as a corporation integrates a newly acquired firm’s merchandise and options—and personnel—into its workstreams.

By means of a long time of acquisitions, Cisco has gained experience and expertise to make its M&A efforts seamless and profitable. This success is largely to a wide range of inner groups that maintain cybersecurity high of thoughts all through the implementation and integration course of.

Assessing the Assault Floor and Safety Dangers

“Precedence one for the staff,” says Heider, “is to steadiness the enablement of enterprise innovation with the safety of Cisco’s info and programs. As a result of Cisco is now the last word accountable celebration of that acquisition, we ensure that the acquisition adheres to a minimal stage of safety coverage requirements and tips.”

The staff seems on the acquired firm’s safety posture after which companions with the corporate to teach and affect them to take obligatory actions to attain Cisco’s safety baseline.

That course of begins with assessing the acquired firm’s infrastructure to determine and fee assault surfaces and threats. Heider asks questions that assist determine points round what he calls the 4 pillars of safety, monitoring, and incident response:

  • What programs, knowledge, or purposes are you making an attempt to guard?
  • What are the potential threats, together with exploits or vulnerabilities, to these programs, knowledge, or purposes?
  • How do you detect these threats?
  • How do you mitigate or include these threats?

The infrastructure that Heider’s staff evaluates isn’t simply the corporate’s servers and knowledge middle infrastructure. It might additionally embody the programs the acquisition rents knowledge middle house to or public cloud infrastructure. These concerns additional complicate safety and should be assessed for threats and vulnerabilities.

Acquisition Will increase Threat for All Events Concerned

As soon as Heider’s staff is activated, they companion with the acquired firm and meet with them frequently to counsel areas the place that acquisition can enhance its safety posture and scale back the general threat to Cisco.

Figuring out and addressing threat is crucial for either side of the desk, nevertheless, not only for Cisco. “A number of acquisitions don’t understand that when Cisco acquires an organization, that group abruptly has an even bigger goal on its again,” says Heider. “Risk actors will usually take a look at who Cisco is buying, they usually would possibly know that that firm’s safety posture isn’t satisfactory—as a result of lots of instances these acquisitions are simply centered on their go-to-market technique.”

These safety vulnerabilities can develop into straightforward entry factors for risk actors to achieve entry to Cisco’s programs and knowledge. That’s why Heider works so carefully with acquisitions to achieve visibility into the corporate’s atmosphere to scale back these safety threats. Some firms are extra centered on safety than others, and it’s as much as Heider’s staff to determine what every acquisition wants.

“The acquisition may not have a longtime forensics program, as an example, and that’s the place Cisco can are available in and assist out,” Heider says. “They may not have instruments like Stealthwatch or NetFlow monitoring, or Firepower for IDS/IPS operations.”

When Heider’s staff can deliver of their established toolset and skilled personnel, “that’s the place the connection between my staff and that acquisition grows as a result of they see we will present issues that they simply by no means considered, or that they don’t have at their disposal,” he says.

Partnership over Energy Play

One of the vital necessary components in a profitable acquisition, in response to Heider, is to develop a real partnership with the acquired firm and work with the brand new personnel to scale back threat as effectively as attainable—however with out main disruption.

Cisco acquires firms to increase its resolution choices to prospects, so disrupting an acquisition’s infrastructure or workflow would solely decelerate its integration. “We don’t need to disrupt that acquisition’s processes. We don’t need to disrupt their individuals. We don’t need to disrupt the expertise,” says Heider. “What we need to do is be a complement to that acquisition, – that strategy is an evolution, not a revolution.”

The concentrate on evolution can typically end in a protracted course of, however alongside the best way, the groups come to belief one another and work collectively. “They know their atmosphere higher than we do. They usually know what works—so we attempt to study from them. And that’s the place fixed dialogue, fixed partnership with them helps them know that we’re not a risk, we’re an ally,” says Heider. “My staff can’t be in every single place. And that’s the place we want these acquisitions to be the eyes and ears of particular areas of Cisco’s infrastructure.”

Coaching is one other manner Heider, and his staff assist acquisitions stand up to hurry on Cisco’s safety requirements. “Coaching is without doubt one of the high priorities inside our commitments to each Cisco and the trade,” Heider says. “That features coaching in Cisco applied sciences, but additionally ensuring that these people are capable of join with different safety professionals at conferences and different trade occasions.”

Finest Practices for Safety Issues in M&A

When requested what recommendation he has for enterprises that need to preserve safety whereas buying different firms, Heider has just a few suggestions.

Make endpoint administration a precedence

Having the best safety brokers and clear visibility into endpoints is crucial. As is inputting the information logs of these endpoints right into a safety occasion and incident administration (SEIM) system. That manner, explains Heider, you have got visibility into your endpoints and may run performs in opposition to these logs to determine safety threats. “We’ll attain out to the asset proprietor and say they could have malware on their system—which is one thing no person desires to listen to,” says Heider. “However that’s what the job entails.”

Finish consumer schooling is necessary, too

Typically, finish customers don’t know that they’re clicking on one thing that might have malware on it. Heider says consumer schooling is sort of as necessary as visibility into endpoints. “Cisco actually believes in coaching our customers to be custodians of safety, as a result of they’re safeguarding our property and our prospects’ knowledge as effectively.”

Finish customers ought to be educated about practices akin to creating sturdy passwords and never reusing passwords throughout completely different purposes. Multi-factor authentication is an efficient apply, and finish customers ought to develop into acquainted with the rules round it.

Model updates and patching are widespread sources of vulnerabilities

Updating software program and programs is a endless job, however it’s essential for retaining infrastructure working. Generally, updating a system can weaken safety and create vulnerabilities. Enterprises should preserve a steadiness between enabling enterprise innovation and retaining programs and knowledge safe. Patching programs might be difficult however neglecting the duty can even enable risk actors right into a susceptible system.

Perceive public cloud safety earlier than going all in

Heider says public cloud operations might be helpful since you’re transferring possession legal responsibility operations to a 3rd celebration, like Amazon Net Companies or Google Cloud platform. “The one caveat,” he says, “is to be sure you perceive that atmosphere earlier than you go and put your buyer’s knowledge on it. You would possibly make one false click on and expose your certificates to the Web.”

Cisco Regularly Strives for Enchancment

Heider says that whereas a giant a part of his job helps acquisitions uplevel their safety area to fulfill baseline safety necessities, there’s all the time the objective to do even higher. “We don’t need to be simply that baseline,” he says. His staff has discovered from acquisitions up to now and brought a few of these functionalities and applied sciences again to the product teams to make enhancements throughout Cisco’s options portfolio.

“We’re buyer zero – Cisco is Cisco’s premier buyer,” says Heider, “as a result of we’ll take a product or expertise into the environment, determine any gaps, after which circle again to product engineering to enhance upon it for us and our prospects.”

Associated Blogs

Managing Cybersecurity Threat in M&A

Demonstrating Belief and Transparency in Mergers and Acquisitions

When It Involves M&A, Safety Is a Journey

Making Merger and Acquisition Cybersecurity Extra Manageable

We’d love to listen to what you assume. Ask a Query, Remark Under, and Keep Related with Cisco Safe on social!

Cisco Safe Social Channels