Mergers and acquisitions always present challenges to an organization. When it comes to cybersecurity, how involved should a CISO be before AND after an acquisition? And can cybersecurity considerations make or break a deal?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our guest, Alexandra Landegger, executive director and CISO, Collins Aerospace.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Aphinia

Full Transcript
[David Spark] Merger and acquisition only means more work for the CISO. You’re taking on some other organization’s security program or lack thereof. How does that stress the existing security department before and after the merger?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode, it’s your favorite host, sometimes on Defense in Depth… Because I don’t want to diss the other hosts. But I would say your favorite or your top two favorite cohosts of Defense in Depth, and his name is Geoff Belknap, the CISO of LinkedIn.
Geoff, did you know that you’re one of the top two favorite cohosts?
[Geoff Belknap] I’ve always known that when it’s you and I hosting the show, I am in the top two hosts of the show. And that always gives me some comfort because I don’t feel like that in my day job always.
[David Spark] Do you feel that way in your own home?
[Geoff Belknap] I am bottom percentile in my home. That’s clearly… There is a pecking order, and I am not at the top. But at work, also not at the top. But at this show, very close to the top.
[David Spark] There you go. We’re here to just boost your ego, Geoff.
[Geoff Belknap] It’s not working. [Laughs]
[David Spark] I’m doing the best I can.
[Geoff Belknap] Should we talk about mergers and acquisitions and not my trauma?
[David Spark] We can. But first, I want to mention our sponsor. Our sponsor is Aphinia, an invitation only community of CISOs and other senior cyber security executives. Aphinia. More on their great community a little bit later in the show. And, yes, let’s talk about mergers and acquisitions.
“Your CISO should be deeply involved in your M&A process because you inherit the risk and liabilities of the companies you bring on,” said Jamey Cummings of JM Search in a post on LinkedIn. Now, Jamey was advocating for the type of CISO you want to hire if your business plans on getting involved in a lot of M&A activity.
In general, all of Jamey’s advice centered around the ability to communicate, which is the top skill needed from a CISO. So, Geoff, what skills did you find yourself flexing with your first M&A experience?
[Geoff Belknap] I’ll tell you, that’s a great question. I’m really excited about this topic. Having been on both sides of this, I can tell you the number one skill is communication. I think Jamey is exactly right. But just also, just all those things that sometimes people call soft skills – diplomacy, reasoning, understanding, empathy, compassion.
This is a weird process, and it can be fraught. And if you come at it without all of those things we just talked about, it’s going to go rough for you and everyone else involved, so I’m really excited to talk to our guest about this today.
[David Spark] Yes, making something, I think, that is inherently rough less rough I think is the goal for any M&A activity because I think it comes sort of out of the gate, like fraught with issues, and it’s your job to deal with that. So, the person who’s going to help us with this is someone I got a chance to do a live recording of the other podcast.
We won’t talk about those two cohosts because we’re only concerned about you, Geoff. But very thrilled to have her on board for this recording as well. It is the executive director and CISO for Collins Aerospace, Alexandra Landegger. Alexandra, thank you so much for joining us.
[Alexandra Landegger] Really appreciate the opportunity to be here and join, and I hear it’s great for a good ego boost, so excited for the next conversation here.
Why is this relevant?
3:40.192
[David Spark] John Robinson, CISO for Northrop Grumman, said, “Each M&A activity comes down to what we know up front, what we can discover as we move forward, and what can be fixed before and after transition since you will never be able to 100% address all risks of the business within the intended timeframe or acquisition.
M&A is a skillful art of navigating profit and loss targets effectively. Delivering salient feedback on key areas can help ease some of the stress of how we plan to address much of the technical uncertainty in a palatable and business-friendly way.” And I also want to add Declan Burke, who’s the CISO of NorthStandard, said, “A CISO needs to work quickly to understand and interpret both risk landscapes and build a new security model for the combined group, all during a time when sensitive data is being shared more abundantly and while the firm is in the regulatory and media spotlight.” So, I think actually they set this up really nicely, Geoff, saying, “Wow, it’s really complex and a very touchy subject,” isn’t it?
[Geoff Belknap] Yeah, perfect. No notes. Let’s move on. No.
[David Spark] [Laughs]
[Geoff Belknap] I think this is… Like you said, my job is done for me here. The only thing I’d really point out that’s really important as you consider an M&A is that not every M&A ends up where the security team of the acquired company just is dissolved and absorbed into the existing security company or security organization.
But a lot of times what happens is that operating unit operates independently. My company was also acquired by a larger organization, and we operated almost completely independently. So, while there is a lot of touchpoint and relationship between myself and the parent company’s security organization, we largely operate like an independent company.
So, a lot of that M&A process is understanding the risk that is coming to the organization, not necessarily understanding how do we get rid of, or fix, or change everything that was done before because you got to remember your job as a security leader is to ensure that the business is successful, not to ensure that nobody ever makes a mistake.
It’s to understand the risk and to help the business be successful moving forward.
[David Spark] Alexandra, with all these things… And I’ll start mostly with John’s comments. He really kind of outlines a lot of sort of the issues you have to deal with. Is there one that kind of really stands out with you of what you…becomes the biggest part of the M&A process?
[Alexandra Landegger] So, I think really one of the things that stands out is cyber has got to be involved up front. And really, we have to understand the business strategy. Because ultimately, it’s not cyber’s job to say no in any of these types of transactions but rather how do we get there.
And so the first piece you’ve got to understand, I think, is what’s the business strategy. Is this an intellectual property buy? Is this a customer expansion? Is this about driving a whole new sort of connectivity backbone for the organization? What are we trying to accomplish with this acquisition, divestiture, merger?
That comes first. Because then from there, you can start to understand what’s the risk portfolio that we’re willing to accept. What are the other risks that are also at play, not just with cyber but beyond across the whole business? And so I think that’s really the first key is understanding up front what is the business strategy here and then taking that risk mindset, in the second quote you shared it, I think, is a really strong piece of this as well.
[David Spark] Before we close this segment out, I’d love to hear from both of you, what is the biggest surprise you’ve ever seen in an M&A? Like, “Whoa, I didn’t see that one coming.”
[Geoff Belknap] I’ll just say, I feel like the biggest surprise is when everything is in pretty good shape.
[David Spark] Oh, so you expect things to be more of a dumpster fire.
[Geoff Belknap] I think everybody, especially if you’re relatively new to the CISO role and you’re certainly…if you don’t do a lot of M&A, you come to the M&A process assuming everything that is done differently than you is wrong and needs to be fixed.
And occasionally what you find as you do more and more of these is like, yeah, there’s plenty of people that have reasonable programs. They might be different than yours, but they’re very reasonable. And there might not be that much to do, and that’s always a welcome finding.
[Alexandra Landegger] Yeah, I love that one. I think sort of similar in that vein, one of the things that I found most surprising in one of my early M&A experiences back in my consulting days was about the idea of, “Hey, all of a sudden we can actually leverage the smaller company, the acquired company…we can leverage their capabilities to upgrade ours.” And when you have a CISO that’s willing to learn and grow, that’s where magic really happens.
What’s going on?
8:31.152
[David Spark] Aditya Sarangapani of WNS said, “I would get the CISO’s team in earlier during the due diligence process rather than after the purchase decision is made.” And that’s something you said at the very beginning, Alexandra, and we’ve heard this many times, by the way.
Aditya goes on to say, “If the target organization has too many gaps compared to your current posture, it may require significant effort, time, and money to bring them up to speed. You’re still exposed in the interim.” Eric Elbert of RP technologies said, “The only time a CISO should be deeply involved in the actual M&A is when the target organization has situations that, as defined by the process, require the CISO’s direct attention.
If the CISO is involved in every M&A, the process itself is flawed and needs to be revisited.” That is an interesting comment. Would like your takes on that. And Drew Simonis, who’s the CISO over at Juniper Networks, said, “A CISO’s team can define sound practices, but that doesn’t mean they need to be operationally involved in their execution.
There may be bigger fish to fry. What you really want is a CISO who can prioritize, use influence and process to scale, and knows how to use effective governance to ensure others are acting within the contracts and policy.” So, I’ll ask you, Alexandra, is it important that you’re involved in every M&A, or are there so many happening that you don’t need to be involved?
[Alexandra Landegger] So, the Collins Aerospace business strategy is largely around mergers, acquisitions, and divestitures. I mean we are a company of companies. Rockwell Collins and United Technologies came together in 2018. Before that, Rockwell had acquired BE Aerospace, ARINC, etc.
Then you look at our parent company level. Used to be United Technologies, which merged with Raytheon to become RTX.
[David Spark] I’ve gone onto ancestry.com, and I found the whole tree.
[Laughter]
[Alexandra Landegger] Oh, yeah. There’s about 306 different moves around this. And what I will tell you is because of all those different experiences, I’ve been involved in different ways in multiple different transactions that have happened here. My teams have been involved in multiple different ways.
And in general, I will say it is much better when cyber has a seat at the table. Largely because cyber costs are very real, and cyber threats during these transactions are particularly heightened. Regulatory scrutiny is particularly important in these environments as well.
And so you’ve got to have a seat at the table up front to understand what are we doing, what’s the stack that we are inheriting, what’s the transition going to look like. And then, oh, once we get to full separation you still need to integrate it into your enterprise.
So, you’re talking two to five years to really drive the right level of security integration across these organizations. And at the end of the day, our job as security professionals is to ensure a continued user experience throughout all these different moving pieces and moving phases.
[David Spark] You’re saying during the process. Have you seen significant spear phishing attacks during M&As, Alexandra?
[Alexandra Landegger] I have spoken to many peers that have experienced that type of a thing.
[David Spark] Okay, so it does happen. All right. Geoff, when I read that quote from Eric saying that a CISO doesn’t always need to be involved, you were kind of shocked by that. Can you see a rationale? I’m assuming you don’t agree, but can you see a rationale where you believe Eric’s theory here?
[Geoff Belknap] You know, I was thinking about that. I think my reaction is I don’t think about the CISO as a person. I think about the CISO as a leader of a system of processes. I think in this case, what I expect is he is literally right, and I agree with him.
If the CISO themselves individually is involved in every M&A, the process is flawed. So, if I reflect on the way we run our current M&A security process in my current job, I have the privilege of working with an extremely talented technical program manager who is very gifted at running our M&A security process, and that process rarely involves me personally unless there is a decision that needs to be made, or a risk that needs to be accepted, or there’s some kind of exception to the process.
But the process itself is designed to just be a big information finding mission so that we can present any risks that might be detrimental to the merger, the acquisition, or the divestiture, whatever it might be, so the organization can be successful. And I think on reflection, it doesn’t need to involve me or the person in the job, but the person in the job needs to make sure that there is a process that can be run at scale and at volume that is effective at understanding those risks.
So, I think my initial hot take is like Eric is crazy, but the reality is Eric is right. It should be a process, not a person.
[David Spark] So, Eric is crazy and right.
[Geoff Belknap] Eric is crazy right.
[David Spark] There you go.
[Alexandra Landegger] Well, and that goes to the next quote, too, around sort of the operational elements as well. Like, I don’t sit in a SOC on a daily basis. I’m not the one monitoring everything. This is why we have teams. However, we’ve got to make sure as CISOs, I think, that we know who’s on the ball.
Is it the selling company? Is it the acquiring company? When are the transitions? And if you’ve got that solid playbook, yeah, you can run it over and over again. But unfortunately, every single one of these is slightly different – different tools, different processes, different parts of the organization may or may not be part of the cyber team.
Right? Firewalls, VPNs sometimes are in, sometimes are out. And so how do you create that consistent playbook but have the leeway for your team to reach out for that sort of strategic advice as needed?
Sponsor – Aphinia
14:27.273
[David Spark] Before I go on any further, I do want to tell you about our awesome sponsor, Aphinia. So, Aphinia, they are a private, by-invitation-only community of thousands of cyber security executives. They call themselves a professional tribe of superheroes fighting cyber criminals.
I see so many communities out there these days, and I find that most of them will charge you big money for membership, or they are completely overrun by vendors. Not Aphinia. So, if you are a CISO, a vice president, or a director of information security, let me suggest that you join Aphinia today to get instant access to, get ready for this, thousands of your peers, real time insights, career advice, networking opportunities, consulting gigs, and so much more.
The best part, it is free for now. But not forever. So, click on the link in the show notes. It’ll be the banner ad you see for Aphinia, for this episode, and join the team of good guys because you already know that the only way to succeed is together.
Go to their website. Let me spell their company name for you. It’s aphinia.com. Go there and register.
What aspects haven’t been considered?
15:55.216
[David Spark] Dheeraj Gurugubelli of EY-Parthenon said, “Transaction risks are real. We are seeing an increase in targeted attacks on companies upon M&A announcements/closing,” per my comment about spear phishing. Dheeraj goes on to say, “Having someone to manage cyber risk strategically during transactions is crucial to preserve deal value and capture synergies.” And Rob N.
Gurzeev of CyCognito said, “Most M&A cyber risk assessments seem to rely on questionnaires and security ratings. Both aren’t well aligned with actual exposure to attackers/risk. The result post-acquisition is it takes two years instead of six months to integrate the acquired company into the networks of the acquirer, with substantial IT and security costs involved.”
So, a lot of this goes to what you were saying, Alexandra, about the time it takes. But I also want to point out this thing about questionnaires and security ratings. Do you put any merit in that, or is that something you have to do for compliance reasons?
Alexandra?
[Alexandra Landegger] So, I think security questionnaires are a useful tool, but they are only one tool in the toolbox. I think particularly once you’ve assessed that there is anything above mild risk that it might be worth doing a threat hunt. It might be worth doing some show and tell type activities.
It might be worth doing a tabletop exercise, potentially even before signing, so that way you know once you’re in the TSA period, when you’ve got that sort of transition and coverage period, everyone knows who’s on first and what’s going on. Because until you have a true, full risk picture that uses not just the wrench of security questionnaires but also the screwdriver of understanding the security stack and the hammer of understanding different processes, you’ve got to bring it all together as one bigger picture.
[David Spark] Geoff, what about you in this? The exposure during that time of the M&A. What does it look like? Does it become scary? Does it just become situation normal? How do things change?
[Geoff Belknap] It honestly doesn’t change that quickly. So, even if you’re going through an extended months-long M&A process because it’s two large organizations, you know, there’s still plenty of room for the attacker to find out. There is still plenty of opportunity for an attacker or attackers to launch attacks because during the M&A period…which may be a secret from the Wall Street Journal, but it’s certainly not a secret from enough people that an attacker couldn’t possibly find out…it is a period where both of the organizations are used to giving sensitive information to somebody who’s new, somebody they might not know personally yet.
So, I think it’s really important to tell people what to be on the lookout for so they know what to do if they get something that looks phishy.
And you should be prepared ahead of time for an abnormal amount of false positives, of people going, “This guy, Steve, emailed me asking me for financial results. I don’t know him.” Well, that’s true. You don’t know anybody at the new company yet. So, just report those and manage through those.
I think that’s really important. But until your organizations are integrated, which is going to be months if not years down the road, there’s no additional exposure in the sense that your cloud environments are not using different passwords now. You’re not turning off your endpoint detection, or you’re not closing one of your SOCs.
You’re both working together. I think one of the most important things is to make sure you build those touchpoints. Because before the deal is closed, you are not coworkers yet, but you are now working on a common mission together, and I think it’s really important to make sure that you have those connections up front.
[Alexandra Landegger] And building off of that, I think it’s important to not just bring the cyber threat lens into this but to also look from a compliance perspective. So, particularly when you’re acquiring a company in another country, or maybe that has… You know, again, as an aerospace company, we’re generally not directly consumer facing.
But then all of a sudden with the FlightAware acquisition, we are directly consumer facing in a very, very visible way. And so all of a sudden are we subject to different regulations? And how do we understand that business model? How do we make sure that we’re taking that full one company view of how we need to meet this together, on mission, as you said, Geoff?
Whose issue is this?
20:30.896
[David Spark] Kevin Heineman, CISO over at Lyric – Clarity in Motion, said, “The CISO must be a business partner in addition to protecting the confidentiality, integrity, and availability of information assets. The CISO must advocate the value that cyber brings to an enterprise.” And Fernando Morales of AmeriHealth Caritas said, “You need someone during M&A discovery that can decipher not only the difference in infosec strategy but also someone that can dig deep and find the accepted risks that the new organization will have to deal with moving forward.” So, I want to talk about that, the accepted risk.
We’re seeing things like… Geoff, you spoke of they go, “Hey, you know, they don’t do the same thing I do, but this is actually a well-built security program.” But, A, you don’t always see that. And, B, I’m assuming there’s things like, “Yikes, this is not what I want to do, but we do have to move forward.
This is a business imperative. How are we going to manage this, or how do I accept this?” When have you had situations like that?
[Geoff Belknap] Oh, I think you have situations like that on every M&A deal, including the ones that close. And to be clear, there are lots of M&A activities that don’t close. And it is rarely to do with a cyber issue. It’s usually something else. I think this is where I want to toot the horn of the…maybe not the most sexy part of cyber security but governance risk and compliance.
When you have a well formed governance risk and compliance program, and I can walk in, or you can walk in to an M&A situation and say, “Hey, let’s go through your risk register, and let’s understand the risks that are on the register,” which will give you an idea of the risks that might not be on the register just by virtue of looking at that document.
And that gives you an opening to talk about how do you identify risks, how do you manage risks, what’s your long tail of remediation of some of these things, and what things aren’t on here that you think should be. It becomes a really effective way to have a conversation and understand the risks that are involved without having to pop the hood open and look at all the bits that are flowing on the network and really understand what attacker activity might be there or not there.
Just understanding how you manage the risk is a great asset to be able to provide a recommendation, which is what you, the cyber security leader, are going to do to the business people that are closing the deal about whether this is a material risk to the deal.
[David Spark] I’m interested to know with both of you, have either of you said, “Hey, this is going to bring on a huge cost to us. You should know this in your M&A.” And do they go back and use that as a negotiating tool? Have either of you had situations like that?
[Alexandra Landegger] I think it’s really important to, as Geoff said, understand the risk and then be able to parse out what is the real cost of this. What is the cost, A, if something goes wrong, and, B, what is the cost to fix this, assuming we want to move forward?
Because, again, cyber shouldn’t be the org that’s driving a no in most cases. So, how do we get to yes? It’s really by articulating the value of what it will take to get to green and the value of what might be lost if things do go wrong if your risk is truly realized.
[David Spark] Right. And I understand you’re not the one there negotiating the actual deal of the M&A, but you’re saying, “Just so you know, we take this on. It’s going to be X dollars to deal with this,” kind of a thing.
[Alexandra Landegger] Yeah. And then you look at examples, like the Yahoo sale several years ago. Once they came out and said, “Hey, look, we’ve got a known cyber breach,” their price went down by, what was it, 300 million or something. It was huge. So, there’s definitely times where cyber does have a voice and can ultimately affect the deal.
As Geoff said, sometimes deals do fall apart for a variety of reasons, and cyber might be one of many in those cases.
[Geoff Belknap] Yeah, I think one of the things that’s really interesting here is this is why it’s really important that the CISO be a business peer. Not just a technical leader but a business leader. Sometimes you’re looking at an M&A deal where it’s thin margins.
And if there are significant things in the risk register or significant issues that are discovered that aren’t, we’ll say, relatively normal… Like, look, everybody… I’m not going to speak for you, Alexandra, but it’s my belief that most people are walking around in this role with a couple of years of tech debt that they know they have to pay off.
That they’re planning to pay down at some point. If it throws the M&A deal out of contention because you’ve got something really big that needs to be fixed over the next three years, a really big investment or something like in the case that you brought up, Alexandra, where it [Inaudible 00:25:22] down the value of the brand, that’s material, and they’re going to want to know about that.
But pretty much every other deal that is being made is a long-term deal. It’s not just about now and flipping an asset. It’s about how do we bring these two organizations together to build a better organization. Cyber security is going to be a long-tail part of that.
It really is just about figuring out whether there is something that’s so disruptive that it can throw the whole deal out of whack.
Closing
25:46.991
[David Spark] Well, that brings us to the conclusion of today’s episode. And I want to thank you, Alexandra, for your great insight on this topic. But more importantly, I want to ask you, which of all these wonderful quotes that I have read from the security community…which one was your favorite?
[Alexandra Landegger] So, I would have to say Kevin Heineman, CISO of Lyric – Clarity in Motion. The idea that the CISO is a business partner is 100% spot on. It’s our job to help the business understand the risks that we’re accepting, understand how we get from day zero to day two in a secure and compliant way.
And ultimately, as Geoff said earlier, we’ve got to be a business partner here to drive that to conclusion.
[David Spark] Geoff, your favorite quote and why?
[Geoff Belknap] So, I’m going to go with Eric Elbert, who… Eric, I’m sorry I made a face when they read your quote originally, but I…
[David Spark] Now it’s your favorite. Look… Eric, this is amazing. Eric wasn’t even here, and he turned you around.
[Geoff Belknap] I appreciate it. Eric, amazing ability. Just the charisma to turn me around from a quote only, amazing. Good job. You should be involved in many M&As. But, hey, in case you can’t remember, Eric, what he said was the only time a CISO should be deeply involved in the actual M&A is when the target organization has situations that, as defined by the process, require the CISO’s direct attention.
If the CISO individually is involved in every M&A, the process itself is flawed. I think that’s 100% correct. Your job as CISO many times is to design a process and a system that other people are going to operate so that it can operate at scale. If you, the individual security leader, have to be involved in every process that involves security, you’re doing it wrong.
That’s the best way I can put it. And I think it’s really important to remind people that you, the CISO, are the leader of a business unit, not an individual contributor of that business unit for everything that involves security.
[David Spark] Excellent point. Well, that now brings us to the very end of the show. I want to thank our sponsor, Aphinia. If you are a CISO, some type of security leader, a vice president, director, anything like that and you want to connect with your other cyber security professionals… I know you do, because, heck, that’s why you’re probably listening to this show.
Why not check out Aphinia? Their website is aphinia.com. Or you can just click on the banner ad in the show notes, and you’ll see everything right there. Aphinia.com. Thank you for sponsoring today’s episode. Geoff, thank you, as always. And for those of you who don’t, you know you can always find wonderful jobs at linkedin.com.
Not just at LinkedIn but at other locations because they put the job listings there. Now, Alexandra, I greatly appreciate you joining us today. Any last thoughts on our topic, and are you hiring over at Collins Aerospace?
[Alexandra Landegger] Well, first of all, thank you again for hosting me today. This has been a fabulous conversation. I always walk away from these learning at least one thing, and I think I walked away learning a few today, so thank you. In terms of hiring, definitely feel free to reach out to me on LinkedIn, of course, but you can also look at the Collins Aerospace and our parent company, RTX…our job pages.
We have some hiring to do in our cyber environment across the next several months, so definitely look forward to hearing from many of you.
[David Spark] Excellent. Well, thank you, again, Alexandra. Thank you very much, Geoff. And thank you to our audience. We greatly appreciate your contributions. It isn’t just something I say at the end of every episode. Because you think, “Oh, he just says it at the end of every episode and doesn’t mean it.” No.
Literally this wouldn’t exist if people didn’t contribute to the community. Sometimes you’re not directly contributing to us. You’re just directly contributing to the community, and then we take advantage of that, and we love that. So, thanks for contributing to the cyber community and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please, write a review. Leave a comment on LinkedIn or on our site, cisoseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.