Simplifying Cyber

Cybersecurity Mergers & Acquisitions - Crown Jewels and Red Flags

Aaron Pritz, Cody Rivers Season 2 Episode 8

Ever wonder what lurks beneath the surface of that shiny acquisition target? Our expert panel, featuring M&A Expert Brandon Kern, pulls back the curtain on the hidden cyber risks that can make or break your next deal.

When companies merge or acquire, cybersecurity considerations often take a backseat to financial projections and market synergies. Yet overlooking digital vulnerabilities can transform a strategic investment into a costly liability. In this revealing conversation, corporate veterans and M&A specialists share battle-tested strategies for conducting effective cyber due diligence without derailing deal momentum.

The discussion kicks off with a practical comparison: cyber due diligence functions much like a home inspection when purchasing property. Just as you wouldn't commit to buying a house without checking for structural damage, acquiring a business without assessing its cybersecurity posture can lead to expensive remediation costs or even devaluation of critical assets. Our experts emphasize focusing on the "crown jewels" – the specific intellectual property, customer data, or technology capabilities that motivated the acquisition in the first place.

Timing emerges as a crucial factor throughout the conversation. Bringing in cybersecurity professionals early provides the opportunity to identify risks that might affect valuation or negotiation terms. However, the panel acknowledges the delicate balance between thorough assessment and maintaining deal momentum. They share practical approaches for prioritizing critical issues while deferring less immediate concerns to post-close planning – allowing security to enable rather than impede business objectives.

The conversation also addresses often-overlooked aspects of M&A cybersecurity, including third-party relationships that come with the acquisition, organizational change management to reduce resistance, and strategies for maintaining business continuity during integration. With firsthand experience from both corporate and consulting perspectives, our experts provide a comprehensive playbook for protecting deal value through strategic cybersecurity planning.

Whether you're a corporate development executive, private equity investor, or security leader supporting M&A activities, this episode delivers actionable insights for your next transaction. Listen now to learn how proper cyber due diligence can safeguard your investments and accelerate post-merger integration.

Speaker 1:

Thanks for tuning in to Simplifying Cyber. I'm Aaron Pritz and I'm Cody Rivers and I'm Todd Wilkinson. I'm Brandon Kern. All right, Brandon, I think this is your first time on the show. Thanks for joining. Yeah, thanks, good to have you. I know you've had a lot of experience in mergers and acquisitions and cyber, so we're excited to have you on this show. And, Todd, you've been on the corporate side as of I with Cody. You've seen it on a number of different regards, so we're excited to dive into this conversation today and really jump in. We'll jump in right into the conversation. Let's start with, like Brandon, let's just define what is a diligence assessment. Give us a little bit of the landscape of what we're talking about when we think about the cyber aspects of doing a deal.

Speaker 3:

No good question. So cyber in the context of an M&A deal is all about risk-based or risk identification throughout the transaction. So in the due diligence phase you're really examining the targets of the acquisition. You're looking for major red flags, prior incidents, any kind of risks that, once the transaction closes, you're going to have to clean up or otherwise remediate.

Speaker 1:

And simplistically. Could we think about this very simplistically as, like, a home inspection? Yeah, you make an offer, initial offer to buy a house. You have that four or five hour home inspection. You get a bunch of findings and then you decide like, hey, how much am I going to reduce the price for this? Am I gonna like? Recently my parents walked away from a home purchase, exactly, thankfully, because they live on a lake and they were looking to not live on the lake. I know, I know, it's a good. I'm glad that inspection was negative.

Speaker 3:

Yeah, exactly, you're looking for red flags. You're looking for things that are going to cost you right in the end as the buyer, basically things that you can either use to lower the cost of the acquisition or again, if it's major enough, if there's IP loss, right, I'm buying the IP. If it's already exposed, I no longer want to buy it.

Speaker 1:

So, todd, we talk a lot about business-driven risk management, or the old school term is crown jewels. You've been multiple decades as the buy, maybe not multiple, double decades.

Speaker 2:

On the corporate side 40 years.

Speaker 1:

How great is it, oh my gosh. But you think about crown jewels critical risks. Talk about when you're looking at an acquisition target or you're looking to divest. What do crown jewels have to do with M&A focus?

Speaker 2:

Typically, or at least I've seen, typically, when you're going to go make an acquisition, there's one or two reasons that you're driving this acquisition. I may want a product, I may want something in the pipeline or, quite frankly, I may want to buy out the competition. Those are things that typically drive that. So you're not going in necessarily thinking I care about the whole entire estate. It depends, it depends. But you are going in and saying, all right, the asset that I want to buy, is it really there? Does it have associated risk, associated with it itself? That product or that manufacturing line or whatever it might be? So that's what you're going in to verify: is the thing I want actually there? And then the second piece of that story is okay, how many distractions am I buying? And it could very well be they've got a lot of risk on other parts of the business, but I don't really care about that. So part of my story might be to make the acquisition and, quickly as possible, get rid of that other stuff that I don't.

Speaker 1:

Staying on you, Todd, just because you've been on the corporate side, you've been part of these large deals from a cyber standpoint. How do we align the cyber due diligence that we're doing from an overall business standpoint as well as regulatory?

Speaker 2:

Okay. So two things about that. I think one is from the alignment of the risk. I think a key piece is if you're coming in going we've made an offer, and sometimes you're coming in the offer has already been made or at least there's been some facilitation of a price, or maybe there's not. But you are going to look at that and go, okay, how many problem children underneath the covers there, and you actually bring that back into the deal, say, hey, I'd love to make this offer, but there's 20 million dollars worth of work that we have to do.

Speaker 2:

That was unanticipated or not part of that original conversation. We need to adjust the price. That's a big deal at a table, so you got to come in ready to go. This is the actual issue. I think the second piece of that story is you're going to close that deal. What follow-on work do you have to do on day one versus day 60 versus day 365? Using that early diligence to map out what that acquisition actually looks like long-term can really accelerate the deal and the closure of it, which is, the longer that deal takes to close, the longer and the more money you're spending to keep things going. So you want to close the deal as much as possible and then get the integration stuff out of the way.

Speaker 4:

Well, and sometimes it's going to happen. So it's just whether you know about it earlier or later. But it will happen. But it's nice to know the surprises before you acquire it.

Speaker 1:

And Cody, I swear this isn't going to be like the Saturday Night Live sketch what's up with that with Lindsey Buckingham where they come to him at the very end and then they run out of time. I will not do that to you. But going back to Brandon, just because you have the experience kind of on the big consulting, you spent a number of years on that space before you joined Reveal Risk and really expanded your horizons into much cooler stuff from your experience of what went well and didn't. Bring us cyber or the cyber support into a deal life cycle to get the most value and why.

Speaker 3:

Yeah, good question. I'll start with a slightly different question is when do we typically get brought in? And that's too late, right, the earlier the better. As Todd's mentioned, and you brought up the home inspection, right, you want to know all of these red flags. You want to know these things up front so you can then integrate that red flag or that challenge into other streams. Challenge as well.

Speaker 3:

Right, Finance may have their own things, HR have their own things, but if we can kind of look under the covers and kind of all come together on you know we're all going to have to be compliant to this regulatory requirement, then you can almost piece cyber into that as well. So, to answer your question, it's all about how early can you get cyber involved, and a lot of times it rides on IT being involved, which is looking more at the network side of things, the connectivity of things, the technical structure of the organization where cyber. You want to again identify those risks as early as possible so you can start to plan for those and start to remediate those if you can.

Speaker 1:

So, Cody Buckingham, I told you I wouldn't do that to you, so I'm going to bring you right in right now.

Speaker 3:

All right.

Speaker 1:

So let's assume you have your home inspection, you've made the deal offer, you got back the inspection report. It's not so great on cyber and you're helping a client right now with diligence, deals and negotiation and there's a deal that they passed on, not only based on cyber but some other stuff. But talk to me about how does cyber come into? Whether you pass, whether you reduce the price, Like how does that work?

Speaker 4:

Yeah. So I think a lot of things Nice that you're seeing now, like security, kind of come outside of IT. Before it was kind of under IT, now it's like you get three questions in the IT meeting. So it's nice now to kind of get your own kind of time at the table. I think the key thing is a lot of compliance and regulatory.

Speaker 4:

Things are like, if I'm going to chase business or I need to keep this revenue stream going, what do I need in place? And especially if the target may be more mature than like the acquiring body, and so now, like now, the mothership has to level up real quick. So it kind of gives a viewpoint of like the 30, 60, 90, 120 of like what do we got to do real fast to either maintain business or keep chasing business, because at the end of the day, when you're buying a company, you're not looking to pull back, you're looking to kind of chase forward. So I think it helps to know where to focus and in a world where we all have the fighting for priority, you got to make sure this is why it's priority, this is what we're going to keep doing. So it gives them support to that.

Speaker 1:

Yeah, that makes sense. So, Todd, what are the biggest misconceptions that clients or business partners that are doing these deals have about an M&A, cyber due diligence and maybe seeding the clouds? How do we reset some of those expectations that you might be about to tell us?

Speaker 2:

Yeah. So, having been in the room with some of those, they tend to get nervous when the security professionals are there because they're going to feel like they're going to get a long laundry list of things they have to do. But I try to seed it a different way. You're either buying revenue, buying people, or buying a product, and when you purchase a company, the longer it takes to do that acquisition, the longer that gets dragged out, the more that revenue drops off. It just does.

Speaker 2:

Acquisitions are a distraction for everyone involved until you get into the normal rhythm. So one of the things that helps is how can you use security to focus on the? What are the things we're going to take risk on fast and move, like, how do I get people going on day one, day two, day three as quickly as possible and say we're going to accept some risk. We're going to recommend you accept that risk, not just play a here are the risks and then pivot back and going hey, we did buy some stuff. There's some warts under the covers, they need to get on the roadmap of being fixed, but these things can probably wait 30 days or 60 days. You know, building the house analogy: hey, I bought a house and the furnace is trash. But it's April, it's okay. I can wait till October to fix the furnace. Versus the air conditioner's bad, let's fix that day one.

Speaker 1:

I'll add an example. I remember talking with one of the VPs at one of the companies I worked with that why is cyber last to the table? Or too late? To your point of like, it seems to be always too late and it's really the need for speed and business people want to do deals fast and they want to. They're eager to make the deal and they may not want the distraction, even if the, you know, the money reduction opportunity is there. They'd rather get the deal done and then sort it out on the backend, even though we all know that that could be costly. You could end up with the money house, from a company analogy standpoint, that you've got to spend $5 million that you didn't think about to even get them integrated with your environment.

Speaker 2:

I was going to say having a bias for action is helpful, because that's what everybody's there for. How quickly can you make a decision and can you do it in the room while you're there, not give us a week to come back.

Speaker 1:

So knowledgeable, agile professionals that can lean in and out. Get what you need, not spend extra weeks elongating a deal. It's all about efficiency, having a playbook, which we've done a lot of, and then really making it seem seamless with the rest of the process, not the longest pole in the tent.

Speaker 4:

And I remember our conversation too, when you were saying like sometimes you don't get all the time. It's like, hey, you get like 30 minutes, 30, 45 minutes and they'll give you what they give you. But what are those few questions you're asking? They say, hey, you don't get to have a full hour. You get three to five questions. What are you looking at when you walk in?

Speaker 2:

How? How are people going to work day one, and this is a simple question Are you going to hand them new laptops? Are they going to use the laptops that they used before, or are you going to have some new way, through virtual desktops or their phones, that they're going to work? Or was that not thought out, using security as a spearhead to think through that? That way, your IT partners can think through it, your logistics folks can be ready to go. That's a huge win, just to keep the business flowing.

Speaker 2:

That day two question is where does that ERP data go? How are the financial transactions going to happen? Are you going to bridge networks together? Are you going to keep systems separate? Which drives into the third piece of that is what things are you going to get rid of versus what things you're going to keep, because that drives costs down really quickly. You can better paint a picture of what people are going to use and what things they're going to give up and they're going to use the new systems or you're going to replace them the more they can start thinking through. This is what my life is going to look like in the new environment and I can better facilitate how to get there.

Speaker 1:

So we talked about the perception of the impediment of speed and slowing down the deal. What is our approach when we engage in cyber support to balancing speed and thoroughness or detail during that deal, especially when the buyer is under pressure to close?

Speaker 2:

Well, we've got a deep bench of expertise. We've been through this on both sides of it, so being able to ask the right questions quickly, so we're not asking 100 questions over and over again to the same party. I think that's a key trick that we bring to the table. And two, how do we rise to the top of: here's the three or four things that we must focus on for day one. The rest of these things can be a day 60 or a day 180 type of a question. I think that's a huge part of the deal conversation.

Speaker 3:

Yeah, I think your first point there is the key differentiator that I've seen from where I'm at now and where I have been in the past life. But it's asking the questions about the product, the revenue stream or the piece that you're actually buying. But it's nice to know that they have secure policies and they have all these things in place at the parent company that you're looking to buy either a part of or even the whole thing of. At the end of the day, it doesn't matter, right, you're going to replace that with your own. Or, if it does matter, great, hit on that. But that's not the part you're buying. You're buying again the product, the stream, the customer base, something like that. Absolutely. So focus on that rather than focusing on getting to know how secure is the target company overall?

Speaker 1:

Yep. So maybe taking that need for speed, and if you're not first, you're last. If you're first, you're last. If you're not first you're last. I totally butchered that, Ricky Bobby's, I know. And then revealing and highlighting those risks and then turning them into actual post-close plans.

Speaker 1:

How do you effectively do that and be relevant within the deal process? What have you, maybe starting with Todd? What have you seen to kind of full end-to-end be there, throw those things up on the table, influence and then make sure that they're used versus like, oh, we knew that, but we didn't actually negotiate the reduction in spend.

Speaker 2:

Take the step away from that cyber focus for a second. Bring that knowledge to the table, but put yourself in the shoes of the people doing the work. That is super helpful. Live and breathe like they have to get the job done themselves. Use that lens and that helps shape how quickly can we move and how can we keep them productive. Because if you're acquiring a company or divesting a company or merging, at the end of the day, if you've irritated the employees along the way, they're not going to be as productive and everything becomes so.

Speaker 2:

That's the first step, and I know that's overly simplistic, but it matters in the field of cyber, because not everybody understands what we do and the more we can be empathetic to their work. Yep, there's two or three things that we got to focus on, but keep them functioning. That's really step one that matters. And then the second piece of that is how quickly and if you can do it in the room, paint that picture to the key stakeholders. I mean the IT folks and the business leads that are getting the work done. Here are the two or three things that I need you to do those first 60 days, and this is how people are going to get that work done and you can paint that picture. People can then follow up.

Speaker 1:

So not everything can be perfect. You might not have the perfect negotiation to reduce or give you the budget from the reduction to solve the things you're going to solve. But what should quickly be decided around the deal time versus a few months from the deal versus year end of the deal versus never. What are some examples? Maybe Brandon from your side on the big consulting vantage point and then Todd on the corporate practitioner, having to live with the integrations years later or months later?

Speaker 3:

I've seen a lot of big consulting kind of suggest to add it to a TSA or a service agreement. Just keep it as is, right, or keep it operational, which works when it works, right. But if it doesn't work then you have to make a temporary service if needed, or you have to quickly, like Todd's saying, integrate into whatever it is that you're going to. It doesn't necessarily have to be the final. You know they have to be able to do their job on day one, preferably day two required, right. So it's a temporary service, it's a temporary fix. Sometimes that may get wiped out completely, may get evolved into the final one. But the more granular you can get in your detailed planning at the task level, right at the technical task level of, you know, we're going to do this, this and then this and show folks that roadmap, I think really helps kind of the transition. And again applies speed but thoroughness in that transition as well.

Speaker 1:

So maybe pivoting that question and for your guys' perspective, I want both of your opinions dealing with, like here's all the things you could do the lift and shift, the put in a bubble and let it sit for a couple of years Cody, I know you've had, or Todd, you've had a couple of examples of that versus other tactics, how do you manage the options, knowing not everything is going to be perfect and you're not going to get everything that you're recommending.

Speaker 2:

This is a less technical answer, but it starts out with and I had a leader share this with me he goes you mentioned TSA. You may have TSAs. You may have small deals that don't require these things. It's like acquire and just pull them in right, but a lot of times you do. Those TSAs should be uncomfortable and they should feel like divorce paperwork, because the longer you're in them, the more expensive it gets and you should make it uncomfortable for all parties.

Speaker 2:

So you want to get out of the TSA hard. Make them difficult and it's okay, and saying that out loud helps people go yep, yep this TSA is irritating.

Speaker 2:

I would like to get out of it. That's the feeling you want, stating out loud, faster and sooner, upfront this is what we're going to lift and shift. This is what we're gonna lift and shift, this is what we're gonna get rid of and this is what we're all gonna head towards for new solutions. Helps everybody get comfortable early of how they're gonna have to change their work, because that uncertainty is what kills productivity. So if you're gonna kill a solution off and say we're all using something new, make that statement early so you can start those organizational changes and people can head towards that same direction, versus sweating.

Speaker 4:

Yeah, one thing I think I see too, we forget about and I was talking to a cyber leader just last week about this was like what does life look like? Post for himself, so I'm acquiring these companies and they're getting four or five companies in one year. And he's like I'm acquiring these companies but I'm not getting headcount.

Speaker 1:

I'm getting budget for the integration.

Speaker 4:

But now I've got more headcount and things look different and I still have my day job that I'm doing too. So I think in the integration part of go fast, be quick on the integration, but like, what does life look like on the other side? I got, I have three more tasks I gotta do with my team and figure out who's going to maintain that. So that's, I think, where those questions come in. I think maybe we're a little different. You know we all. But on our other side built the program before and ran them. So you've got that experience on the execution side of like it's going to get to the integration. But we're going to have more to do and like, how do we plan for that? Is that a and the budget request got to come in early 'cause if you do that post-close, you're late in the game. You're there for a year or so before you even get the response.

Speaker 2:

Yeah. Well, if you're given no budget and it can't grow, that paints a clear picture towards I'm not duplicating solutions. That is a financial picture towards we are heading towards one path and the faster we get there. So you don't have two MSPs, you don't have two endpoint environments, you don't have all the different tooling that's out there, different processes, you're heading towards one and everybody needs to get behind that. They may not like it and they may push back. Hey, I like the way I did it before. That's great.

Speaker 4:

Nobody's paying for that. I think you'd call it a good point. One thing I think I see a lot about is that I like the black hole is like third parties. When I buy this company, I'm looking at the technology, the IP, the employees. But one thing you forget about is what is already contractually obligated to and who's coming to this party that maybe was not invited or just getting figured out. So in my previous life as the MSP of being on the acquiring side and the purchase side, you're not pulled into a company that's like hey, welcome to the party, what are you doing? What's your contract terms? How fast can we snip you as a contract? Or, while you're here, how do we get the max value out of it? So it's like you have this new stakeholder management on day one of like, now you're with a new person. It's like a forced relationship for X amount of time.

Speaker 1:

So forced relationship for X amount of time. So, Todd, you referenced the divorce analogy. You're using the marriage analogy like you're getting married. Have you interviewed the family members and extended family members that are coming to this party? Because you're going to have to live with them for the next 40 years or maybe less. I mean, it's America, 50-50, you know, who knows. All right, pivoting a little bit. Well, here's a scenario and this is a jump ball question. I didn't have a whistle, but just assume we'll add that in post. A large healthcare company acquires a startup. Post-close, Reveal Risk is helping integrate security operations, but the acquired team, cyber team, is pushing back hard on how we're recommending or mandating policies and tools. How are we going to handle this? What questions are we going to ask? To whom?

Speaker 4:

I'll take the first step here. I think one thing we forget in cyber a lot of times is like the OCM factor of things. Like you can have process, policy, tools, but it's also a hearts and minds campaign, because you've got people that are a lot of parts of the company that are non-IT, not cyber: marketing, legal, finance, ops, and like what is the messaging and what's the org change management process to bring them along to the party. Here's what we're doing, here's why we're doing it and here's the value of the company. I think to your point of like, when you get the situation and you get do this real quick and people aren't necessarily on board or they don't understand the why, they're going to be resistant, to say no, and even when they know the why, they still may not go along.

Speaker 3:

But at least you've got more context to hope you might give more to the party and if it's the cyber team at the startup or whatever it might be, bringing them into the decision, not to say that they get a full vote right or whatever it might be, but to say, if we went this route, what would that cause your day-to-day look like? How would that affect you? We still may go that route, even if they say, hey, that's going to be a headache, we're going to need this, this and this. But at least you know up front and you can plan for we need this, this and this. It's not a surprise. Later down the road, whenever you've made the decision, you've invested a little bit of money into it or a lot of money into it, and then all of a sudden it's like, well, we can't do that because of XYZ.

Speaker 1:

Yep. So we, Reveal Risk, unique team. Todd, you've had more than two decades, not three, sorry to make you seem old earlier, of corporate experience.

Speaker 1:

You've been through many, many deals. Cody, you being a CTO, you've helped companies both sides of the table with these deals. Brandon, Ninja M&A, spent a lot of your early career days in doing cyber diligence and getting a lot of reps. We've had some good experiences with clients and we've gotten the feedback that, wow, that was better than a lot of the big consulting options that we've used in the past. Like, what makes us different? What are we doing that differentiates us from kind of the rest of the options that might be the, you know, the first things you might think of, of hey, I'm going to call big name one?

Speaker 3:

Yeah, I mean, I think first off is our team is not too large in the sense of we don't bring folks on that aren't going to add value to the deal or add value to the decisions being made.

Speaker 3:

Exactly, you know, helpful in the first part of your career, right, and first part of my career I definitely benefited from being brought along. Not to say that we don't bring folks along to teach them, but if they're not making a decision, if they're not helping make a decision, you know they're not needed in the room. And then we don't waste time in the interview process, right, like I said, like we don't ask about the policies, we don't ask about things that don't apply to the deal and don't apply to the business reason for the deal, the deal thesis. We've gotten to brass tacks, they call it. Exactly, exactly. We're not there to just be there. We're there to get answers and work for the client specifically, instead of just conduct the due diligence to conduct the due diligence.

Speaker 4:

I would say because of our background on building programs, we know like no cyber budget is bottomless. They don't have unlimited people, process. Even if I had those things, I don't have unlimited change capacity. So we're taught, or we're learning, our experience like find the critical crown jewels, focus on those immediately. That's your focus, and so M&A is somewhat very similar. It's like acquiring a company: find the crown jewels, get those secured, report those back, key things in integration to watch for and then we'll get to the next things. But we don't have this unlimited time to go after and budgets. Find the big things, orient, what they call OODA in Air Force: observe, orient, decide, act. And so I think that your experience plays into that ability to get speed and to focus at the right point there.

Speaker 1:

Yeah, great, I'm going to give one more scenario, and maybe, cody, this one's for you, but anybody can chime in. A private equity firm is acquired by a small but strategic tech company. They want to close in 30 days, so the speed we talked about. There's little time for a deep technical assessment and they're asking us, or our team, or a team like us, for a quick pulse. Quick pulse on cyber risk exposure. What are we doing? What's the minimum viable product?

Speaker 4:

That's a great point. Private equity acquiring a small tech firm. I think you're looking at again what are we purchasing, I think. Is it market share? Is it buying competition? What is the IP you're diving in? You know it's not going to be such a small tech firm. They're going to be focused on revenue generation.

Speaker 4:

So I think, getting in asking those three to four questions where are the crown jewels? How are we protecting those? And then at that point you're looking at, like, how fast can I bring this company in and absorb into my culture? We're controlling the PE versus the VC side, where VC may be more of just like a bet If it loses, I'm okay and the PE side, you're taking a little bigger chunk with an operational or long-term plan. So I think having that clear picture of what do we need to protect revenue and what do we need to get more revenue, and if those two things aren't covered in your first two questions, then you're not focused, because PE doesn't buy firms just for the fun of it, it's to make money and protect money. So I think having those two things tied together, I was going to say.

Speaker 2:

cyber tends to look at things from the confidentiality, the integrity, the availability picture, and that is still important. But during these acquisitions, these M&A deals, that revenue piece needs to be a piece of that puzzle. So we're keeping that central focus because that's the end goal, yep.

Speaker 1:

Awesome. Well, I think that wraps it up for this discussion. Thank you everyone for participating. If this resonates with individuals that are at companies that are looking to do deals, bring in expertise to help augment their or their cyber team's ability to work through these deals, we're here for you. So there'll be more on our website around M&A, but thanks for tuning in and if you have any questions, you can reach out to any of us or contact us via our website.
