Baptistin Buchet

From people and organizations to strategic alignment and governance, the complexity of an M&A can be overwhelming. More importantly, the integration itself can become a major security vulnerability for both companies coming together.

Today, the four biggest IT security risks in an M&A are:

  1. Security postures. When you bring together two organizations with different approaches to securing data, there is a significant chance that you will create gaps. Prior to the M&A, each organization has its own security profile and most likely protects its data differently. As you connect them, you can open holes that an attacker can exploit, jeopardizing the entire process. Rule number one in an M&A is therefore never to sacrifice your security posture: keep tight control over how the two companies connect their systems and share data at every step, and have knowledgeable security architects from each organization at the table from the very start of the engagement.
  2. Data classification. It is common for companies to classify their data differently, so establishing a common taxonomy for how data is regarded and classified is critical. For example, company A may label its sensitive data "classified/internal use only," while company B labels equivalent files "restricted." These classifications matter especially in an M&A because both companies need to apply the same controls to data of the same sensitivity. To make this possible, you have to understand both where the data resides and what it means to the business, and make sure the merging organizations arrive at a common method of classifying information (and a documented mapping from each legacy label to the common one).
  3. Security technologies. Technology can be a major risk because it determines the efficacy of your controls. In an M&A it is common to find duplication, but also gaps. You should ask: What are the security capabilities of each organization? Does one organization have higher maturity in a specific security domain or domains? How do we combine these strengths to build a robust and effective security program? Do both organizations have intrusion prevention systems? Do both have security information and event management (SIEM)? Methodology is just as important as the technology itself. Ask yourself: Do we apply similar controls to similar systems and information? What is our BC/DR/IR strategy for these systems? Do both organizations grant access to their environments in the same way? A thorough review is in order to ensure that you have the right capabilities and processes for the necessary controls.
  4. New risks. As two companies with different IT systems, capabilities and methodologies merge, new risks will arise that require mitigation. This is especially true of compromise and compliance risk: an M&A can expose one company to extra scrutiny because of regulations that apply to the other. PCI compliance is a good example. If the acquired company has systems in PCI audit scope and the acquiring company does not, connecting the two environments without proper segmentation can pull the acquirer's systems into scope, enlarging the audit and, eventually, leading to sanctions. A review of both organizations' risk registers is a good start, but it must be followed by a thorough, holistic assessment of the combined environment.

Ultimately, it all comes down to priority.

IT leaders need to involve their security teams from day one and see to it that IT security is woven into every stage of the integration process. This means making sure each organization has a defined process for understanding its risks and vulnerabilities, as well as the security controls at its disposal to mitigate them.

Finally, re-evaluate and retest your controls every step of the way as the merger or acquisition progresses. Be prepared to make adjustments to ensure your security posture remains sound without creating new security headaches.

Download our M&A Playbook for IT to find out more about major integration challenges faced by IT leaders and a framework to handle them more effectively.

Baptistin Buchet
Head of Cybersecurity & Digital Trust

Baptistin Buchet leads the cybersecurity activities at the Wavestone US office in New York City. He graduated from EPITA, the premier graduate school of computer science and advanced technologies in France, majoring in systems, network, and security. Certified in both CISSP and CISM, Baptistin has, over the years, developed extensive expertise in risk management, security architecture, crisis management, and emerging technologies. He is also a frequent media and conference speaker and gives university lectures at New York University and other European-based schools.
