In the world of cybersecurity, former CISOs are shedding light on the challenges that come with managing risks during the post-acquisition period. These individuals, with years of experience in the field, have seen firsthand how information security can often take a backseat to business interests during the acquisition process.
One such former CISO, who chose to remain anonymous, spoke about the difficulties of managing risks that were outside of his control during the 100-day post-acquisition period. He likened the experience to an arranged marriage, where both parties come with their own histories and baggage. For him, the challenge was not only to identify and mitigate risks but also to navigate the complexities of corporate mergers and acquisitions.
Another former CISO, Michael Lines, shared his insights based on his experiences at companies like PWC, TransUnion, and FICO. As someone who has been on both sides of the acquisition process, Lines emphasized the fact that cybersecurity is often seen as an afterthought in these deals. Infosec may be brought in late in the process, with an unspoken expectation not to disrupt the acquisition. In his view, business interests typically take precedence, and only catastrophic issues would be enough to stop a deal in its tracks.
Lines highlighted the fact that, in many cases, cybersecurity is viewed as a checkbox to be marked off rather than a critical aspect of the acquisition process. Despite the importance of identifying and addressing security risks, the ultimate decision to proceed with a deal often comes down to the bottom line. Infosec professionals are left grappling with how to balance the need for robust security measures with the demands of a fast-paced acquisition environment.
Overall, the insights shared by these former CISOs shed light on the complex dynamics at play during the post-acquisition holding period. As companies navigate the challenges of integrating new systems and processes, cybersecurity remains a critical concern that cannot be overlooked. Finding a balance between business interests and information security is essential to ensuring a smooth transition and safeguarding against potential threats in the wake of an acquisition.