Post written by
CISO & VP Product Innovation at Verodin, working with customers worldwide to improve their cybersecurity effectiveness.
This is the first installment of a new series called “Cybersecurity In Real Life.” Each article will offer real-world examples of the positive impact of cybersecurity technology on areas of business beyond securing a company’s digital assets. While that is important, a more proactive approach to security can also provide:
In order to accomplish this, cybersecurity technology needs to be applied in the right way, meaning security teams must not assume that controls are working as promised or that the many interdependent elements of the security infrastructure are configured properly and tuned for the environment they protect.
But this is often not the case. When trying to measure security effectiveness, many organizations discover that misconfigurations, environmental drift and other factors degrade the performance of tools they have invested millions of dollars in, leaving them exposed to a breach that those tools were bought to prevent. The real-world examples I will share demonstrate that when these discoveries are made and remedied, the benefits go far beyond a more secure enterprise. Organizations are transformed. Technology investments are rationalized. Hiring and employee retention are improved. People's lives change.
Streamline Due Diligence in Mergers and Acquisitions
This story is about a large U.S. retail brand, a Verodin customer, that frequently acquires other companies. In conducting due diligence, the security team needs to evaluate whether the target company's IT environment is secure and how its security tools will integrate into the acquirer's own infrastructure. This includes testing and confirming that the interrelated software and protocols actually work as intended, not just that they are present, and examining how the target complies with applicable industry regulations.
These are not easy items to check off. Security teams are already challenged to stay on top of their own company's people, products and processes, and work around the clock to keep digital assets protected. When the security infrastructure of multiple acquisition targets is added, the workload grows considerably. Furthermore, like most companies, this retailer conducted cyber due diligence through a manual, paperwork-intensive approach that was time-consuming, inefficient and not always accurate.
Below are three aspects of security due diligence that were significantly improved when technology was applied to replace traditional, manual ways of doing things, along with best practices for conducting your own cyber due diligence.
1. Scans and surveys. Like many large enterprises, the retailer's security team relied on vulnerability scans and paper-based questionnaires as the basis for its security analysis. These could identify systems that needed patching but offered no understanding of whether the overall security infrastructure was effective. The surveys consumed time and effort on both companies' security teams and provided only qualitative, self-reported information without the quantitative metrics needed to compare targets. Security instrumentation technology allowed for a holistic look at whether the target company's security controls actually prevented and detected attacks, so the team could more quickly determine which companies were the best acquisition candidates and how to integrate the new IT and security environment with its own.
2. On-site configuration checks. Conducting on-site configuration checks of the network, systems and applications was also a common approach, but it was highly inefficient and costly. It also provided only a point-in-time snapshot of the configuration, whereas ongoing, automated measurement is needed to spot how subsequent changes in the IT environment affect security. Once the company adopted testing and measurement technology to assess and monitor on a continual basis, individuals on the security team were able to focus their time on improving the cybersecurity tech stack and processes rather than spending days or weeks merely pinpointing gaps.
3. Reports and communication. When reporting their findings, security professionals communicated results in technical language that did not match the business terms executives required. Executive teams now expect information on their company's cybersecurity stance in response to board and regulatory pressure, and they want more than a list of security gaps and issues: they want a plan of actionable steps to fix the problems. With effectiveness measurement technology and real-time analysis, the retailer could produce evidence-based metrics that showed what steps would be taken to resolve security gaps and which processes would be integrated and automated to defend against newly discovered vulnerabilities.
Cyber Due Diligence Best Practices
Below are some tips for how to conduct thorough, informed security due diligence when considering a merger or acquisition:
• Take inventory of the acquisition target's critical business assets: Are its security controls effectively protecting those assets? If not, your company inherits that exposure at closing and may be subject to a major fine or lawsuit in the event of a breach, including one that began before the deal.
• Understand how security tools are managed and monitored: Are managed services being used? What processes are in place for incident prevention, detection and response? This is typically an area where there is room for improvement, particularly for smaller companies.
• Identify and prioritize gaps across the security layers: This should include endpoint, email, network and cloud, as well as how the organization uses standards, frameworks and reference material such as MITRE ATT&CK, SANS, OWASP and NIST guidance.
• Review organizational approaches to compliance with relevant regulatory mandates: How is security effectiveness communicated at a leadership and board level? How is company leadership leveraging that information for decision making and corporate governance?
• Determine cyber investment priorities: How do these map to your organization’s budget and priorities? Which investments will provide the most value given the areas that most need to be addressed?
Industry consolidation is constant. As regulatory pressure increases and the threat landscape continues to evolve, companies will invest larger sums in cyber defense, making it important to conduct efficient and accurate due diligence of a target company's security posture in ways that go far beyond the historic concerns of the IT team. It has now become a focus of both business and technology leadership, particularly in the robust evaluation of a potential M&A candidate.