Mergers can make a mess of security. Here are some suggestions for guiding your organization through the confusion.

Every deal has its own rhythm, energizing its executives into purposeful activity. But the dirtiest dance of all is an acquisition. It begins with a tentative waltz and grinds into a maniacal merengue. That’s when security has to cut in without disrupting the beat.

During the past decade or so, I’ve been involved in several mergers and acquisitions, some worth billions of dollars, and I’ve made an observation: No matter how big the deal is, if it’s going to happen, it will happen fast. Keeping that in mind, I’ve come up with a security cheat sheet for abbreviated, yet meaningful, due diligence.

1. Find out why you’re really buying the company.

There are three reasons why these deals happen. Either you’re going to dismantle the company for its parts, assimilate it as a profit and loss center, or augment your organization by adding the company as a subsidiary. Knowing which path you’re on is the key to spending your time wisely.

2. Look for culture clash.

If incompatible security styles become tangled, they can bring the party to a crashing halt. In my experience, that has been the biggest problem. Some of the characters that may require careful assimilation are:

The ex-military, ex-intelligence types. Their hallmark is a pyramidal organization chart and well-documented processes. This is an ideal culture for companies looking to augment current security services.

NT shops. Their security function is probably integrated into the IT department and layered on top of Windows. This group is a good candidate for dismantling, but like a cautious shopper, CSOs should thoroughly check out what they’re buying. It’s easy to force assimilation by appointing a new alpha male and thinning the herd, but this group is a weak choice for augmentation.

Unix fanatics. Their slogan is: “If it’s documented, it’s not important; if it’s important, it’s not documented.” These types are lousy candidates for dismantling because they’ll fight every step of the way.

Security teams that report to finance. Their primary function is to look flashy for upper management and to fast-talk their way through security problems. They are difficult to dismantle because they hide their problems. For companies looking to assimilate a target or augment their own company by adding a subsidiary, this group will work fine.

3. Check the likeliest problem areas.

Start by validating key assumptions made by the M&A team. If the other company is going to be dismantled, focus on the parts that you’re really buying. If they’re to be assimilated, probe across the breadth of the organization. If it’s an augmentation play, ask them for a briefing on their organization and then see whether they’ve portrayed themselves accurately.

4. Document your findings in a report.

Keep it short. Avoid speculation, criticism and weaselly wording. While you’re writing it, think about how it might look as evidence in a lawsuit. Begin by restating the purpose of the acquisition, followed by a characterization of the other company’s security environment, the biggest problem area that you see and a short discussion of hidden benefits and possible pitfalls. Conclude with a recommendation of areas for deeper digging.

5. Close the loop with the target company.

A little courtesy goes a long way. If you don’t contact them, no one else will. Don’t make any promises and avoid discussing any specific problems. But a simple phone call can earn you a lot of goodwill.

Security is about choreographing a routine into a stylized art form. The dedicated CSO should not decline to dance nor blindly follow his partner’s lead. He should take a deep breath, move to the beat and keep the best interests of corporate security as his focus, all of this while trying not to step on any toes.