The most dangerous time for enterprise security? One month after an acquisition
But, he noted, he also needed to create a 100-day plan precisely to try to manage the new risks. “How do I place blame for all of the crap that I had no control over? It’s really about the CISO managing the risk for an arranged marriage. Even worse, this is an arranged second marriage where both parties have a lot of history and both sides come with lots of baggage,” he said.
Another former CISO, Michael Lines, helmed cybersecurity operations at PwC, TransUnion, and FICO. He is currently principal of cybersecurity vendor Heuristic Security.
He, too, is familiar with the cybersecurity problems of the post-acquisition holding period. “This is something that I do have experience with, both as an acquirer, and being acquired,” he said. “Often, infosec is the tail on the dog of the acquisition, brought in late to the process, and there is often an unstated expectation not to rock the boat on the acquisition. To the extent that issues are identified, it would have to be something catastrophic to derail the deal. What I am saying is that business interests determine whether the deal happens — infosec is often just a box to be checked.”