What do you really inherit in an acquisition?
When I bought my house a few years ago, my wife and I were thrilled. It had all the space we wanted with great natural light, a good school district, and the perfect distance to work – it checked all of our boxes – score!
As part of the homebuying process, during due diligence, there’s a mandatory home inspection so that the buyer knows where the proverbial bodies could be buried. We had a lovely gentleman give us “house-ownership 101” as part of the inspection. When we were done with his multi-hour evaluation, he said the house looked great. However, he said he couldn’t look into anything to do with pipes, external hookups, or the gas line, so we were in the dark on some things. Since we loved the house and it accomplished our strategic goals, we went ahead with the buy, being blind to potential problems…
Lo and behold, a few months later we noticed a gas smell around the outside of the house that seemed to be emanating from our basement – a problem we originally had no visibility into, but one that was now our (costly) responsibility to fix to ensure the safety of our home. Had we known about this issue in the early stages of the home buying process, we could have taken steps to proactively solve it before it developed into a catastrophic (and expensive) problem.
The home buying process can also serve as a general picture of what can happen during an acquisition, where one company buys another: the buyer expresses interest, then enters into due diligence to evaluate the company, and after due diligence, the buyer finalizes or moves on. When the buyer takes ownership of the new company, they take not only the assets but also the liabilities and hidden risks that maybe weren’t fully uncovered in due diligence.
One major hidden risk is data security and privacy. It’s hard enough for a company to answer the following questions:
1) What data do I have?
2) What data is sensitive?
3) Of the sensitive data, is it all protected?
4) Of the protected data, what is not sensitive and doesn’t need to be protected?
Now, imagine this same set of questions – already a huge challenge for one company – during an acquisition, where the scope can increase dramatically. The gas problem that wasn’t uncovered is now the responsibility of the buyer, and the stakes are high when it comes to data security, with potential fines in the millions and customer trust to maintain.
Often, CISOs and Information Risk professionals are in the dark. The scale of their responsibility increases exponentially, and the tools at their disposal now need to be extended to a new sphere.
The typical response to an acquisition is to perform a data inventory of new assets to help answer data security and privacy questions. This response can run into trouble because a manual data inventory can be a long process – taking weeks or months – and it’s only a snapshot of data that is constantly changing. Once an inventory is complete, protection controls – encryption, tokenization, monitoring, etc. – can be applied to provide a level of relief to the organization.
One proposed solution would be to automate the full data inventory process so that it can be done quickly with minimal false positives, and can be constantly updated without human intervention. This then creates a sustainable posture from which protection can be deployed as soon as new sensitive data is discovered, allowing companies to reduce their risk footprint and the business to take full advantage of its shiny new acquisition asset. Companies have reported massive cost savings, risk reduction, and operational efficiencies as a result of an automated, comprehensive data inventory, even to the point of fueling their entire data security and privacy posture as the source of truth.
Sounds great, doesn’t it? These solutions do exist in the world of data security and privacy to make life easier for all parties. Now, if only we had a way to discover and classify home issues before they turn into bigger problems!