The chapter “Navigating Cybersecurity During Transition” addresses cybersecurity challenges during transitions like mergers and leadership changes. It covers cyber risks in M&A, due diligence, integration planning, managing leadership changes (especially in the CISO role), grooming a Deputy CISO, handling insider threats, transitioning between CISOs, and using growth opportunities to strengthen cybersecurity.
Once upon a time, when the internet was still young, a giant walked the world wide web.
Yahoo was once the king of the realm, a behemoth worth $125 bn, long before Google or Facebook dethroned it. A series of unfortunate incidents and consistent bad decisions later, Yahoo was acquired by Verizon in 2017.
Yahoo sold its core operating business to Verizon, where it was to be united with yet another fallen star, AOL, in a deal supposed to be worth approximately $4.8 bn. But then tragedy struck.
During the acquisition negotiations in 2016, Yahoo disclosed that it had suffered two massive data breaches in 2013 and 2014, which compromised the personal information of hundreds of millions of its user accounts.
Considered among the largest in history at the time, the breaches had severe implications for the Yahoo-Verizon acquisition deal. Apart from the huge blow to Yahoo’s reputation and user trust, they also raised concerns for Verizon about the security and integrity of Yahoo’s user databases. This prompted Verizon to reassess the terms of the deal and conduct a thorough cybersecurity evaluation of Yahoo’s systems.
In the end, Verizon lowered the acquisition price. After $350 mn was slashed from the original amount, the deal finally closed at a reduced negotiated price of $4.5 bn.
The Yahoo-Verizon merger is a significant example of how cybersecurity considerations play a crucial role in the success of transitions like mergers and acquisitions, divestitures, or even internal leadership changes. During the uncertainties of a transition, the leadership often loses sight of the significance of evaluating and strengthening the company’s cybersecurity posture as the primary focus is largely on financial, legal, and business aspects. Cybersecurity risks, as proven by the Yahoo-Verizon story, can have far-reaching consequences for the involved companies.
During transitional phases, the risk of cyber threats and data breaches increases significantly, making it crucial for organizations to adopt a proactive approach to safeguard their digital assets.
What are the different scenarios where a transition occurs in an organization? What does the Board need to know during such transitions to safeguard the company’s digital assets and pave the way for a more secure and resilient future?
Let’s find out.
Navigating the waters of mergers and acquisitions is a long and complex process, with the involved companies having to assess every aspect of their individual organizations.
During mergers and acquisitions, there are various cyber risks that organizations must be aware of and take measures against to ensure the security of their infrastructure. These risks can arise due to the integration of different IT environments, increased access points, and the potential mishandling of data during the transition. Some of these cyber risks include:
To mitigate these risks, both involved companies should conduct thorough cyber due diligence before the transaction.
In the past, until around five years ago, cybersecurity due diligence was completed in a matter of 20 minutes. But if we have learned anything from the likes of the Yahoo-Verizon deal or the Marriott-Starwood Hotels deal, it is that protecting sensitive data and maintaining robust cybersecurity measures during a transition are every bit as important as the other aspects of the deal, if not more so.
Cybersecurity due diligence in mergers and acquisitions is a critical process that helps mitigate the potential risks and vulnerabilities associated with the target company. It helps the acquiring organization understand the cybersecurity posture of the target and identify any potential issues that could pose a risk to the deal.
Cyber due diligence is not only important for the acquiring company but also for the selling company. For selling companies, it is important to do a compromise assessment before announcing the deal because their cyber program will be under severe scrutiny during the process. Conducting cyber due diligence will help the selling company understand and present its cybersecurity posture to potential buyers. Demonstrating a strong cybersecurity posture can increase their value in the process.
A selling company should cover the following processes in their cyber due diligence:
Preparing for the integration of the cybersecurity infrastructure during an M&A is crucial to protect sensitive data, maintain business continuity, and prevent potential security breaches. It is important to plan the integration well in advance and set expectations before the deal is negotiated and closed.
An important step is assessing the overall security culture of the company being acquired. Does the company have an established culture of conducting regular phishing exercises? Do they conduct regular training and awareness programs? Is cybersecurity more of a culture rather than a practice in the company? If yes is the answer to all these questions, then the integration has the potential to be seamless. On the other hand, if the buying company has all its practices and policies in place and the selling company hasn’t even rolled out multifactor authentication, then the integration needs to be a thoroughly planned program, starting from setting the culture right.
Conducting tabletop exercises during the transition period is a good way to prepare for potential incidents. When key stakeholders sit together and discuss their actions and decisions in response to hypothetical situations, it helps build preparedness, awareness, and coordination among them. Tabletop exercises also enhance the decision-making capabilities of these stakeholders, equipping them to respond effectively to high-pressure scenarios.
Creating an integration cybersecurity budget is a process that is often overlooked during acquisitions. When a cybersecurity budget is set up, it must not cover just the first 90 days; it must be a standing procedure which includes all processes, from setting up security systems on endpoints to the number of users who need privileged access. The stakeholders of the acquiring company must assess all one-time costs and recurring costs associated with cybersecurity and data privacy.
Two weeks into Elon Musk taking ownership of Twitter, the company found itself grappling with a massive exodus of its leadership and cybersecurity staff. For a company already burdened with cybersecurity issues, this posed a fresh set of challenges and raised concerns about the company’s ability to swiftly and efficiently address its security vulnerabilities in case of a data breach.
The departure of senior executives like CEO Parag Agrawal, General Counsel Sean Edgett, and Legal Policy Chief Vijaya Gadde, followed by the resignation of Lea Kissner, Twitter’s senior cybersecurity staffer, along with Damien Kieran, Chief Privacy Officer, and Marianne Fogarty, Chief Compliance Officer, raised serious regulatory concerns. The situation left the public and the business world confused and unclear as to who would be responsible for Twitter’s day-to-day security operations, especially given the company’s troubled history of data breaches and poor cybersecurity culture.
Twitter then had to clear the chaos and clean up the mess left by what can only be described as a messy, unplanned transition in the wake of its leadership change. Unfortunately, unplanned transitions like this are not that uncommon. This is where grooming a Deputy CISO adds immense value: as long as there is a practice of having a Deputy CISO, a regime change will not cause a major disruption to the organization’s cybersecurity.
Grooming a Deputy CISO who is prepared to step in during a leadership change is a strategic process that requires careful planning and development. To begin with, the chosen candidate must have a deep understanding of cybersecurity and risk management while also having the potential to be a strong leader. Ideally, the Deputy CISO should have a well-rounded skill set that covers technical expertise, communication skills, and the ability to collaborate with other departments.
Targeted training and development opportunities will help the Deputy CISO acquire the necessary skills and knowledge to handle the role effectively. This may include workshops, conferences, and obtaining relevant certifications.
A key part of grooming a Deputy CISO is conducting tabletop exercises in which the CISO is not present, giving the Deputy CISO an opportunity to practice their skills through simulated scenarios. This helps not just when the Deputy CISO needs to take over permanently in the event of an unplanned transition but also whenever the CISO needs an uninterrupted break from work.
It is important to provide the Deputy CISO with enough leadership opportunities to lead and collaborate on various security initiatives. Allowing them to shadow the current CISO will also help them hone their skills in decision-making, strategic planning, and stakeholder interactions.
While CISOs manage up, Deputy CISOs manage down. They are usually responsible for running the entire vertical supply chain of cybersecurity. The transition plan to move the Deputy CISO to CISO is a crucial element in business continuity and succession planning.
When a leadership change occurs in an organization, there are increased chances of disgruntled employees, or those who have access to sensitive information, taking advantage of the chaos of the transitional period. Managing possible insider threats in cybersecurity during a change in leadership requires a proactive and comprehensive approach.
The very first thing to do in case of a surprise exit is to ensure that the departing employee’s access is revoked immediately and their accounts are disabled. It is important to establish robust exit procedures and to update access controls for the various systems, applications, and critical data.
It is also important to review what the departing employee downloaded, and to keep the security logs covering at least the preceding year immutable, so that it can be confirmed that they do not retain access to organizational email and other sensitive information after their exit.
To mitigate insider threats, every organization must have well-defined security policies, which are kept up-to-date regularly. Employees must be made aware of these policies and the consequences of violating them. Implementing the principle of least privilege is also a good practice, granting employees only the minimum access required to perform their jobs.
Identifying unusual or suspicious behavior is a crucial element of detecting insider threats and as such, organizations must consider deploying monitoring tools to track user activities on their network and devices. Monitoring and preventing unauthorized transmission of sensitive data outside the organization must be a non-negotiable policy.
Most importantly, foster a positive and supportive work culture within the organization, where employees feel safe and valued, making it less likely that exiting employees will act maliciously. During leadership transitions, ensure clear communication about the changes and expectations, adopting a transparent approach to help alleviate uncertainties and reduce potential insider threats.
No matter how well planned the transition is, there is no guarantee that the process will be foolproof. A planned transition with an overlap of 2 weeks to a month is ideal, but it is also rare. Some transitions have too much overlap time, while others do not have enough.
There are scenarios in unplanned transitions where the overlap between the current CISO and the new one becomes overkill, for example 4 to 5 months, with both of them having access to the Board. The two CISOs will have their individual working styles and perspectives, which might not always be complementary.
In other cases, an interim CISO might be required to fill in after the exit of the current CISO and before the new CISO takes over. The interim CISO may have the authority on paper but may lack the necessary confidence to make critical decisions because of the uncertainty in their position.
Transitioning between CISOs can present unique cybersecurity challenges as it involves a change in leadership and strategy. To manage cybersecurity effectively during this transition, facilitating a comprehensive knowledge transfer from the outgoing CISO to the incoming CISO is extremely important. This transfer should include detailed documentation of security policies and procedures, ongoing projects, risk assessments, incident response plans, and any other relevant information.
Whereas the role of the outgoing CISO ends with the knowledge transfer, the incoming CISO must be proactive in approaching their cybersecurity duties early on. They should conduct a thorough assessment of the organization’s existing cybersecurity posture to gain an understanding of the strengths and vulnerabilities, and potential areas of improvement.
They should also work with the management and the Board to identify cybersecurity priorities and align them with the overall business objectives. It is also a good idea to get third-party assessments to figure out the problem areas, which can then become the new CISO’s areas of focus.
It is also crucial for the incoming CISO to build strong relationships with key stakeholders including the Board, management, IT leaders, and other department heads. This will help them establish trust and effective communication channels within the organization.
The new CISO must clearly communicate their vision and strategy to the entire organization, since, as discussed earlier, their approach will differ from the previous CISO’s. The incoming CISO should engage with employees at all levels to create a security-conscious culture and assure them that there will be no disruption to cybersecurity operations during or after the transition.
Navigating the complex landscape of cybersecurity during a transition can give rise to formidable challenges. But with the right strategies and best practices, organizations can effectively safeguard their existing cyber defenses and even fortify them.