How can security teams measure the risk and maturity of a company they’re acquiring?

I've been spending a lot of time in the private equity space around due diligence, and there's a lot going on in building Capability Maturity Models. Not only around business and processes in companies but also around culture and some other areas, to try to ensure that things are not going to crash and burn post-acquisition. But I haven't really seen those people talk about security.

Anonymous Author
When you do an M&A activity, what should happen is the purchasing company should be able to deploy their controls before the purchase is made. I should be able to do that, and my controls should be flexible enough that you don't need to be on my enterprise or my network. I deploy my controls to a subset or a selection of the prospective purchased company's assets. And then after a two-week period, your professional SOC should be able to say, "Hey, we put controls on 100 machines; out of the 100 machines, 10% were on expired OSes, 50% had critical or high exploitable vulnerabilities, and we saw 30 things that went wrong that nobody responded to." And that is a good way of measuring the risk and maturity of the company to be purchased, which may result in renegotiating the price.
1 upvotes
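The pilot the answer above describes ends in three numbers: share of hosts past vendor end-of-life, share carrying an exploitable critical/high finding, and alerts nobody triaged. The script below is an added example of how a diligence team might compute those figures from the telemetry such a pilot returns; it is not code from the commenter or from any vendor tool. The end-of-life table, the 24-hour triage SLA, the rule that an OS missing from the table counts as expired, and the ten-host sample are all assumptions constructed for the example.

```python
"""Turn pre-acquisition pilot telemetry into the risk figures a SOC would report back.

Added example, not from the original thread. Inventory, vulnerability and alert
records are constructed inline; a real pilot would pull them from the deployed agents.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Optional

# Assumed end-of-life dates for the OS builds seen in the pilot (check vendor
# lifecycle pages for real ones). Anything not listed is treated as expired,
# on the view that an OS the acquirer cannot identify is a risk, not a pass.
OS_EOL = {
    "windows-server-2012-r2": date(2023, 10, 10),
    "windows-server-2019": date(2029, 1, 9),
    "ubuntu-22.04": date(2027, 4, 1),
}

TRIAGE_SLA = timedelta(hours=24)  # assumed: an alert untouched for longer counts as "nobody responded"


@dataclass
class Vuln:
    finding_id: str          # opaque scanner finding id (constructed; not real CVEs)
    severity: str            # "critical", "high", "medium" or "low"
    exploitable: bool        # scanner flags a public exploit / known exploitation


@dataclass
class Alert:
    raised: datetime
    acknowledged: Optional[datetime]  # None when no analyst ever touched it


@dataclass
class Host:
    name: str
    os: str
    vulns: list = field(default_factory=list)
    alerts: list = field(default_factory=list)


def os_expired(host: Host, as_of: date) -> bool:
    eol = OS_EOL.get(host.os)
    return eol is None or eol < as_of


def exploitable_crit_or_high(host: Host) -> bool:
    # Only findings that are BOTH high/critical AND exploitable move the number;
    # an unexploitable high or an exploitable medium does not.
    return any(v.severity in ("critical", "high") and v.exploitable for v in host.vulns)


def unanswered(alert: Alert) -> bool:
    return alert.acknowledged is None or alert.acknowledged - alert.raised > TRIAGE_SLA


def summarize(hosts: list, as_of: datetime) -> dict:
    """Produce the report-back figures for a set of pilot hosts."""
    n = len(hosts)
    alerts = [a for h in hosts for a in h.alerts]
    pct = lambda k: round(100.0 * k / n, 1) if n else 0.0
    return {
        "hosts": n,
        "pct_expired_os": pct(sum(os_expired(h, as_of.date()) for h in hosts)),
        "pct_exploitable_crit_high": pct(sum(exploitable_crit_or_high(h) for h in hosts)),
        "alerts_total": len(alerts),
        "alerts_unanswered": sum(unanswered(a) for a in alerts),
    }


def sample_pilot():
    """Constructed ten-host pilot: 1 expired OS, 5 exploitable crit/high, 3 unanswered alerts."""
    now = datetime(2024, 6, 1, 9, 0)
    hosts = [Host(f"host{i:02d}", "windows-server-2019") for i in range(1, 11)]
    hosts[0].os = "windows-server-2012-r2"     # past EOL
    for h in hosts[3:6]:
        h.os = "ubuntu-22.04"
    for i, h in enumerate(hosts[:5]):          # five hosts with exploitable high/critical findings
        h.vulns.append(Vuln(f"finding-{i:02d}", "critical" if i % 2 == 0 else "high", True))
    hosts[5].vulns.append(Vuln("finding-05", "high", False))    # high but not exploitable: not counted
    hosts[6].vulns.append(Vuln("finding-06", "medium", True))   # exploitable but medium: not counted
    for i, h in enumerate(hosts):              # one alert per host over the two-week window
        raised = now - timedelta(days=10) + timedelta(days=i)
        if i in (2, 7):
            ack = None                          # never triaged
        elif i == 4:
            ack = raised + timedelta(days=3)    # triaged, but far outside the SLA
        else:
            ack = raised + timedelta(hours=2)
        h.alerts.append(Alert(raised, ack))
    return hosts, now


if __name__ == "__main__":
    hosts, now = sample_pilot()
    for k, v in summarize(hosts, now).items():
        print(f"{k}: {v}")
```

The SLA and the "unknown OS is expired" rule are the two knobs a diligence team would argue about with the target, so they are deliberately kept as named constants rather than buried in the logic.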