[01-25-24]--Join us tomorrow for Super Cyber Game Show Friday
Super Cyber Fridays!
Join us TOMORROW, Friday [01-26-24], for "Super Cyber Game Show Friday"
Join us Friday, January 26, 2024, for “Super Cyber Game Show Friday”, one hour packed with cyber games. We'll be bringing our audience into the show to play some of our favorite games.
It all begins at 1 PM ET/10 AM PT on Friday, January 26, 2024. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Defense in Depth
CISOs Responsibilities Before and After an M&A
Mergers and acquisitions always present challenges to an organization. When it comes to cybersecurity, how involved should a CISO be before AND after an acquisition? And can cybersecurity considerations make or break a deal?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. Joining us is our guest, Alexandra Landegger, executive director and CISO, Collins Aerospace.
M&A remains a challenging time for CISOs
A merger can bring new opportunities for the business, but from a cybersecurity perspective, there’s a lot to account for. Declan Burke, CISO at NorthStandard, summarized the challenges, saying, "A CISO needs to understand and interpret both risk landscapes and build a new security model for the combined group, all during a time when sensitive data is being shared more abundantly, and while the firm is in the spotlight." One of the key ways that CISOs can help ease this transition is effective communication on the challenges. "Delivering salient feedback on key areas can help ease some of the stress of how we plan to address much of the technical uncertainty in a palatable and business friendly way," said John Robinson, CISO at Northrop Grumman.
Understanding what you’re getting into
When a CISO should get involved with the M&A process depends on the specifics of each transaction. Some would prefer getting in as early as possible, with Aditya Sarangapani of WNS saying, "I would get the CISO's team in earlier during the due diligence process rather than after the purchase decision is made." But some think a CISO's involvement in the whole process speaks to bigger structural issues. "If the CISO is involved in every M&A, the process itself is flawed and needs to be revisited," said Eric Elbert of RP Technology LLC. Drew Simonis, CISO at Juniper Networks, suggested a sensible middle ground, saying, "A CISO's team can define sound practices but that doesn't mean they need to be operationally involved in their execution."
M&A is a vulnerable time
Announcing a merger or acquisition not only casts a media spotlight, but it also signals a broadened attack surface to threat actors. "We are seeing an increase in targeted attacks on companies upon M&A announcements/closing. Having someone to manage cyber risks strategically during transactions is crucial to preserve deal value," said Dheeraj Gurugubelli of EY-Parthenon. This can persist post-acquisition if cybersecurity teams don’t get real visibility into risk. "M&A cyber risk assessments rely on questionnaires and ratings that aren't aligned with actual exposure to attackers/risk. Then it takes two years instead of six months to integrate the acquired company into the ‘networks’ of the acquired company," said Rob N. Gurzeev of CyCognito.
The CISO needs to stay focused on risk in this process
While M&A can prove a challenging time, it’s important to realize the goal of the CISO remains the same in this process. "You need someone who can decipher not only the difference in infosec strategy, but also someone who can dig deep and find the accepted risks that the new organization will have to deal with moving forward," said Fernando Morales of AmeriHealth Caritas. As always, a CISO must connect cybersecurity with value for the business. "The CISO must be a business partner in addition to protecting the confidentiality, integrity, and availability of information assets. Advocate the value that cyber brings to an enterprise," said Kevin Heineman, CISO at Lyric.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Thanks to our podcast sponsor, Aphinia
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Mike Kelley, vp, CISO, The E.W. Scripps Company.
Thanks to our Cyber Security Headlines sponsor, Conveyor
Shifting Communication Between CISOs and Boards
With security incidents increasingly common across companies, boards now have real-world experience on the primacy of cybersecurity when it comes to business risk. This marks a complete shift in how CISOs now communicate with the board, says Kirsten Davies, CISO, Unilever. This has led to more former CISOs being named to boards, where they can offer a more holistic view of how cybersecurity impacts overall risk to an organization.
Thanks to our sponsor, Claroty
Cyber chatter from around the web...
Jump in on these conversations
"What do we think threat actors target for next 3-5 years" (More here)
"Worst mistake you've made/seen in Cyber? Ramifications?" (More here)
"Blank Check for Certs, What to Go For?" (More here)
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.