Using Open-Source Intelligence for Mergers and Acquisitions – Security Intelligence

Mergers and acquisitions (M&A) have been challenging for IT and security teams for as long as businesses have relied on technology. Every company's IT system is as unique as the company itself. Your business may run on commonly used tools and apps and follow industry best practices to deploy and configure them. Nevertheless, these systems get molded to the specific needs of the business over time.

This can make the M&A process difficult when it comes to bringing together the technical systems and security needs on which the merged companies must function. This can result in drawn-out projects that may take years to fully transition to one IT pipeline.

The growth of cloud platforms has made these already challenging processes more complex. First, many apps used for work moved to a software-as-a-service model. In addition, the assets that make up the products and unique selling points of many businesses now reside in one of the many cloud-hosted platforms. They aren't physical assets in a data center anymore.

To help address these challenges, assess and review tech early in the M&A cycle. It's tempting to assess targets based mainly on their places in the market. After all, companies acquiring others want to fill a gap in their portfolio or own a specific tool or service. Checking for tech bottlenecks often comes late in the M&A cycle, leaving little time to consider the impact they will have on the future.

This is where open-source intelligence (OSINT) can help. It lets an acquirer assess a potential target's defenses and understand many aspects of the way it runs long before getting into the weeds of due diligence. As the name suggests, OSINT combines free, openly available information gathered from different sources. It builds a picture of a company's posture and is uniquely positioned to assess cloud defenses.

The simplest route to get to know a company's cloud security posture is to get OSINT health reports. These cover a lot of potential issues directly tied to the way the target company runs. They also pull their source data from multiple public scans and repositories. They can compare these with other, similar industry players, allowing a simple visual contrast with business rivals.

Some areas that an OSINT report will cover include:

Knowing all of this helps to indicate the resources put towards information security generally, most importantly the delivery and management of those systems and services that face the public internet. A poor score in one or more areas may suggest a weakness in a certain skill set or a blind spot in defenses.

A lot can be inferred from the pictures they paint. For example, the use of a specific cloud-hosting platform or underlying tech can guide the acquirer towards picking a target that aligns with their tech base, helping smooth the transition. It will also be obvious right away if you will need to standardize towards a certain platform, such as moving from G-Suite to Microsoft 365.

The use of OSINT doesn't replace the need for due diligence of IT systems and security practices once the acquisition is underway. However, it can help build a picture of how seriously a company takes security. In doing so, it reduces the risk of any nasty surprises further down the line.
