Strategic security acquisitions: What makes sense?
Thanks to a steady stream of high-profile data breaches, a rapidly shifting threat environment, and the recent indictment of 5 members of Chinese People’s Liberation Army “Unit 61398″ for state-sponsored espionage, security is top-of-mind, even in the boardroom.
Collectively, these forces have major implications for the security technology marketplace. Already, we’re seeing some “old guard’ technology vendors being overcome by newer, more agile vendors. In addition, security technology vendors are scrambling to build out their security product portfolios through strategic acquisitions.
Don’t create a monster
Over the years, I’ve seen large security companies put together “Franken-mergers” that never worked well. These ill-fated combinations often hampered execution and killed customer satisfaction. Unfortunately, some of these organizations have earned reputations as “places good products go to die.” These companies didn’t grasp that technology fit alone isn’t sufficient – an effective merger must also blend people, culture, and go-to-market capabilities in a sustainable way or the merger will fail. In these scenarios, it’s ultimately the customers who suffer.
Another problem is that some of these deals are driven by emotions and hype, rather than business value and a sustainable business plan.
Many CISOs recognize that mergers can bring instability and increase risk, so they are consciously diversifying their vendor portfolios to avoid relying on a single vendor. This approach is accelerating due to the complexity of today’s threat environment, which continues to change so quickly it can’t be effectively addressed by a single vendor.
I’ve worked with a number of forward-thinking CISOs and they have a few things in common. First, they deliberately connect security to their business goals and metrics, and this in turn makes it easier to get recognition for the value information security provides to the organization and get their non-technical peers on board with what they are doing
Second, rather than looking for “silver bullet” security tools, these CISO’s determine a composite set of capabilities required to defend their organizations. Understanding those capabilities makes it easier to objectively evaluate the onslaught of new options available.
Third, these CISO’s diversify their own technology portfolios to build a “defense in depth” security model to minimize single points of failure. This has the additional benefit of making it easier to adjust their security strategy as the threat landscape changes.
Finally, these CISOs evaluate the capabilities of their organization to ensure they address any skills gaps, lean on outside expertise as necessary, and fully understand how any new technology will fit with their existing technology set.
All of that makes sense, right? If you take a step back, you’ll notice that security companies would benefit from asking the same before they rush out and buy another technology company.
You’re not done just when the deal is done
Once the acquisition is made, the real work begins. How will the new product addition add value without causing distractions or creating a bunch of thrash? Technology product companies have a tendency to create a bunch of new data and alerts that might very well overwhelm an enterprise’s ability to consume the data.
The current tendency is to lump this problem in with “big data” and “security intelligence” solutions, which doesn’t necessarily solve the problem. The challenge for all vendors is that of prioritization and discrimination, and this problem becomes particularly acute for security vendors with a large portfolio of solutions.
To be effective, any new solution must tie back to the business goals and metrics I mentioned earlier. In other words, not all security products controls or alerts are created equal, and the only way to prioritize them correctly is to align priorities through the lens of business impact and business value.
One approach is to rely on the “so what” test — ask what the potential consequences are if you choose to ignore a specific type of data. That objective evaluation can bring a lot of clarity when deciding how much energy to spend on dealing with a product, an information source, or an alert.
Look before you leap
The bottom line is that success of security M&A and enterprise technology adoption both rely on objectivity, and evaluating things in the context of your business priorities and strategy. Don’t let your emotions get in the way of a good decision, and make sure your security acquisitions are always connected to value for your unique business.