
Mergers and acquisitions: How zero trust helps achieve a competitive advantage

Oct 21, 2022

Despite an economic downturn, corporate acquisitions have increased: the big are getting bigger. This trend is expected to continue over the next 16-24 months, and chances are high that your company will either acquire or get acquired. The question is, are you prepared from an IT and cybersecurity standpoint?

The two most important pieces of your integration playbook that will reduce time to value are:

  • Delivering earlier synergies, improving deal valuation 
  • Protecting both acquirer/acquiree from targeted cyber threats

I recently spoke with IT and cybersecurity leaders at CXO Summit Live Chicago about how to modernize the mergers and acquisitions playbook ahead of an integration. Here are some of the things I discussed.

Cloud platforms deliver faster and more secure acquisitions

Here’s a common scenario many CIOs and CTOs find themselves in: you turn on the news to find your company has just acquired 10,000 users. What’s the rule of thumb? IT and cybersecurity are the last to know. What typically happens next is you hire a consulting firm that will spend the next six to eight weeks doing pre-closure due diligence and producing an integration plan.

The good news is, if you have Zscaler deployed, we’ll provide a client connector on the acquired users’ endpoints and an application connector wherever their applications reside. Now you, the buyer, are fully operating every security application, connecting to the same cloud instance (tenant) as the acquired asset, and using real-time profiling to identify and mitigate cyber threats. This is critical because the greatest risk coming into an acquisition is that you don’t know what you don’t know, often hidden behind a porous firewall connecting non-employees, third parties, and legacy acquisitions that were never completed.

We automatically assume that the asset coming in is fully compromised. By profiling assets quickly, you gain visibility into users, applications, policies, risk threats, vulnerabilities, risk ratings, IT assets, and licensing—an entire six to nine months of work can be done in a matter of days in-house. You now have an unprecedented source of truth and can set the appropriate level of control and policy.

The traditional any-to-any MPLS/VPN approach, where one network connects to another network, leaves your business vulnerable to unauthorized access, illicit behavior, and, most damagingly, ransomware attacks. Some of the largest ransomware attacks occurred post-acquisition when third-party access controls were left incomplete.

With Zscaler, your most important systems remain unreachable because you’re granting users least privilege, applying identity-based control, and preventing lateral spread. You do this not within months, not within weeks, but within hours. When minimizing attack surfaces, it’s extremely difficult to see, scan, attack, or breach what isn’t there.

Matt Ramberg, VP of Information Security at Sanmina, who recently completed a 1,000-user merger and acquisition with Zscaler, offers a noteworthy case study. Connecting a user to an application through the appropriate AAA security framework, with the necessary restrictions in place, took his organization only a few hours, whereas in the past it would have taken up to two years to integrate facilities, dedicated circuits, and stacks of technology.

Divestitures built in the cloud with Zero IT footprint

Divestitures have the opposite goal: to surgically identify and separate users, applications, and control. But it’s not always clear which users are going and which applications are remaining, let alone which fall under a transition services agreement (TSA).

Separations in the cloud enable an originator to securely establish a virtual IT estate (splitco tenant) in the cloud with no physical IT footprint. Based on environmental profiling, users are connected to the new splitco tenant with proper security controls and user experience monitoring. Application workloads affiliated with the divestiture are connected to the splitco tenant, with an identity and access management system providing policy. Splitco users are able to securely access divested applications, while still securely connecting to applications left behind as part of the TSA. Data separation and workload migrations, which often take the longest amount of time, can now commence without impacting the day 1 change of control.

With proper planning and preparation, rapid and secure divestitures can occur over just a weekend. By leveraging a cloud platform with zero IT footprint and connecting users directly to applications in a secure and reliable manner, we move complexity behind the scenes without interrupting the end user. What once required an army of architects, engineers, operations, and PMOs can be done with just a few full-stack engineers.

Zscaler has led some of the largest global divestitures among Fortune 100 firms this past year. Clients leveraging the platform see a compelling competitive advantage. To get the conversation started with the separation management office (SMO), here are a few key questions to consider:

  • How did we do during the last transaction? Did we hit our synergy growth targets? Did we achieve our savings objectives?
  • What type of cyber risk did we incur? How long did it take to identify the threats and subsequently remediate them? Was the initial wave of controls enough to make an impact?
  • What if we could do the next transaction in half the time and at a fraction of the cost?
  • What’s going to happen to all of the past acquisitions that were never completely integrated?

Five themes to take heed of ahead of an acquisition or separation

Among the 400 clients that have adopted the Zscaler platform for their mergers, acquisitions, and divestitures, we’ve seen five common challenges:

  • Time to value: Today’s supply chain issues make the traditional approach even lengthier. If you have Zscaler deployed, on the other hand, you can connect users and applications securely in a matter of hours.
  • Risks and threats: You don’t know what you don’t know about the newly acquired assets—especially when it comes to their security posture. We’re eliminating 85% to 90% of the attack surface and, more importantly, the unknown attack surfaces from third-party access and non-employees.
  • Cost reduction: The Zscaler platform is 40% to 50% more economical. There’s no hardware to invest in and maintain. Zscaler is all software, and we’re doing transactions in the cloud.
  • Simplification: With Zscaler, you don’t need an army of architects and engineers. The work can be completed with a full-stack engineer and a site reliability engineer.
  • People: Zscaler helps reduce the burden of change management on users. Zscaler Digital Experience (ZDX) enables you to continually measure, monitor, troubleshoot, and resolve user experience issues.

Your most business-critical applications are migrating to Cloud Service Providers. Isn’t it time you move your most important business processes (M&A/Div) there as well? When you’re ready, Zscaler makes it fast, secure, and more reliable.
