
The Day After 'Day One': A Security Leader's Guide Surviving M&A W/O Day Drinking

BSides Seattle · 26:42 · 107 views · Published 2025-06
Category: Career
Style: Talk
About this talk

Let's face it - mergers and acquisitions can turn the most peaceful security teams into stressed-out, coffee-overdosed zombies struggling to merge conflicting tools, processes, and cultures. Your acquired team is questioning everything they've ever done, while your existing team is ready to update their resumes. Before you find yourself googling "how to hide bodies in the server room," learn how a structured capability maturity model can transform chaos into harmony. This talk presents battle-tested strategies for keeping both teams alive, productive, and maybe even happy during security integration.

Hilary Young, Senior Technical Program Manager

Hilary Young is a security transformation catalyst who rewrites the playbook on organizational cybersecurity. With a strategic approach that blends technical mastery and visionary leadership, she turns security from a defensive posture into a powerful business enabler. At Dropbox and Amazon, Hilary has consistently shattered traditional security paradigms. She slashed subsidiary onboarding times by 80%, empowered 1,500 developers as security champions, and led a $1.2M penetration testing program that redefined risk management. Her innovative methods don't just protect—they propel organizations forward. Beyond technical excellence, Hilary is a community builder. As a volunteer at The Diana Initiative and BSides Seattle, she champions diversity and collaborative insight in cybersecurity. Her approach goes beyond code and protocols, focusing on the human potential at the heart of digital protection. Constantly evolving, Hilary represents the new generation of security leaders: strategic, collaborative, and relentlessly innovative.

Transcript [en]

Hi everybody. Welcome. Everybody's got those tacos in their belly. Great food, great turnout we had over the last couple days. Thank you to all of you for being here. My name is Hilary Young. That's me in front of Mount Rainier in October. The first weekend in October, FYI. Best colors you've ever seen in your life. Highly recommend checking it out. I would like to start this talk with a confession. I am not an expert. If you thought you were coming to see an expert, I don't know who that person is. I would love to refer you, but it's just me. School of hard knocks got me here, and I'm happy to share the lessons I've learned along the way on my TPM journey in relation to how we get security integrated when there's an existing subsidiary or someone who's a new acquisition. So thanks everybody for coming.

We're going to start with a game. Everybody loves games, right? It's after lunch. Good time. Let's get the jitters out. We're going to do the integration disaster bingo card. So by a show of hands, who has seen or heard, actually, B1? Who can get a B1 here? "We've always done it this way." Oh, I'm so shocked. I did not know that that was a really common thing. Challenge to the status quo is always tricky. I2, who has seen those Slack channels with the popcorn emoji? Anyone? Those are some of my personal favorite Slack channels. I do love a good telenovela, and if I actually know the characters, even more fun. Give me all the popcorn. N3, who can claim N3? That is going to be that string of resignation emails. You know, they're kind of clouded with something along the lines of, "It's been a wonderful adventure and I'm ready to find my new journey," and it just keeps coming and coming. Unrelated, totally, to that latest acquisition that maybe replaced their job or something. G4, who can claim the G4? Those great ghost town status meetings. Lots of heads, no one talks, very expensive, completely worthless. How do we avoid those? And last but not least, to get your bingo, O5: overnight shift from collaboration to documentation. I'm just going to write everything down so I don't have to talk to anybody. I'm over here by myself. Nobody look. Just a few. So only a few truly got bingo. But I'm gonna help you figure out how to solve for bingo in your daily lives the next time there's an acquisition that gets dropped in your lap, your favorite kind of unplanned work.

So first we'll talk about why traditional approaches fail. My friendly little kitty memes. I mean, aren't they so cute? It should not be us versus them. That's really the bottom line here. Dictation comes in, that traditional, "Hey, the CEO, we just spent a whole ton of money on XYZ tool. We just bought this whole team. There's a whole myriad of reasons why it's so fabulous. And here, go make it work. Get it to connect." And I'm sure they know everything they ever needed to know about security. It's completely secure, because we were part of the process right in the beginning, like when they were doing their due diligence, because that totally always happens. Not really. And you know, different companies use different tools. Some of them don't necessarily talk to each other. How do we consolidate that? That's not really a thought process that happens from that top-down dictation. SMEs aren't really integrated into those conversations. So that's really important. And then, ultimately, totally ignoring the company culture. Like, who thinks that's going to work out? If people don't like to make decisions in your company culture, and now all of a sudden someone's been charged with making a bunch of decisions without other insight, it's not going to end well.

So what have I kind of come up with to solve for this problem? Something called the capability maturity model, or CMM for short. And what is CMM? It's basically what I see as a toolkit that you can put in your back pocket to help you when an unplanned, some people may say disaster, happens for that acquisition. First you get that NDA notice in your inbox, and now you have to implement: how do we get these two teams to work together? Who are these people? What are they trying to do? What even is the product that they own that somebody bought it for? Why did we buy it? So it's a combination of documents, and we'll go through what that looks like.

So, security integration maturity levels, or otherwise known as the five stages of grief, right? This is how you think of the learning cycles of, "Hey, I just got an NDA. What in the world am I going to do about it? I have no idea who this company is. I've never even heard of it before." Then you get to the next stage of grief, where you're like, "Okay, I guess I'll do a thing now. I've learned a little bit. I Googled the name of the company to see what it is that they make." And then you move on. You're kind of in that middle stage to get to, "Okay, maybe it's not a terrible product. I could kind of see what leadership was going for here." And then you start to actually build those connections with your new partners from the acquisition team. You're starting to think, "Okay, we could kind of work together. I could see your value. You've got something to contribute to this situation." And then the most epic ending point is that peaceful coexistence, like, oh, now they come to you for information. They being the acquisition team, they come to you, they come to the security team for help, like maybe before launch, maybe in the development of the product before they're going to launch a new thing. Like, have you built those relationships? So that's what we're trying to get to.

There's an assessment period that has to happen. Preferably you get more due diligence in the beginning, before they sign on the dotted line. That doesn't always happen, but you need to be thinking about tools. So you're going to go from an assessment of figuring out where the contracts for the tools are, like, when do these things renew? Do we have to keep it on board? Is there a compliance issue that's associated with this? To, "Hey, we have a cheaper contract, so how do we get them transitioned over to our contract versus the contract they were on?" And then you get that dollar savings that leadership is looking for. You have processes. Sometimes you have processes; sometimes it's just a person that knows a thing and it's not documented anywhere. So that's something that you have to uncover and figure out what processes you need. Maybe there's no one on your security team that has ever had access to a specific tool. They don't even know how it works. You've got to document what that looks like. What will that look like for your future? Move from that us-versus-them mentality for the people, like, we're on a team. The goal is the same at the end. How do we make your life easier? Evangelism of security along the way, building those relationships. And always there's politics involved, and it's a tricky thing. There's politics that you've never experienced before from the acquisition team, and then there's the politics of the land, you know, and relationship building can help you navigate some of those hurdles that you run into.

Another part of the toolkit of the capability maturity model is your assessment approach. So you really want to focus on the capabilities and coverage visibility in the beginning stages of your process. If you don't have visibility into anything, it's a black hole. You want to get out of that however you possibly can. When you're doing documentation, use neutral documentation. Again, it's not us versus them. It's "we" in this new unified front. How do we move forward together? And then create those joint teams where you have people from your new acquisition team as well as your subject matter experts on the security team. Create regular check-ins. You know, maybe you meet once a month to say, "Hey, what are you guys working on? What pain points do you have? What problems can we solve for you?"

And then this, I put it all in one slide for you, so you have the visual of, really, it's an 18-month process. It does not happen overnight. And I broke it into two pieces, where it's like the critical first 90 days of what happens out the gate, and then that longer horizon approach. So if we're looking at the critical first 90 days, your first 30 days is really about listening, understanding, mapping, like, what documentation do they already have? What do you need that's really urgent? I would argue in that very first week, actually, it's really important to have a presentation from your security team, with security leadership, to the acquisition team, whoever it is that's their points of contact that they've identified, and say, "Hey, we're security. We're not here to be a blocker. We're here to be your partner. We just want you to know how you reach out to us. We'll be reaching out with more information, and also kind of what to expect along the way." And you can share a really high-level timeline like this with them, because those acquisition teams, as much as we would like to think they only care about security, they're also getting hit from sales, from HR, from the IT department, from a myriad of different ways. And everyone, everyone wants it today. So save yourself the time. Give them that little bit of sense of relief. It helps to build that relationship too, and say, "Hey, this is what's going to happen."

So that first 30 days: get visibility, listen, understand those pain points. Your next 30 days: identify just one thing that's really super important and solve it together. Figure out what that could be for you. Oh, also something I want to mention in that first 30 days: get a phone number and a name of a contact person for your incident response team. If you have nothing else documented, make sure you have that, because you just don't know when the next bad actor is going to, all of a sudden, you're in the news, and something may be uncovered that you weren't expecting. So going back to our schedule. So we did the 30 days. Then when you do the last 30 for your 90, you know, 61 to 90, you're going to build a very high-level road map that maps out the remaining of the 18 months. You need to have identified for yourself, for your security team, what are your non-negotiables? What are the things that you have to have in order to say to your leadership, to your CISO, to your board, "Yes, we have this acquisition. This is our timeline for implementation"? What does done look like? Have that from a very high level.

So horizon one encompasses those first 90 days, and then the following, you know, your first six months, the next 90 days after, you are really just looking to stabilize the current situation, get your visibility in place, logs, like, where is stuff at, just getting access. Any light wins you can get, throw those in there. Like, get it done, get it over with. And your next horizon, for the next, you know, six- to 18-month period, that's when you're going to do the hard work and implement those non-negotiables for the security team. Have a real strong timeline. Get your assessment team together, leadership to sign off: "Yes, I have a commitment. These are the people that I'm sending to this room," you know, to this situation, to move forward. And then on the end, your 18-month period, you're really done. Those items that were in the backlog from that first 18-month period are going to be probably really difficult to solve, require a lot of money or specified staff that you probably won't have access to. That's like the nice-to-have side of the security integration. And maybe you have a longer tail. You have to negotiate more to get it on the road map. What's the appetite? What did you learn, you know, along the way, for the non-negotiables that you really need to tackle? And maybe you get one or two of those things after the 18-month period, but solidly, you should probably be able to move on and say, "We have complete coverage and integration from a security standpoint for this new acquisition 18 months in." And hopefully, you know, you've achieved that. It's not us versus them; like, we're all on the same team. It's very important.

Don't forget to measure your success along the way, that first, you know, one month. Make sure you have a status report. If you have a security newsletter, make a blurb and say, "Hey, we have this new team. Did you know we have a regular meetup?" This is also your opportunity to evangelize for your security organization to other partner teams that you also work with. "Oh, I didn't know they did that service. I didn't know that they were able to connect those things. I didn't even know we did that at this company." You know, different things like that. Take the opportunity to be able to move forward and evangelize for your team while you're doing other successes. Oh, one other thing about measuring success for your team: don't throw anybody under the bus. Like, make sure that when you're reporting, you're reporting on things that the team knows you're reporting on. Don't have any surprises. It shouldn't be a surprise for the core team that's working on the thing that your QSSR document said that you failed your deadline, or that you had an amazing launch and everything went fabulously. Either way, it shouldn't be a surprise.

Okay. Culture wars. By a raise of hands, who's heard, "But we've always done it this way"? Anyone? Yeah. How frustrating is that? Super frustrating. Especially when you become a change agent. You're like, "That's great, but that's not how it's going to go anymore." At the end of the day, people just want to be heard. If you have naysayers, go have a one-on-one with them. Schedule a coffee talk. Whatever it is that works in your specific organization, hear them out. Why are they averse to change? Why don't they want to do it some other way? Maybe they've tried other things in the past that didn't work. Learn from their failures to maybe turn them into successes, or maybe avoid failures for yourself, right? Like, "Oh, we've tried that before." Maybe there's a new technology now that didn't exist before, a new plugin, something along those lines that could really be successful for you for the future. So just, you know, be willing to hear them out, build that relationship, figure out how to turn them from naysayers to partners to go forward.

Yeah. I think it's also good, for, I'm an engineer, and it's good for those others who are engineers or are the person with experience, it's good to remind people: just because we've always done it this way doesn't mean it's the right way to do it. Because then when they hear that coming from you, it smooths out the environment and people are willing to talk and change a little more. I don't know. Just, sorry.

No, it's totally fine. So, just, you know, for those that may be listening at home, the statement is more along the lines of: don't forget that you can also say, just because we've always done it this way doesn't mean we should continue to do it this way. And you can also leverage allies, right? Like, if you have a mission to go forward and you know that this engineering manager or this principal or some other person that has a little bit of clout in your organization, like, "Hey, let's work together in this meeting. I need your support to turn the naysayers away," and be like, "Yeah, sure, we've done it this way all the time, but it's also been wrong the whole time. Like, how do we move forward together?" So thank you for calling that out. That's a great reminder.

So some things I've learned from the trenches, right? Opportunities exist to leverage the knowledge base on both sides. Just because your acquisition, maybe they didn't have a security team, maybe their team is 10 people and they had to wear a lot of hats. They know a lot intimately about that tool, and again, things that they learned from mistakes they've made in the past. Now they are working for a new company that has this huge budget, and "We didn't know we could do these integrations," or "There's this fun thing that their tool does that we wanted." You know, figure out what you can learn from both sides. Work together on that joint evaluation of tools that exist. They will tell you, "I had to have this specific tool because of this compliance report," you know, SOX audit, whatever it was, and "Do you guys have a better way?" When you start building those relationships and opening up the dialogue with both parties, that's when the true magic happens in delivering something successful for the future. And don't forget to note that stuff for your future self for the next acquisition. You're like, "Oh, this actually made this process a lot easier." Be super transparent about measuring that success, tracking the project status of the integration, and make recognition when you need to, team successes. Keep everyone along for the ride. Don't be just the hero that makes the announcement. Call people out that have gone above and beyond to help you. Those are the things that help.

What doesn't work? Silence. Don't go radio silent. If someone has their head under the desk, not talking, not responding to your Slack messages, emails, Zoom calls, whatever it is that you like to communicate with in your organization, figure out what's going on. Silence usually means they're pissed off about something and no one's listening, and so they're just going to ignore you. Well, use the tricks of the trade to help you figure that out. Get an ally, someone else to talk to them. "Hey, if you want to talk to me, maybe you'll talk to Suzie over here, because you guys are friends." Or maybe it's that you need to have a conversation with the manager, not to rat them out, but to say, "Hey, is there a better way to communicate with Sammy? Because I haven't had much success." You know, you have other people at the company that can help you navigate stuff like that. Don't dictate standardization. "Oh, I've been here before. This is exactly how we do it." Make sure you get that subject matter expertise to help you along your journey. And don't just rush to turn things off right away without understanding how the interconnectedness happens. Like, don't break this fancy tool that you just bought, that, you know, their busy season was tax season, and we all know that just passed. Don't try to turn a bunch of stuff off in, like, February, because you may have a problem and you don't want to be in the news for that.

So at the end, I'm leaving you with your M&A survival toolkit. This is like a handful, five things to remember. So: assess the capabilities, not the tool. What are you trying to provide coverage for at your new acquisition? Or this also works for, you know, existing integrations that maybe were just left to the side for a while. Create joint ownership of the integration. Work together. You're creating a new team, new relationships, new partnerships, so you can move together in the future. Move slowly on technical challenges, quickly on relationship building. Again, the core relationships. These people just figured out that the job that they love isn't going to be the same anymore. There's different oversight. There's different involvement. There's all new leadership. "I don't know who you are. Why are you asking me all these questions? Am I going to be out of my job?" Like, their brain is fried. Like, be there to support them and try to prevent burnout, because that can happen in that first, like, even 90 days of the situation, and so many questions and things coming at those new acquisition teams. You want to measure your collaboration and capability, not conformity. They don't have to be 100% on all your tools. They don't have to assimilate in order to be successful. I mean, sure, ideally, that's what we would like to have happen. Assimilate the things that you can, and the things that you cannot assimilate, for whatever reason, how it was built, there's some funky code somewhere, create a plan for how you address that and let your leadership know, "Hey, this is where our one blind side is," and figure out, is it important to change that now? At the end of the day, the goal is about better security, not winning political battles. You're in it for your customer, and ultimately a happy customer is, you know, a happy you. It helps. It's a little win in your pocket. We see a lot of ugly stuff in security. We have stuff that keeps us up at night, and we want to, you know, confront that whenever possible. And somehow I have time.

So, Q&A. Here's my contact information. I love to build my network, so please feel free to connect with me on LinkedIn. I would love to meet you. And thanks so much for coming to my talk. I appreciate any questions. [Applause] If not, everybody have a great afternoon. Oh, there's a question in the back. Yes.

Out of your experience with lemonade, maybe, what is one that really gave you an aha moment?

Yeah. So for me, my aha moment was we had a new acquisition that happened, and two weeks later we had a second one. And my whole M&A program was created just because we had existing subsidiaries that had been onboarded years before, and people didn't even know, like, who to talk to to ask questions about, "Hey, what's going on?" They were working completely independently, and so there was some temperature to change that. And so once I started digging in to where the existing bodies were buried, I created a process, and when I got hit with that one acquisition and then quickly another one after, I was like, "Oh, amazing, I have a process to deal with this." And as a team of one, because, you know, sometimes that happens in really lean organizations, I was able to at least have enough pinpoints and a road map and understanding that really set the new acquisition teams at ease. I still became, you know, the point person for security. "Hey, we have this problem. How do we deal with this?" And having those check-ins and just having that established process really does help. And I think the schedule is amazing. Having an understanding of that schedule, like, I've had so many acquisition teams come to me and say, "Thank you so much. I didn't know which house was on fire first or which one I should put out first." So it really helped to kind of alleviate some of those stressors in the beginning. Cool. Thank you for your question. Yes.

I'm curious if you could tell me or talk a little bit about, before a merger and acquisition happens, sometimes as a security researcher, like with two different ones, I've been asked to kind of review their code. Like, there's enough trust that they would let us look at things and see how secure they are before we actually make the purchase. Kind of like a home inspection or something like that, right? And what I've seen is, like, just within my little niche, right? What do you see about that side of things, and are there career opportunities, or...

Right. So what I would say is, get in contact with the right people within your organization that are the ones kind of making those deals. And if there is not already a due diligence process, get in on that. Get the questions that you need answered. You'll get the answers before they sign on the dotted line, and then you'll have the opportunity to flex. Some teams or some organizations will have a pentesting budget. You'll probably have to use, like, a third-party pentester or something to target specific things you might have concerns about, and navigate through those people that manage those acquisitions, like, "Hey, I want security to be more involved in the beginning." Build those relationships and partnerships so that you're more involved in the front of the process, and maybe you might find something like, "This is actually a really bad idea, and here's why," because you've asked the questions and were given, you know, a little bit of leeway there. The runway isn't big, but, you know, you can do your best. It's really building those relationships with the acquisition teams to get you there, for sure. Any other questions? No. All right. Thank you. I'll be out in the hallway if anybody wanted to ask me some questions. Thanks everybody. Enjoy the con.