Mergers and acquisitions are more than business transactions. They’re trust transfers, cultural collisions, and risk amplifiers. When security leaders step into an M&A scenario, they’re not just checking compliance boxes. They’re managing the friction between speed and due diligence, risk and ROI, cultures and codebases.
We invited five seasoned security leaders to share what they’ve learned on the frontlines of M&A:
Geoff Belknap, (u/GeoffBelknap), co-host, Defense in Depth
Their experiences span due diligence disasters, cultural mismatches, tech debt surprises, and the persistent challenge of making security a respected voice at the deal table.
Here are the key takeaways, straight from the AMA.
Post-acquisition chaos is the norm — not the exception
“This is a few years back, mid-2000s. I was at a company that was doing an acquisition… What ended up happening is a security person that was also doing IT work ended up getting missed; basically security (my group) thought they were going to IT and vice versa… Not surprisingly, that person ended up finding another job not long after the acquisition was completed. It was a mess.”
Acquisitions can be so focused on legal closure and executive alignment that teams on the ground are left guessing who owns what. Security, often split between IT and engineering, is especially prone to these dropped balls. When cost models don’t include security headcount, teams get overlooked — and eventually, they leave.
Security gets locked out until it’s too late
“Even with the best due diligence efforts, I’m always surprised in every transaction (even though I shouldn’t be) by how much obsolescence exists on IT/OT networks and the lack of basic security protocols… The repercussions are almost always the same: immediate integration costs, extended TSAs, and a dent in transaction value just to establish baseline security.”
Due diligence often looks clean on paper, right up until the real infrastructure is revealed: no MFA, unsupported operating systems, inherited admin credentials, all in an organization that describes itself as “NIST compliant.” This tech debt not only delays integration but drags down valuation. It’s a reminder that “compliance-ready” doesn’t mean secure.
You can’t integrate what you can’t influence
“If the acquisition and the acquiring company have incompatible cultures, it’s not going to go great… You can upgrade systems, install new gear, improve posture, even hand over identity, but if the parties involved don’t think the work is valuable, it’s not going to go well.”
— Geoff Belknap, (u/GeoffBelknap), co-host, Defense in Depth
Even if the systems are fixable, the people might not be. A recurring theme was culture clash — where accountability, posture expectations, and priorities don’t align. Security leaders often find themselves without leverage unless they’re brought in early and empowered post-close.
The unknown unknowns are the real risk
“To quote our famous Secretary of Defense, it’s the unknown unknowns… there are so many issues that will emerge after the tech is going to be acquired and re-platformed. Then you don’t have the context, or the staff, or the trust… It will take time and energy to understand how things work and who owns what.”
Security due diligence reveals what you ask for — but the biggest risks are usually the ones you didn’t know to ask about. Once the deal closes, leadership moves on and the integration slog begins. Those “unknown unknowns” turn into budget requests, escalations, and surprises no one scoped for.
Being heard takes more than technical skill
“Sure, you can ‘tell the risk story’ or ‘quantify the risk’ – but in practice the acquirer (big dog) typically pushes down their practices to the target (little dog)… If you can tell the story about how it will benefit the big dog, you might have a chance. But I’ve been through too many M&As to hold my breath. And I’ve been the big dog in all of them. :(”
Telling the story of risk isn’t enough. If you’re the smaller org, your influence is minimal unless your insights directly support the acquirer’s goals. Several CISOs pointed out that political capital and relationship building are more effective than even the most accurate risk models.
The M&A playbook is missing a security chapter
“Is this new acquisition going to operate independently? Cool – who’s holding them accountable to the acquirer’s expectations? Who’s making sure regulatory and technology policy changes consider the acquisition’s unique needs?”
— Geoff Belknap, (u/GeoffBelknap), co-host, Defense in Depth
M&A roadmaps are often sales-led, legal-heavy, and security-light. Questions like “Who owns risk transfer?” or “What does secure integration mean for this specific deal?” are rarely answered. One big takeaway from our AMA: Security needs its own M&A playbook.
Final thought: M&A is a security stress test
As these seasoned leaders made clear, M&A isn’t just a business milestone — it’s a stress test for your culture, controls, and communication. Whether you’re integrating an MSSP into a product line or being acquired by a global giant, the ability to operate amid ambiguity, advocate for your team, and clarify unknown risk is what separates security leaders from compliance officers.
If you don’t know what you’re buying, you’ll never know what you’ve inherited.
Join us for our next Reddit AMA starting Sunday, November 16, “I’m a CISO who has experience dealing with an insider threat. Ask Me Anything.”