The due diligence portion of an M&A is lengthy and complex, yet security teams are often given just a few weeks to perform a full risk analysis before final terms are agreed. That’s very little time to source, activate, and review results from any worthwhile security assessment.
With tight timelines, and a lot on the line, security teams should consider four things when evaluating potential solutions:
Time to Launch AND Time to Value
Time to launch has often superseded cost and results when it comes to finding a security testing provider. Scanners that check open source components for flaws have become particularly popular for quick assessments, though are also notoriously noisy. If organizations choose this route they should have a plan to quickly activate necessary resources to comb through results and deliver final recommendations.
Pen test firms that can put people on a plane tomorrow are another (complementary) option. But organizations should be aware that many traditional pen test firms assign available resources based on utilization rates rather than performance metrics. This can result in a skills mismatch between testers and target, and unfortunately you won’t know until the final report is delivered, 2-3 weeks later.
When attempting to balance speed, value, and cost, organizations should consider testing solutions that provide:
- Immediate access to the right resources matched by skill and experience, not just availability
- Streaming results from Day 1 to forecast outcomes prior to final report rendering
- A fully-managed approach to ensure critical insights are validated, distilled, and prioritized for immediate action
When assessing the security of an acquisition target, overall posture is usually more important than individual issues, which can often be remediated post-sale. Of course, there is a limit to this rule. When the volume or severity of vulnerabilities is much greater than the acquiring organization’s existing resources can reasonably absorb, there may be an opportunity to re-negotiate price to account for the cost to resolve them.
While vulnerabilities in known assets can cause a bit of a headache, vulnerabilities in unknown assets can be far more problematic. The formal announcement of an acquisition is like a gunshot at the starting line for a global network of attackers competing to identify forgotten assets to exploit.
To protect both organizations in the deal, the acquiring company should look for solutions that can:
- Deliver high-value results quickly
- Prioritize outcomes to ensure high-impact issues aren’t missed
- Provide executive recommendations based on benchmark data for your industry
Executive and Audit-Ready Reporting
The duration and depth of testing is moot unless the results can be easily digested by executive leadership and external stakeholders alike. Pen tests that follow a standardized and well-documented methodology provide a low-friction way to assess an acquisition target in a form that both organizations, as well as prospective auditors, partners, and customers, are already familiar with.
When specifying the final reporting structure, organizations should request:
- Inclusion of full testing methodology; preferably one that has been assessed by a QSAC to align with your target compliance requirements
- Aggregated analysis which considers output from both automated and manual assessment techniques
- Prioritized results and a “red” / “yellow” / “green” assessment rating to streamline final recommendations
Continuity and Relationship Preservation
Every M&A event should proceed as any partnership would: a period of getting to know one another, learning how to work together, and defining the areas in which each side will maintain autonomy. Aggressive or overly disruptive security assessments can sour post-sale relations and hamper growth for both businesses. This is another reason why a standardized testing method can be useful, but also why the testing solution has to make sense for both parties independently.
If the acquired security team is encouraged to make their own decisions post-integration, an M&A assessment provider that offers multiple different testing solutions can accelerate transition timelines and reduce procurement headaches.
If preserving the relationship between the acquirer and acquiree is a primary concern, organizations should ensure prospective solutions can:
- Provide standardized testing options that reduce launch friction with the acquisition target
- Deliver a plan for providing gapless coverage through and beyond integration activities
- Provide size and industry-specific testing options that enable the acquired company to continue to leverage the vendor post-sale
Bugcrowd M&A Assessment
Bugcrowd M&A Assessment was designed to fill the gap in M&A security assessments, helping organizations make quick, yet informed decisions about potential acquisitions and partnerships. Our advanced pen testing service is combined with the continuous coverage of our software-based Asset Inventory solution to provide depth and breadth without delay. Programs launch in as little as 72 hours, with Day-1 access to streaming results via the Bugcrowd platform, and final results and expert recommendations delivered within 3 weeks. Learn more about M&A Assessment on our website, or contact us today!