Originally published on LinkedIn · November 2024.
Definitions
- Security: Prevention, detection, and response to a crime or violation
- Safety: Prevention, detection, and response to an accident
- Converged Security: Operational integration of all security disciplines across the organization — physical, cyber, fraud, personnel, and more — working together rather than in silos
Field Story: Ideation Phase
During due diligence on a target, we discovered a company marketing itself as a “secure printing” provider that was operating out of a self-storage unit with no recognizable compliance with industry standards. The early security assessment enabled quick elimination of that target from consideration — sparing the acquiring organization significant risk and saving it significant capital. This is what security engagement at the Ideation phase looks like when it works.
On Certifications and Due Diligence
Certifications — ISO, SOC 2, NIST compliance attestations — are a moment in time. They represent what was true on the assessment date, within the scope of that assessment. They will not reveal insider threats. They will not reveal a breach that occurred and was not reported. They will not reveal the security debt accumulated since the last audit.
Comprehensive security assessments remain essential. Certifications inform them; they do not replace them.
Close Day + 1 Minute
This is a concept I use in every M&A security engagement. The moment a transaction closes, all existing security risks and vulnerabilities of the acquired entity transfer to the buyer. Every unresolved finding. Every unpatched system. Every unaddressed access control gap. Every unknown insider threat. It transfers at Close Day + 1 minute.
The buyer who understands this prepares accordingly. The buyer who does not is surprised by it — and the surprises in M&A security are almost always expensive.
The Integration Tension
Business integration teams prioritize connectivity, access, and speed — get people working together, get systems talking, get the synergies realized. Security teams prioritize breach prevention across all converged domains — physical, cyber, personnel, fraud. Both are right. Both must be in the same room.
When security is a separate track that “reviews” integration decisions after they are made, you have already lost the integration security battle. Security must be embedded in every workstream from Day 1 of planning.
How Ask McConnell Helps
- M&A security program management and augmentation
- Due diligence support — across all converged security domains
- Integration cost development — so security is priced into the deal, not discovered after close
- Pre-close tabletop exercises — test your Day 1 readiness before Day 1
- Ongoing security metrics reporting through full integration
