By Asma Zubair, Product Manager at Synopsys Software Integrity Group
You spend a large sum on your application security testing tool. You roll out an application security testing program across your organisation. Then one fine day, you learn that the vendor or the tool you’ve been using has been acquired. Now what?
Mergers and acquisitions bring a lot of uncertainty for customers. Personnel may change; terms of service may change. That shiny new feature that your vendor promised to implement in the next release may be in jeopardy. Not only that, but the product itself may be end-of-lifed!
If you’re running an application security program for a government agency, things may get even more complicated after a cyber security acquisition. What if your tool gets acquired by a company offshore? After all, we’re talking about potentially giving a foreign-located vendor access to vulnerabilities in your applications. Do you trust the vendor and their personnel to perform security testing on applications that handle sensitive or classified information?
What to do after a cyber security acquisition
If you find yourself in a sticky situation related to a cyber security merger or acquisition, follow these simple steps:
• Review your contract. Have your legal team look at the contract to understand your options, including the ability to revisit the contract in an M&A situation.
• Understand the drivers. Do some research to understand the drivers behind the acquisition. Sometimes companies acquire tools to shut them down and gain market share (e.g., Slack’s acquisition of HipChat). In such cases, you need to prepare for change.
• Know your standards and regulations. Some sectors, like government, have strict regulations for working with companies in particular countries. For example, Indian company HCL’s acquisition of AppScan may raise concerns for U.S. intelligence communities who share information only with select countries and may take issue with sensitive data being housed by companies outside that group.
• Assess the impact. Every merger or acquisition brings some changes. Assess the impact on your business. Were you waiting on any major product updates? Could product consolidations affect your existing integrations? Are you no longer able to fulfill certain regulatory or compliance needs owing to the merger or acquisition of your vendor?
• Evaluate your options and make a decision. If you anticipate significant changes as a result of the merger or acquisition, this is your opportunity to move on to something better.
An acquisition can be an opportunity
If your AppSec tool or vendor has been acquired, you’re faced with an important decision. You may have to find a new vendor so you can obey regulations or meet your customers’ requirements. Or you may want to find a new tool to meet your own needs. Either way, a cyber security acquisition can be a golden opportunity for you to find better options.