My last blog post highlighted the Matilda Cloud Solutions assessment module called Discovery. Discovery provides agentless discovery and multi-dimensional visualization across data center and multi-vendor cloud environments in real time to profile your complete environment across network, components, services, API, databases, applications and clusters. It provides a tremendous amount of information about the client’s current IT environment and workloads for security, regulatory and financial compliance. The Discovery module looks at every workload, application and service in the IT environment and creates a complete inventory which includes hardware inventories (if attached to the network), software inventories and release levels, licensing information and patch levels of all applications. It provides information about clusters, storage allocations and traffic throughout the entire environment. It helps identify security vulnerabilities, application performance bottlenecks, asset outages and much more. This ability to discover the entire application environment and display the compute and network topology, including relationships, usage statistics and service details, is certainly critical to any company, whether it is contemplating a cloud migration or just getting a handle on its current IT assets. That capability can be useful in a variety of circumstances. I’d like to discuss a couple of those with you.
Over my career I have been responsible for corporate development in several companies. In addition, my operating roles have always included a focus on mergers and acquisitions. I therefore have a keen understanding of the M&A process and see tremendous value in having a tool like Matilda’s Discovery module during due diligence and post-merger integration.
As discussed in the last blog, the increasing importance of the CIO’s role in any organization is without question. CIOs are also critical members of any M&A deal team. It is their job to perform or contribute to the performance of the due diligence activities in the IT environment of an acquisition target. They should also be highly involved in the planning and execution of all post-merger integration activity within the IT areas.
Technology, its use and management, within most companies can be a competitive differentiator and, in some companies, it may be the most critical element of the company’s ability to do what it does and grow. Therefore, the level of analysis applied against the IT environment could be as critical as the company’s contracts and relationships with its customers.
As companies consider an acquisition, the CIO should be involved to help identify the answers to the following questions: How critical is technology, delivered by the IT department, to the target company’s ability to deliver goods and services? Is the company’s IT environment a strategic asset which is efficiently managed (and invested in) or could it be a significant problem waiting to show itself in the future? Are IT systems adequately secured against intrusion or known vulnerabilities? Is there a disaster recovery plan? Are backup/recovery procedures implemented and tested? I will expand on these issues later in this paper. These are items which should be part of the initial due diligence efforts.
In the past, technical due diligence was treated as part of the general activities performed by the accounting team. This is no longer a good practice if the professionals involved do not have in-depth knowledge of IT or routine experience conducting IT-specific due diligence. Again, the CIO should be heavily involved in post-merger integration planning as well. This plan, which focuses on all activities once the acquisition is closed, is critical to achieving the positive synergies that an acquiring company expects to gain through the acquisition of the target company. Questions here include: Will the target company run as a totally autonomous entity, or will it be merged into the current company? In either scenario, understanding the status and inventory of all IT assets is critically important.
Today’s IT environments are complex. The number of network-attached devices/hardware can be mind-boggling in a large organization with multiple locations, multiple data centers, and the utilization of one or many cloud platforms. The CIO must be able to ascertain whether the target company’s IT department has applied the appropriate diligence to its environment to ensure that all software and firmware is fully compliant with both licensing and required upgrades and patches. In my research I came across a few facts which are, or should be, a wake-up message for any company contemplating or executing an acquisition without deep thought around how complete their IT due diligence plan is.
Did you know that Equifax was hacked because it didn’t install a patch for its Apache web server that had been available two months previously? (https://www.zdnet.com/article/equifax-confirms-apache-struts-flaw-it-failed-to-patch-was-to-blame-for-data-breach/). Here are some additional interesting and scary statistics:
- 80% of companies who had a data breach or a failed audit could have prevented it by patching on time or doing configuration updates – Voke Media survey, 2016.
- 20% of all vulnerabilities caused by unpatched software are classified as High Risk or Critical – Edgescan Stats Report, 2018.
- 18% of all network-level vulnerabilities are caused by unpatched applications – Apache, Cisco, Microsoft, WordPress, BSD, PHP, etc. – Edgescan Stats Report, 2018.
- Microsoft reports that most of its customers are breached via vulnerabilities that had patches released years ago – Microsoft’s Security Intelligence Report, 2015.
- Durham, N.C.-based Burt’s Bees paid a $110,000 fine to Washington-based BSA, a software industry watchdog group, after a software audit found unlicensed copies of applications from Adobe Systems, Apple Computer, and Microsoft on company computers. https://www.pcworld.com/article/124377/article.html.
- BSA announced that Emeryville, Calif.-based Wham-O paid a $70,894 fine to settle claims that company employees had used unlicensed copies of Adobe and Microsoft software on office computers.
Any C-level executive or member of the Board of Directors of a company considering acquisitions should make sure their diligence includes a detailed evaluation of the status of the IT department assets before close. Otherwise, the gains expected from the acquisition could turn into headaches and fines and severely impact organization/shareholder value. The impact of these discoveries when evaluating the IT department can be used as negotiating leverage in the final price. All too often these issues are not surfaced until much farther down the road, when something bad happens.
To avoid these issues, part of any due diligence process on a medium to large size company should include a detailed assessment of the IT and network environment as provided by the Matilda Discovery tool.
Having that information documented and available to the people who will develop the post-merger integration plan for the IT assets is critical. Putting two large IT environments together is a significant challenge even if you have all the information. Absent some of the critical information, the process will take more time and cost more money than it needs to. No one wants to pay a high price later in unexpected conversion costs, out-of-date licenses, and expensive hardware upgrades driven by capacity and environmental improvements.
Another area where having this information is critical to success is in Disaster Recovery and Business Continuity Planning and execution. I plan to cover that topic in a future post.
I took my hypothesis on the ability of Matilda’s Discovery module to provide the critical analysis and reporting necessary to evaluate the IT environment for both due diligence and post-merger integration. Matilda’s executive management team indicated to me that several clients were already making use of the Discovery tool for support during their acquisitions. These clients were excited about the Discovery tool’s ability to provide insight into the target companies’ IT environment from an overall asset inventory as well as risk mitigation.
I hope my views on the critical need to incorporate sophisticated analysis tools into the IT due diligence and post-merger integration processes can be of benefit to you. This is one of the areas which can all too often be minimized in importance during the fever that overtakes an organization during the overall acquisition process. The growing importance of IT as a critical component of the success of any organization, coupled with the challenges most organizations face in managing their own environments through software and hardware upgrades and patches, drives home the term ‘let the buyer beware’. I think it’s time, at least in IT due diligence, that we change that saying to let the buyer ‘Be Aware’!
©2020 Ralph Burns