The Workforce Perils of Cyber M&A
Workforce considerations CISOs and security leaders should weigh when going through mergers and acquisitions, reviewed through the lens of Cisco's purchase of Splunk.
A few weeks ago, Cisco announced its intent to acquire Splunk, a cybersecurity company whose platform monitors applications, servers, and networks. The $28 billion deal marks the largest technology transaction of 2023 and reinforces Cisco’s strategy of reducing its reliance on its hardware business and increasing its focus on AI-driven security as a service.
Cybersecurity is a priority target of due diligence in any M&A (just ask any of the Big 4). Acquirers must understand the potential risk of data breaches and other cyber threats to their critical business assets and functions. And that is just for companies doing M&A that view cybersecurity as a cost center. It takes on a whole new meaning when both companies are in the business of cybersecurity as a revenue source.
Beyond all the transaction details, like the $157 per share price and anticipated post-acquisition cash flow, one thing that struck me in the press announcement was the call out to the value of talent and teams in relation to the deal.
So what does this have to do with the cyber workforce?
The whole thing got me thinking about the implications of M&A for the overall security landscape, especially the risks when integrating teams to achieve those strategic objectives. Sure, there’s the technology stack each cybersecurity team uses, including firewalls, intrusion detection systems, antivirus software, and encryption tools. But what about the people strategy that the tech stack relies on to monitor the network and ultimately buy down risk to the organization?
How are we supposed to systematically and successfully execute a critical effort like that in an industry that already struggles to take a team-based approach to cybersecurity? (For some perspective, read Rick Howard’s inspired essay on how the concept of Moneyball applies cybersecurity first principles to the workforce gap.) We still don’t know how to post accurate job descriptions, let alone understand the core competencies needed to succeed in ever-evolving security roles.
Having gone through a merger of companies recently myself, I know firsthand how powerful it is to bring together two great cultures, sets of skills, and experiences. And how challenging it can be, too. Combining forces has exponential potential in the long run.
Still, failure to successfully integrate teams and cultures can be a death knell that undermines the strategic business drivers that made the deal worth pursuing in the first place. One critical aspect of this process is understanding team roles, functions, and skill sets within the two organizations. That challenge is even more critical when evaluating and optimizing cybersecurity teams.
With that in mind, here are some practical steps Cisco should consider as it brings its newly acquired cybersecurity teams together:
Know What You Need
Chances are each cybersecurity team, Cisco’s and Splunk’s, has its own legacy definitions of job roles, levels, and corresponding job descriptions (JDs). In most stand-alone companies, JDs are still plagued by inconsistencies and either overstate or understate the skills that are essential for the job.
The newly merged teams here have an opportunity to quickly and clearly define the functions, responsibilities, skills, and leveling required of each job role in the integrated cybersecurity team. Clarity in team structure and roles reduces confusion and enhances efficiency. An objective depiction of your cybersecurity workforce needs can help normalize and standardize job roles, allowing you to match the right people to the right roles.
Know What You Have
On a map, you can’t find a way to your destination if you don’t know your current location. You need a Point A before you can even start toward Point B, and you can’t figure out how to bring two teams together if you don’t know what you have or what you’re working with. One of the first considerations when assessing cybersecurity teams in M&A is the expertise and skill sets of their members, including the qualifications and certifications of the cybersecurity professionals on both sides.
But if you really want to understand the skill sets of each team member, think of ways you can collect and evaluate player data in a way that allows you to produce measurable insights like baseball teams using sabermetrics do. We may not have the level of statistics professional sports have, but using assessments and other performance measures relative to the job profiles and competency expectations can serve as a starting proxy.
Mind Your Gap [Analysis]
Conducting a gap analysis means comparing where you are now (your current Point A) with where you want to be (your destination Point B). It helps you identify the differences or "gaps" between the two so you can figure out how to bridge them and reach your goal. Simply put, it's like making a checklist of what's missing or needs improvement to achieve your target.
Measuring human output is trickier business, but if you have data on skill strengths, weaknesses, and overall competencies of the players on your cyber team, you can measure performance against job expectations to gain data-informed insights on the collective state of the new organization. The most exciting part is that now we can start making decisions that allow us to channel our inner Billy Beanes!
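The three steps above (agree on what each role needs, assess what each person has, then compute the gap) can be turned into a small, repeatable computation once both legacy teams are mapped onto one competency model. The script below is an added example written for this page, not code from the article or from Cisco or Splunk. The role titles, competency names, target levels and assessment scores are all constructed for illustration; the target profiles are hypothetical and not taken from any published framework. Because the two companies use different titles for comparable jobs, the mapping step is explicit, and an unmapped legacy title is treated as an error rather than silently dropped, since a person who falls out of the analysis is exactly the kind of gap the merged team cannot afford to miss.

```python
"""Competency gap analysis across two merged security teams.

Added example for illustration only. Roles, competencies, target levels and
assessment scores below are constructed, not real Cisco or Splunk data.
"""
from collections import defaultdict

# "Know What You Need": one normalized role model for the merged team.
# Target proficiency level (0-4) per competency for each normalized role.
# Competency names and levels are hypothetical.
TARGET_PROFILES = {
    "Detection Engineer": {
        "log_analysis": 3, "query_language": 3, "detection_logic": 3, "cloud_platforms": 2,
    },
    "Incident Responder": {
        "forensics": 3, "incident_response": 4, "log_analysis": 2, "cloud_platforms": 2,
    },
}

# Each legacy company used its own titles; map (company, legacy title) onto the
# normalized role. Titles here are invented for the example.
ROLE_MAP = {
    ("cisco", "SOC Analyst II"): "Detection Engineer",
    ("cisco", "IR Lead"): "Incident Responder",
    ("splunk", "Security Engineer"): "Detection Engineer",
    ("splunk", "CSIRT Analyst"): "Incident Responder",
}

# "Know What You Have": constructed assessment results on the shared 0-4 scale.
# A competency missing from "scores" means the person was not assessed on it,
# which the gap logic treats as level 0 (a gap, not an unknown).
ASSESSMENTS = [
    {"name": "Ana", "company": "cisco", "title": "SOC Analyst II",
     "scores": {"log_analysis": 3, "query_language": 2, "detection_logic": 3, "cloud_platforms": 1}},
    {"name": "Ben", "company": "splunk", "title": "Security Engineer",
     "scores": {"log_analysis": 4, "query_language": 4, "detection_logic": 2}},
    {"name": "Cal", "company": "cisco", "title": "IR Lead",
     "scores": {"forensics": 3, "incident_response": 4, "log_analysis": 3, "cloud_platforms": 1}},
    {"name": "Dee", "company": "splunk", "title": "CSIRT Analyst",
     "scores": {"forensics": 2, "incident_response": 3, "log_analysis": 2, "cloud_platforms": 1}},
]


def normalized_role(person):
    """Map a legacy (company, title) pair onto the merged team's role model.

    Raises ValueError for titles nobody mapped, so people are never silently
    excluded from the analysis.
    """
    key = (person["company"], person["title"])
    if key not in ROLE_MAP:
        raise ValueError(f"unmapped legacy title for {person['name']}: {key}")
    return ROLE_MAP[key]


def person_gap(person, targets):
    """Return {competency: shortfall} for every target the person is below."""
    scores = person["scores"]
    return {c: lvl - scores.get(c, 0)
            for c, lvl in targets.items() if scores.get(c, 0) < lvl}


def team_coverage(people, targets):
    """Return {competency: number of people at or above the target level}.

    A count of 0 is a team-level gap (hire or train); a count above the number
    of seats you intend to keep is a candidate redundancy.
    """
    return {c: sum(1 for p in people if p["scores"].get(c, 0) >= lvl)
            for c, lvl in targets.items()}


def gap_report(assessments):
    """Mind the gap: per-person shortfalls and team coverage for each role."""
    by_role = defaultdict(list)
    for person in assessments:
        by_role[normalized_role(person)].append(person)

    report = {}
    for role, people in by_role.items():
        targets = TARGET_PROFILES[role]
        coverage = team_coverage(people, targets)
        report[role] = {
            "people": {p["name"]: person_gap(p, targets) for p in people},
            "coverage": coverage,
            "uncovered": sorted(c for c, n in coverage.items() if n == 0),
        }
    return report


if __name__ == "__main__":
    for role, data in gap_report(ASSESSMENTS).items():
        print(f"== {role} ==")
        for name, gaps in data["people"].items():
            print(f"  {name}: gaps {gaps or 'none'}")
        print(f"  coverage: {data['coverage']}")
        print(f"  nobody meets target: {data['uncovered'] or 'none'}")
```

With the constructed data, both normalized roles come out with nobody at the target level for cloud platforms, which is the kind of finding that should drive the hiring and training decisions in the next section rather than a headcount-only comparison of the two legacy org charts. The same structure extends to more roles and a finer competency list; the only part that needs human judgment is the role map and the target profiles.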
Buy Down Your Risk [Strategy]
The beauty of a systematic, data-driven approach to the people who make up the integrated team is that it gives a cybersecurity executive a wealth of information for making informed decisions. Especially when bringing together two units with different histories and sets of experiences, the ultimate goal is to act as a workforce architect and enhance the team’s collective ability to reduce the probability of material impact to the organization from a cyber attack. Here are some people decisions a cyber leader of a newly merged company can make:
- Workforce composition. Eliminate any redundancies or overlap in role coverage, ensure you have the right people in the right roles, and identify and mitigate any gaps in the team’s abilities.
- Recruitment and hiring. Determine the right mix and budget for how you spend money across attracting and hiring experienced hard-to-find talent, bringing on entry-level talent and investing in their development, or identifying alternative talent pools that maximize your operating budget in the long term.
- Employee development. Use data to inform training and development spending that addresses your organization's specific needs. Given the vast array of learning and development offerings (at an equally vast array of price points), tailor training paths and plans to organizational needs and prioritize programs by availability, cost, and quality, rather than looking to one vendor to do it all or taking on a huge lift to build something in house.
- Talent retention. Create career pathways for existing cybersecurity staff to upskill within a given role or to cross-skill for lateral movement from one position to another. Use data-informed technical, operational, professional, and leadership skills development recommendations to provide career advancement opportunities for your team members.
- Compensation and benefits. Design competitive compensation packages that are consistent for both teams, align with industry standards, and motivate employees.
Cisco and Splunk have a lot to figure out strategically before they dig into the people who make up their cybersecurity teams, but I hope they don’t wait too long to start. Imagine two professional baseball teams merging into one: you’d suddenly have twice the players for a fixed number of positions, and two different sets of performance data to decide who makes the cut for each role. This is even harder in cybersecurity; we don’t really know how to compare the skills of Cisco’s “first baseman” to Splunk’s “first baseman,” because the positions aren’t exactly the same.
A successful cybersecurity program should reflect the unique business strategy of the organization. Having worked with companies that have grappled with the combination of teams, roles, and skills as a result of a merger, I know firsthand that time is of the essence. The most effective cybersecurity leaders, especially those dealing with the complexities of an M&A environment, must have a future-focused talent strategy to meet the evolving skill needs of the combined enterprise.