This is a very small post, but I didn't want to put the thought out with the limitations of twitter. I was thinking about challenges around M&A and security and I realized that most of what is usually covered in the discussions about it is related to new assets that could be targeted by attacks and related vulnerabilities. That's quite easy to understand. You buy a company and their servers, with existent vulnerabilities and everything, are now yours to protect.

But as we know, Risk is not only composed of assets and vulnerabilities, right? What about THREATS?

That's something interesting to think about; when you acquire a company, you are not only getting their assets and vulnerabilities, you are also inheriting some of its threat profile.

A lot of information security nowadays is threat oriented. Monitoring threat intelligence feeds, information sharing about active threats, campaigns and TTPs. So, it's natural to consider that the threats that were targeting that company before acquired will continue to exist after the acquisition. For security (should I say 'cybersecurity'?) programs that are threat oriented, it's very important to quickly learn about those threats and ensure that any internal threat intelligence generated by the acquired company is properly absorbed by the acquiring organization.

Remember: you are not only acquiring assets and vulnerabilities, threats are also part of the deal ;-)