Merger and acquisition (M&A) advisors, and the clients they serve, pore over a seemingly endless amount of material to determine the suitability of a transaction. Ironically, one of the most important assets, data, gets little or no attention in the process. Developing a comprehensive understanding of a target’s data and information assets results in a transaction with substantially lower risk, especially cyber risk, and creates vast opportunities for value creation.
Here are seven questions you should address in your next transaction to determine the extent to which the target operates in a data centric manner.
1. Can you show me your data map?
You would think this a fairly simple request, but few organizations can produce a good one. It’s no wonder that the state of cybersecurity is so low. If you cannot locate your data and information assets, how can you possibly protect them or, for that matter, create the most value from them? Even the National Association of Corporate Directors’ Cyber Risk Handbook warns directors to make sure management has a data map. Creating and sustaining a data map is not a small undertaking for the disorganized organization, but it can and should be done.
2. What portion of your data is sensitive?
If the organization has not adequately mapped its data, it cannot accurately measure the portion deemed to be sensitive. An assessment of what is sensitive data is an essential exercise. Did Sony consider all the snarky emails about their celebrity clients to be “sensitive” or “crown jewels” and therefore worthy of special protection? Data and information assets are balkanized across an organization, and can be on paper, in data centers, on laptops and other mobile/portable devices, in the cloud, and elsewhere. There are compelling technologies and processes available today to classify these assets.
3. How many cloud-based services are your people using, and how risky are they?
Lots of companies work hard to protect their computer networks. They build hard domes, fortified by firewalls and other forms of protection, to keep bad things out. Yet, almost a third of the data today flows continuously through that dome to the cloud, and the shift from the use of traditional, on-premises, licensed software to software-as-a-service applications (SaaS apps) like Salesforce.com is accelerating. Companies’ visibility over the use of cloud-based services by employees and contractors today is very low, and that is a source of staggering security risk. There are over 16,000 SaaS apps floating around out there, and fewer than 10% of them are enterprise-ready. Millennials are especially inclined to pull down an app without first seeking permission from IT. Many SaaS apps are downright scary from a security standpoint. Fortunately, there are ways to discover, analyze and control the use of cloud-based services, but few companies so far have taken advantage of the enabling technology.
4. What is your level of cyber hygiene, and that of your vendors with network access?
The data breach experienced by the retailer Target Corporation highlights the notion that an organization’s security is only as strong as its weakest vendor’s ability to secure their data. Every organization should know what they look like from a hacker’s perspective so they can immediately address their shortcomings. There are services available today that create a level of understanding that goes far beyond the traditional vendor risk management methodologies such as questionnaires and penetration tests. We are entering the Age of Cyber Transparency where organizations carry cyber risk ratings like Moody’s and S&P assign credit risk ratings. How will your acquisition target compete in a world where poor cyber hygiene can cost them business?
5. What Data Analytics tools do you use, and who is using them?
The target’s level of sophistication is a function of the tools their people use to turn data into insights that generate revenue and shareholder value. We are now in the golden age of data analytics, though most organizations still struggle to get their systems to close the books quickly and generate rudimentary business intelligence for the next investor conference call. Is the CFO’s Financial Planning and Analysis team just forecasting the next quarter or are they shoulder-to-shoulder with business unit leadership, helping them mine vast amounts of structured and unstructured data at their finger tips? Maybe the business units are simply taking matters into their own hands and using data analytics tools on their own. Inventory the tools in use and you will get an indication of the extent to which the culture is data-driven and the value that you can create once you own the place.
6. How much of the target’s data is simply ROT?
Studies indicate that more than two-third’s of an organization’s data is redundant, obsolete or trivial (ROT). This ROT data can be in the form of old operational log files, data stored by departed employees, outdated drafts, copies of once important document that are no longer needed, etc. When was the last time you obeyed your organization’s records retention policy, assuming it even has one? Yet, there is a compelling case to reduce ROT data. Storage comes in many forms, from tapes to flash memory, and, contrary to popular belief, it’s not cheap. Organizations that are good at content management are much better able to find and protect data that isn’t ROT. You can get into related issues like data quality while you’re at it. You should know where your target is on its journey toward information governance maturity.
7. What data would be valuable to a third party, and what could you sell it for?
You want to buy a company for lots of reasons, and you may never want to sell any of the target’s data to someone else. However, the analysis involved in answering this question will yield remarkable insights that you probably had not considered. The target’s data is often overlooked as a motivation for an acquisition, but it can generate tremendous value in the right hands, with the right tools and skills.
Of course, this list isn’t meant to be exhaustive, but it should greatly improve your due diligence exercise. There is a tendency in M&A deals to treat data as just an IT issue that can get dealt with after the transaction closes, during the integration process. However, data is an asset of enterprise-wide consequence, representing considerable risk and reward. Make your transaction successful by treating data as the critical asset.