Panel:
- Derek Dixon, CISO, Fresenius Kabi (Moderator)
- David Fagan, Director of Cybersecurity (CISO), Ferrara (Panelist)
- Frank McGovern, CISO, StoneX (Panelist)
- Matthew Zielinski, CISO, Corient (Panelist)

June 2026
In today’s high-stakes M&A environment, cybersecurity is more than a technical checkpoint – it’s a critical driver of deal success and enterprise value. As boards increasingly recognize the impact of cyber risk on M&A outcomes, the role of the CISO is evolving from operational guardian to strategic business partner. And when acquisitions cross international borders, the challenges of securing these transactions scale dramatically, introducing new complexities that CISOs must address alongside standard risks.
Chicago CISO Community members Derek Dixon, CISO at Fresenius Kabi, David Fagan, Director of Cybersecurity (CISO) at Ferrara, Frank McGovern, CISO at StoneX, and Matthew Zielinski, CISO at Corient led a panel discussion on security leadership during mergers and acquisitions at the recent Chicago CISO Community Executive Summit.
All of the CISOs on the panel have been navigating domestic and international M&A over the past year, and their companies are achieving growth through acquisitions at a rapid pace. They shared firsthand accounts of the unique challenges, surprises and successes they encountered. The security leaders also discussed how to balance swift deal execution with robust risk management, build playbooks to standardize due diligence and foster a unified security culture post-acquisition.
Here are 5 key takeaways from the discussion:
- Involving IT and Security Early is Essential
The panel of CISOs unanimously agreed that early involvement of IT and security teams in the M&A process is critical to avoiding unnecessary risks and complications. They discussed how, in many cases – especially with legacy or family-owned companies new to M&A – security teams are brought in too late, often after key decisions have been made. This late engagement leads to challenges, such as integrating outdated systems, navigating regulatory hurdles, and managing the complexities of standardizing technology across diverse environments. David Fagan shared that “we have lessons learned – we need earlier access to prevent surprises.”
The CISOs agreed that engaging IT and security experts even before the letter of intent is signed allows for more thorough due diligence, smoother integration, and fewer surprises post-acquisition. They also highlighted the importance of developing standardized processes, while remaining flexible enough to address legacy and regulatory constraints. Matthew Zielinski shared that they implement standard solutions, which “avoids some complexity – standardizing and being involved early are key.”
- Securing the New Attack Surface Post-Acquisition
The CISOs agreed that preparing for the expanded attack surface following an acquisition starts with assessing the new risk landscape and understanding the inherited environment. They emphasized that, especially in operational technology (OT) settings, security teams must work within existing frameworks and collaborate with local teams to identify critical pain points and prioritize remediation efforts. Fagan explained that they are trying to understand “where are the pain points, and where are things we can push to the backburner?” Building relationships with local teams is essential for making this risk assessment.
The panelists also shared practical strategies for securing the integration process, such as consolidating digital assets, managing unstructured data, and launching security awareness programs for new employees from day one. The consensus was that rapid integration of systems and processes, combined with a flexible, risk-based approach, is key to managing the increased attack surface effectively. As Derek Dixon said, “Getting on their systems as fast as possible is helpful.”
- Balancing Standardization with Flexibility in M&A
The CISOs on the panel shared that while they have developed playbooks, checklists, and standard questionnaires to guide due diligence, every acquisition presents unique challenges, which often involve ancillary systems or business units that require special consideration. Most of the due diligence occurs after the letter of intent is signed, with dedicated cross-functional teams – including security, operations, and HR – working together to address each item on their lists. The panelists agreed that standardization remains a work in progress due to exceptions and the need for flexibility. As Fagan said, “We’ve been building lists, but they have a lot of footnotes and exceptions. We’re still trying to standardize them.”
Frank McGovern highlighted the use of tailored playbooks for small, medium and large acquisitions, but also shared that while the business side has embraced this approach, “IT needs to catch up a bit.” The overall process is becoming more efficient as organizations refine their playbooks. As Dixon put it, having playbooks makes things easier – but never easy.
- Addressing the Hurdles in International Deals
The panelists shared that they are “not able to follow the standard playbook” when it comes to international M&A because of different legal and regulatory requirements across territories. There are challenges in deploying security frameworks like zero trust, which often need to be tailored to local firms and must account for differences in network access and endpoint controls. Data residency requirements can further constrain operations, as certain types of data must remain within specific jurisdictions.
Legal compliance is another hurdle, sometimes requiring the involvement of third-party legal experts to navigate unfamiliar regulations. Despite these challenges, the panelists noted that their legal teams are well-versed in international regulations and have established processes to manage compliance.
- Navigating the Human Side of M&A Integration
The CISOs on the panel emphasized that managing human factors and resistance to change is also an important consideration during M&A. They agreed that ongoing dialogue and transparency are essential, explaining that setting clear expectations from the start helps prevent surprises and builds trust. Establishing strong relationships with the technology leaders of acquired companies is crucial, as well, as these leaders can help model adoption for their teams. One panelist shared that they test something with IT and then apply it to the CEO, noting, “That way, the CEO can say, ‘I’m doing it, and it works’ when there is resistance.”
The CISOs also highlighted the importance of focusing on end users, acknowledging that concerns about job security can sometimes lead to insider threats or pushback against new systems. By prioritizing user engagement and ensuring IT and security teams work closely together, organizations can better manage resistance, foster cooperation, and support a smoother integration.
When asked to sum up their top advice at the end, the panelists shared the following:
- Be transparent on what your expectations are for acquired partners, and bring them along on the journey.
- Focus on face time and building relationships with leaders at the acquired company.
- Create a playbook, so you don’t have to think on the fly.
- Get engaged – the sooner, the better.
To participate in more sessions on cybersecurity and risk management in M&A, as well as other critical topics for security leaders, join your local Gartner CISO Community. Or, if you are already a community member, sign in to the app to explore upcoming opportunities to get together and exchange ideas and best practices with your CISO peers.