Mergers and acquisitions are fast-moving, high-stakes, and rarely tidy. Cybersecurity, unfortunately, still tends to be an afterthought in many of these deals, but the risks aren’t getting any smaller. And that’s okay. That’s why I was pleased to contribute to this recent Help Net Security article by Mirko Zorz, which dives into the specific cyber challenges that come with M&A activity. It was also great to see perspectives from peers I respect deeply, including Michael Miora and Sean Turner.
A Shared Perspective: Prioritize What Matters Most
One of the things that stood out to me in the article was the clear alignment among those quoted. Michael Miora emphasized the need for prioritization and collaboration, and I couldn’t agree more. During an acquisition, especially in the first 100 days post-close, it’s tempting to try to implement sweeping changes to align every PortCo with a common toolset and policy framework.
But trying to “boil the ocean” rarely works, especially when you haven’t yet assessed what’s most critical to protect. (You can read more about this in my other blog: Fries with That? Why Big CyberSec Firms Upsell You Stuff You Don’t Really Need.)
I often work with PE groups managing 20–30 portfolio companies, many of which have vastly different risk profiles and levels of cyber maturity. If you treat them all the same, you’re going to over-invest in some and under-protect others. Prioritization isn’t just smart, it’s essential. Which of the PortCos should you start with and what should be each PortCo’s top priority?
Small Teams, Big Complexity
Sean Turner also made a great point about the operational complexity of trying to standardize processes and tools post-close. This is especially challenging for smaller companies, which often operate with lean IT teams and limited security expertise.
This is where the concept of the Cyber Poverty Line* comes into play, and it’s something I often talk about with clients. It refers to that invisible threshold below which a company simply doesn’t have the resources (or in some cases, the awareness) to implement basic cybersecurity hygiene. It’s not meant to be a criticism, just a reality check.
During M&A, those gaps can quickly become liabilities. And too often, I see companies spend money on security certifications or tech solutions they’re not ready to operationalize, simply because it “looks good” in the data room or post-close transition plan.
Black Creek’s deep experience using the Cyber Poverty Line provides essential simplicity and clarity. It’s how we get comfortable that almost anything cyber-related that pops up during due diligence can be managed post-close, even if/when the target has an incident.
*A note on the Cyber Poverty Line: While it’s a fairly common phrase in the industry now, this is my own, more pragmatic take on capturing the Top 7 security controls that need to be implemented as baseline in any organization.
Our Role at Black Creek
At Black Creek Cybersecurity, we don’t sell products, and we’re not incentivized to push services you don’t need. We sit on your side of the table, helping you sort through the noise, make right-sized decisions, and build practical security strategies that actually fit your business reality.
So I appreciated being part of this article—not just because of the coverage, but because it reflected a broader shift I hope to see continue: more practical thinking, more honest conversations, and less buzzword-driven panic when it comes to cybersecurity in M&A.
If you’re in PE Ops on the deal team or with a PE-owned company trying to make sense of your cyber priorities post-deal, I’d be glad to have a no-pressure conversation. Helping teams navigate this space with clarity and confidence is what we do best. Contact me here, and let’s chat.