Why buying a car is a lot like buying a business.
I bought a new car last week. Of course I didn’t know much about this particular Car so I got a friend of mine to take a look at it. He said he knew this particular kind of Car so could tell me if it was operating effectively.
For me it looked perfect. Previously I had been shown round the Car and it was clean, looked impressive and the owner explained that they had maintained it extremely well. The price they were asking was quite high, but not outside of my budget. I asked if the vehicle had ever had any incidents and they said no. So I was happy, but wanted my friend to take a look.
The week came for the owner to show my friend around the vehicle and immediately he began looking under the bonnet at how the vehicle truly operated. He explained that it’s all well and good looking at the things the owner is showing you, but they will tell you what you want to hear, and of course they can only tell you what they know (if they are being completely honest!). But he explained that there could be problems beneath the surface that either the current owner isn’t aware of or they’re not willing to admit to. That made perfect sense to me so off he went looking at every aspect of the vehicle’s capabilities.
Asking lots of technical questions that I didn’t understand he discovered a number of small issues that made me believe that whilst the Car had a few issues it was fundamentally sound.
Two weeks later I was signing on the bottom line and taking possession of my new Car. I was happy. However…
A Month Later
I was sat talking to a colleague about the new Car and explained that it had been involved in a major incident, and the costs were going to be quite heavy. I couldn’t understand why it had happened. My colleague asked about the Cars background, its history and about the previous owners. “Had it ever been involved in any incidents? What checks have been done on the Car?” I explained I had a friend look at the vehicle and he had looked under the bonnet and given it a clean bill of health.
“What about the rest of the Car?” she asked. “Was this a vehicle problem or a driver issue? Who was in the driving seat when the incident occurred? What training had they received? Are you taking this to places it had never been before? Could this have been avoided or foreseen? The Car is made up of technology, electronics, third-parties and humans, and the failure could be at any one of these points. All you did was have someone ‘kick the tyres’ and tell you it was ok. No wonder this happened.” (My friend does not mince her words).
Who’s at fault?
By now you may be wondering what this has to do with Cyber Security and Data Protection?! So go back to the start and re-read the story and replace the word ‘Car’ with Business, ‘Vehicle’ with Technology, and ‘Friend’ for IT Specialist, and you’ll begin to see where we’re headed.
It worries me that PE Houses approach Mergers and Acquisitions (M&A) and Cyber Due Diligence with a similar approach to how I might buy a car; Checking only the mechanics (the technology) without looking deeper at what could truly cause an issue.
Good Due Diligence when going through M&A requires a complete understanding of an organisations use of Data, not just the technology it sits on. Technology is merely a vehicle to move Data around, and whilst technology is important it is not the whole picture.
If you’re involved in the M&A industry, perhaps within a PE House, or helping organisations prepare for sale then please do yourselves a favour and start looking beyond the obvious. The Vehicle may look road worthy but the issues may go deeper.
If you don’t know what questions you should be asking please drop me a line and I’ll send you a paper on some of the key things to be looking for and questions to be asking. Because if you don’t start asking these questions you may be the one picking up the cost for any incidents or accidents.
And as they say in the car trading industry… Buyer beware!