In this episode of Chasing Entropy, I sit down with Cole Grolmus, founder of Strategy of Security, to explore the often-overlooked world where cybersecurity and mergers & acquisitions (M&A) collide.
The Journey to Strategy of Security
Cole shares his path from early sysadmin roles in Iowa to a decade at PwC, where he worked on large-scale cybersecurity transformations. Along the way, he blended business acumen with technical expertise, ultimately founding Strategy of Security to bridge the gap between practitioners and the commercial side of the industry.
M&A and Cybersecurity: Where Risk Meets Value
The conversation dives deep into the realities of cybersecurity in M&A:
- The real “gotchas” - Rarely do deals fall apart solely due to security issues, but identifying problems early can shape budgets and integration strategies.
- Integration challenges - From identity platforms to logging, customer management systems, and vendor contracts, successful acquisitions depend on planning for forward-looking integration, not just current posture.
- Reasonable assurance - Much like audits, due diligence can only go so far. Complete certainty is impossible, and security leaders must manage risk with contingencies like holdbacks and clawbacks.
The AI Wild West
Cole and Dave touch on the rising role of agentic AI in enterprises. Whether it’s ephemeral developer tools or standing customer-facing agents, the lack of maturity and consistency makes integration during M&A even more complex.
Advice for Security Leaders
For CISOs facing M&A, Cole emphasizes:
- Have a playbook - Not all M&A is bad, but leaders must prepare to handle inherited risks.
- Factor M&A into your vendor strategy - The cybersecurity industry itself is consolidating rapidly, with billion-dollar deals becoming common. Vendor stability (or lack thereof) is now a core risk to manage.
- Pay attention to the business side - As careers progress, understanding the industry landscape matters as much as technical defenses.
Key Takeaway
M&A in cybersecurity isn’t just about dollars and deals; it’s about managing complexity, risk, and people. Whether you’re a CISO preparing for an acquisition or a practitioner navigating vendor shakeups, the ability to translate between business imperatives and technical realities is critical.