Chasing Entropy Podcast 23: Cybersecurity Meets M&A with Cole Grolmus

Sep 30, 2025

Cole Grolmus, founder of Strategy of Security, discusses the intricate relationship between cybersecurity and mergers & acquisitions. He shares insights from his journey from sysadmin to industry analyst, stressing that security concerns rarely derail deals but can greatly influence budgets and integration strategies. The conversation also touches on the challenges of integrating AI in M&A, highlighting the need for forward-looking plans. Grolmus offers practical advice for CISOs to effectively navigate these complexities and manage risks.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ANECDOTE

From Sysadmin To Industry Translator

Cole describes his path from junior sysadmin in Iowa to a decade at PwC and then founding Strategy of Security.
He framed his role as a translator between practitioners and the commercial side of cybersecurity.

INSIGHT

Security Shapes Budgets More Than Price

Security rarely kills a deal once it's well advanced; due diligence usually shapes budgets and integration plans instead.
Acquirers plan for remediation costs and bake them into post-close budgets rather than always changing price.

ADVICE

Plan For Post-Close Integration

Prioritize forward-looking integration, not only current posture, when assessing targets.
Plan how to fold their identity, network, and platforms into your core enterprise systems.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

In this episode of Chasing Entropy, I sit down with Cole Grolmus, founder of Strategy of Security, to explore the often-overlooked world where cybersecurity and mergers & acquisitions (M&A) collide.

The Journey to Strategy of Security

Cole shares his path from early sysadmin roles in Iowa to a decade at PwC, where he worked on large-scale cybersecurity transformations. Along the way, he blended business acumen with technical expertise, ultimately founding Strategy of Security to bridge the gap between practitioners and the commercial side of the industry.

M&A and Cybersecurity: Where Risk Meets Value

The conversation dives deep into the realities of cybersecurity in M&A:

The real “gotchas” - Rarely do deals fall apart solely due to security issues, but identifying problems early can shape budgets and integration strategies.
Integration challenges - From identity platforms to logging, customer management systems, and vendor contracts, successful acquisitions depend on planning for forward-looking integration, not just current posture.
Reasonable assurance - Much like audits, due diligence can only go so far. Complete certainty is impossible, and security leaders must manage risk with contingencies like holdbacks and clawbacks.

The AI Wild West

Cole and Dave touch on the rising role of agentic AI in enterprises. Whether it’s ephemeral developer tools or standing customer-facing agents, the lack of maturity and consistency makes integration during M&A even more complex.

Advice for Security Leaders

For CISOs facing M&A, Cole emphasizes:

Have a playbook - Not all M&A is bad, but leaders must prepare to handle inherited risks.
Factor M&A into your vendor strategy - The cybersecurity industry itself is consolidating rapidly, with billion-dollar deals becoming common. Vendor stability (or lack thereof) is now a core risk to manage.
Pay attention to the business side - As careers progress, understanding the industry landscape matters as much as technical defenses.

Key Takeaway

M&A in cybersecurity isn’t just about dollars and deals, it’s about managing complexity, risk, and people. Whether you’re a CISO preparing for an acquisition or a practitioner navigating vendor shakeups, the ability to translate between business imperatives and technical realities is critical.