The impact of M&A on software and the customer

What the software vendor doesn't tell you

- A note from SafePaaS CEO Adil Khan

The last few years have been record-breaking in terms of the number of mergers and acquisitions. And the technology sector has been driving much of that growth, with 21.3% of global M&A volume. Watching these mergers and acquisitions has prompted me to think about SafePaaS' growth strategy and the strategy I experienced working with other large technology companies that used mergers and acquisitions to grow. 

As your business grows, you can serve your customers' needs either by buying the necessary technology or by building it in-house. Over the last two decades, I learned five main takeaways that led me to conclude that organic platform growth was the better option for our customers.

"Fragmented technology shouldn't be used when it comes to governance because the purpose of governance is to have enterprise-wide integrity of control execution."

Governance is different

Governance by nature is pervasive, more than any other objective in the organization. To effectively implement governance, you need a consistent top-down set of internal controls, policies, and procedures that ensure the business's strategy is aligned with its execution, as the stakeholders have chartered management to perform. To accomplish that, you need to govern the organization with complete alignment. That alignment is achieved by having your strategic objectives coordinated with the nitty-gritty detail of execution across the enterprise on multiple continents and with thousands of users. And that's the struggle with systems designed to govern the enterprise. Often, you lose the ability to have a “single source of truth” when governance is managed through multiple point solutions acquired by various departments or provided by a vendor solution that’s patched together with multiple acquisitions and mergers.  

An Access Governance system needs to be enterprise-wide because your controls have to be complete, accurate, and timely across the enterprise. This is hard to achieve when the information on your governance platform comes from disparate applications that are not integrated and do not agree with one another. Having applications with different data is like going to sea with two compasses. Which compass do you rely on to guide you if they're not in agreement? And that's the importance of proper governance.

An integrated governance system is critical for aligning strategy to execution, and governance systems are uniquely positioned to solve some of the most strategic problems businesses face. When performed correctly, governance oversees the proper execution of business processes to produce the results promised to stakeholders.

How mergers and acquisitions affect software

There is no denying that mergers and acquisitions create tremendous opportunities and benefits in the software industry. However, governance software is unique. 

When you make acquisitions to grow your platform, you end up with multiple products jumbled into the platform. And that impacts the customer. Customers may not see what's happening behind the scenes, but they will notice it in their level of service. Often organizations struggle through their merger, focusing inward, not outward, on the customer.

Assuming the company gets past the first hurdle and successfully merges, it can then decide to integrate the new technologies or leave them alone. But often, the technology's frameworks are very different and difficult to integrate. So in most cases, companies decide to leave the technologies independent and shift the burden of integrating their products to the customer.

During my time working with a giant tech company offering GRC management and SOX certification audits, they acquired another company for their SoD access controls, change tracking, process controls, and other capabilities. But when they added the new applications into their product, it resulted in four different systems because they were built on separate platforms and were different tools that never integrated. Using this platform was the equivalent of buying four point solutions from one vendor.

Merged platforms create confusion for the customer, and they end up with the monumental task of integrating the vendor's technologies. Customers buy solutions to solve a problem, but merged solutions create inefficiencies that outweigh the solution. When buying an access governance solution, the key is orchestration and centralization, but when you have multiple data sources from a platform, there's not a single source of truth. Acquired technology platforms create fragmentation between the GRC systems on the platform with no internal means of reconciling the data in each of its applications.

In today's market, there is a convergence of access governance solutions. There are nine use cases for access governance, including segregation of duties, identity management, lifecycle management, provisioning, de-provisioning, and audit analytics. If they are in different systems, the challenge is that there is no single source of truth. The burden is now on the customer to reconcile these systems.


Main challenges with M&A platforms learned from my experience

The first challenge when using a platform built from acquired technologies is access and security administration. Platforms built from acquired technologies behave like individual point solutions and require users to log in to each system separately. This is because they are different systems and require the customer to maintain multiple security profiles and multiple security systems. This raises the cost of ownership because you need administrators to support these different security models. You also have to perform access certifications on each system. Right off the bat, this creates a headwind for your company in securing access to these systems. And if one system supports single sign-on and the other doesn't, then you also have multiple user IDs, which puts a burden on the user to change passwords to comply with your password policy.

There is increased management, administration, and maintenance of merged systems because you have different technology layers, meaning you need the expertise to maintain these systems in-house. One system may be in the cloud, another may be on-premise, and they may have different technologies requiring specialized administrators.

Another issue with maintaining disparate systems is pulling reports. To generate a report covering all these systems in your platform, you'll have to create a third-party reporting tool to access a report of all your risks and controls for your auditor. Or, if you need data for consolidated reporting, you'll need to build a customized reporting tool across multiple systems. And that was the case with some of our customers, who spent almost as much time and money on building those custom reports as implementing the platform because each system had its own database, schemas, tables, structures, and infrastructure. So the customer had to find a tool to go across multiple systems and pull reports. 

The fourth challenge we've seen with having these heterogeneous or incompatible systems is that you end up with synchronization issues. When a user's request comes through your access request management system, like Azure, it is picked up through an API in a tool like ServiceNow and passed into your identity governance system. The request is provisioned, but your segregation of duties system is unaware of the update. At this point, you need to synchronize that data with your SoD system, which creates a reconciliation problem. One system says a user has specific access, while the other doesn't. That's a data integration problem because the data is in multiple systems. To overcome that issue, you have to integrate the information manually or, worst case, create an overhead to reconcile the data. Without data integration, you end up out of sync and don't know which system to trust. And you end up with another problem to solve.
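The reconciliation problem described above, shown as an added example that is not SafePaaS code or any vendor's API: it compares the entitlements an identity governance system has provisioned with the copy a separate SoD system holds, and reports the conflicts the SoD system cannot see. The user IDs, entitlement names and rule pairs are constructed for illustration.

```python
# Constructed sample data: each system's view of user entitlements.
IGA_ACCESS = {  # identity governance system, after provisioning
    "u1001": {"AP_CREATE_VENDOR", "AP_PAY_INVOICE"},
    "u1002": {"GL_POST_JOURNAL"},
    "u1003": {"AP_PAY_INVOICE"},
    "u1004": {"HR_VIEW_EMPLOYEE"},
}
SOD_ACCESS = {  # SoD system's last synchronized copy
    "u1001": {"AP_CREATE_VENDOR"},
    "u1002": {"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"},
    "u1004": {"HR_VIEW_EMPLOYEE"},
}
# Hypothetical SoD rules: entitlement pairs one user must not hold together.
SOD_RULES = [
    ("AP_CREATE_VENDOR", "AP_PAY_INVOICE"),
    ("GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"),
]


def conflicts(entitlements):
    """Return the set of SoD rules violated by one user's entitlements."""
    return {r for r in SOD_RULES if r[0] in entitlements and r[1] in entitlements}


def reconcile(iga, sod):
    """Report per-user drift between the two systems and its SoD impact."""
    report = {}
    for user in sorted(set(iga) | set(sod)):
        a, b = iga.get(user, set()), sod.get(user, set())
        if a == b:
            continue  # both systems agree; nothing to reconcile
        report[user] = {
            "missing_in_sod": sorted(a - b),  # provisioned, SoD unaware
            "missing_in_iga": sorted(b - a),  # revoked or never provisioned
            # Real conflicts the out-of-date SoD copy cannot detect.
            "conflicts_unseen_by_sod": sorted(conflicts(a) - conflicts(b)),
            # Conflicts the SoD system still reports but no longer exist.
            "conflicts_stale_in_sod": sorted(conflicts(b) - conflicts(a)),
        }
    return report


if __name__ == "__main__":
    for user, drift in reconcile(IGA_ACCESS, SOD_ACCESS).items():
        print(user, drift)
```
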

The fifth challenge is upgrading and patching multiple systems. You may have one application on the platform that is patched more frequently, which changes the behavior of that application. Mismatched patching cycles also complicate your change management processes, causing you to do change management across multiple systems. Having unsynchronized patching schedules also increases the cost of ownership due to the high administrative costs.

At SafePaaS, we don't want to shift the burden to our customers. We offer a fully integrated platform that eliminates the hassle and risk I have witnessed throughout my career. I firmly believe that technology has the potential to improve commerce and communities through transparency in business. To SafePaaS, the main challenge is not the technology but raising awareness about alternatives to inefficient solutions.