Your One Easy Button for IT During Mergers and Acquisitions

Peter Elliman, Director of Product Marketing

The world of mergers and acquisitions (M&A) is changing. In 2024, it’s much more difficult to deliver the same value as before. Companies that rapidly adapt to the changing conditions that occur with a merger are the ones that maximize the expected benefits. As the financial landscape shifts and the importance of technology differentiation increases, the role of IT leaders and Chief Information Security Officers (CISOs) becomes increasingly vital in the new organization. In this blog post, we'll explore the changing M&A landscape, the critical importance of data security in the M&A process, and the strategic opportunities for executives to retire legacy systems and reduce both cyber and data loss risks during and after a merger.

Opportunity in an Evolving M&A Landscape

The environment and nature of mergers and acquisitions (M&A) are more complex in a high-interest rate environment and necessitate greater efficiency and speed. As companies look to the future, they must adapt to changing financial and technological environments. A recent PWC report encapsulates this shift: "Although credit markets have reopened, financing is more expensive than it has been for a decade. The higher cost of capital will put downward pressure on valuations and require dealmakers to create more value to deliver the same return as before."

In this dynamic environment, M&A presents a unique opportunity for IT leaders and Chief Information Security Officers (CISOs) to assert their vision and expertise. Managing enterprise IT risks and the data of both merging organizations should be a top priority. 

One common challenge post-M&A is deciding which systems and applications to retain. Often, the default choice is to go with the system that has the most users and data, assuming this will be less disruptive. Data Gravity often wins. However, in many situations, this is the wrong approach, especially for data protection. While it might seem logical to choose the more widely used system, this approach can overlook critical gaps in data protection and security. The merger presents an opportunity to step up enterprise capabilities, especially if it reduces multiple risks. For this reason,  it’s crucial to evaluate existing solutions based on long-term security and risk mitigation rather than short-term operational convenience.

Asserting IT Leadership with Data Security Awareness

In today's climate, ransomware and cybersecurity threats are top priorities for boards and C-level executives. A recent Proofpoint report highlights that over two-thirds (70%) of those surveyed feel at risk of a significant cyberattack within the next year. Therefore, prioritizing data security and protection in any cybersecurity review is essential. According to the NIST framework, this involves acknowledging the critical roles of data classification, incident response, and data recovery in managing IT risk.

Why is this so crucial? Ransomware actors often target backup systems, attempting to compromise them during attacks. According to Sophos, a staggering 94% of organizations hit by ransomware last year reported that cybercriminals tried to compromise their backups, with this figure rising to 99% in certain sectors such as state and local government, media and entertainment.

IT leaders and CISOs should use the merger and acquisition as an opportunity to assert their vision and help other top executives understand the importance of data security in the unified organization. 

Understanding Your Risk Profile

With a merger, the IT infrastructure—and consequently, the risk profile—doubles. This includes data protection. Given that most organizations have between three to five data protection services, IT leaders now face increased risk to data loss, fines, and decreased brand confidence in the event of a cyberattack. 

The options for the newly formed company include:

  1. Maintaining the status quo and keeping separate data protection silos, potentially ending up with six to ten different systems.

  2. Consolidating and concentrating data onto an existing platform, assuming its security is adequate.

  3. Migrating to a SaaS-based data protection platform to improve security, operational efficiency, and cost structure.

Making the Right Decision for Data Security

It's tempting to rely on past data security experiences to inform future decisions. However, maintaining the status quo or assuming current systems are sufficient might not align with the new organization's goals. Before finalizing any decisions, IT leaders should map future organizational goals to the requirements for their data protection platforms. Consider the following questions:

  • What opportunities exist for improving data security?

  • Can IT complexity be reduced with a new platform, freeing up valuable resources?

  • What are the potential hard and soft savings with a SaaS-based solution?

Customer Example - Suez Water

When Suez Water Technologies and Solutions acquired GE Water, Suez’s IT needed to move data on 60 servers — VMware virtual machines (VMs) and physical file servers — off of GE’s network and onto its own network. The company then had to find a way to efficiently back up that data — all on an aggressive schedule.

With the ultimate goal of moving as much infrastructure to the cloud as possible, the team, which was already using several services from Amazon Web Services (AWS), turned to the cloud-native data protection provided by the Druva Cloud Platform. While it was able to migrate backups of the data from its 60 servers efficiently to the Druva platform, it simultaneously noticed that storage costs were escalating for its AWS workloads. The culprits were discovered to be, in part, snapshot sprawl and limited backup visibility.

In less than a year, Suez Water could cut its Amazon EBS costs in half.  This is thanks to the visibility Druva offers relating to all backups — VMs, physical file servers, Oracle and SQL databases, and EC2 instances.

Learn why Timothy Loranger (Cloud Infrastructure Services Leader at Suez Water) thinks “Choosing Druva was the smartest decision we could have made”.

Uncover the value of Druva

Druva makes data security autonomous with a 100% SaaS, fully managed platform to secure and recover your data from any threat.

  • Improve security out of the gate with built-in air-gap, immutability and Managed Data Detection and Response (MDDR).

  • Reduce IT complexity by removing the hardware and software requirements and centralizing data center, cloud, SaaS, and endpoint data protection with one cloud. 

  • Find hard savings by eliminating redundant hardware and storage, switching to a pay-as-you-consume model, and unique storage efficiencies from global deduplication, compression, and auto-storage tiering.

  • Simplify data governance, enhance visibility, standardize policy enforcement, and mitigate risks. Druva enables organizations to monitor, track, and notify users of compliance risks, manage legal holds, and reduce the time and cost of eDiscovery requests. 

How much can you save with Druva? Try our TCO calculator to see the savings potential when moving from legacy backup to Druva. 


The future of M&A demands a proactive approach from IT leaders and CISOs. By prioritizing data security and thoughtfully evaluating IT systems, companies can navigate the complexities of mergers more effectively. This strategic focus not only protects valuable data but also positions the organization for long-term success in an increasingly digital world.