Mind the Gaps: How A Cybersecurity Pro Manages M&A Risk

As Service Logic acquires HVAC businesses large and small through an unusual M&A model, Dan Ronco brings them into the fold, aligning firms with wildly different security postures. It starts with endpoint visibility. And AI will make things easier, he predicts.

Q&A

He’s the IT exec managing thousands of disparate endpoints for the ever-growing (through M&As) heating, ventilation, and air conditioning enterprise Service Logic – and, thanks to a slew of acquisitions in recent years, he’s charged with bringing each newly purchased firm into the family, security-wise.

It’s not the typical M&A model, Dan Ronco explains.

In the realm of corporate mergers and acquisitions, Service Logic – the largest privately held energy and HVAC services company in North America – practices a form of management that is best described as, well, the polar opposite of helicopter parenting.

Unlike many publicly traded companies, Service Logic takes a tailored approach to acquisitions, helping its companies preserve their legacy. While this organizational style allows acquisitions to thrive and seems to serve the bottom line well (Service Logic is now at 119 locations and counting), it raises certain challenges in terms of cybersecurity.

From its headquarters in Charlotte, North Carolina, Service Logic acquires or invests in regional HVAC businesses and helps them scale while maintaining some degree of their independence so they can continue to operate as they were before. The businesses can be anything from a small mom-and-pop to a dominant HVAC service provider in a large market – which means that Ronco, as director of enterprise security architecture, is dealing with vastly different levels on the security-maturity scale.

Ronco sat down to share how he manages this ever-growing number of endpoints so all the businesses under the Service Logic umbrella can focus on keeping data centers cool in the summer and offices warm in the winter.

(The following interview is adapted from a conversation with Ronco on Tanium Podcast, produced by Tanium, which publishes this magazine. It has been edited for space and clarity.)

First, Service Logic has that interesting, decentralized business model. Can you explain more about it?

Sure. So, we acquire businesses specifically in the HVAC commercial and industrial services industry in the U.S. and in Canada. We’re about 52 business units right now, and over 100 locations.

Our model is a little bit different than your standard acquisition model, where maybe they’re underperforming or need a large investment of capital. We acquire very successful businesses, in such a way that they can continue to do what’s made them successful, and we offer them financial backing, but we also give them an avenue to expand their security posture, in such a way that it protects our investment but then also gives them that launching pad to the next step of success as it pertains to their business.

This must present some unique operational and security challenges, right?

In a decentralized model, you deal with things like shadow IT, where people might not be aligning with the business on what tools can be used, what practices or what licenses can be purchased, underutilized software, things like that.

So it’s important for us to identify those gaps in such a way that we can facilitate a conversation around [reining] that in – from an operational perspective but also from a cost perspective.

And that starts by…

We have a small introductory call to introduce ourselves, the team, our CIO joins, and we begin [with overall endpoint management]. We have to get visibility into all of the assets … understand what are those assets, the related vulnerabilities, and develop a plan to attack that.

We kind of accept them where they’re at [in terms of their security posture], knowing that we have a very solid integration plan in place to account for any of those gaps.

You still want them to be operating in their own ways and serving their communities in their own ways.

We want to enable them to continue to do what has made them successful, and assimilating them is not going to facilitate that, so that’s not our focus…. We do a lot of compliance checks. We’re a CIS [Center for Internet Security] shop. We adhere to the CIS controls [a framework of 18 best practices for enhanced cybersecurity].

It’s really just a conversation about where they are now and how we can get them to where they need to be. It helps us to steer those conversations in the right directions. For instance, we’ve come across integrations where we see a Windows 97 machine…

Oh, wow.

…sitting on the network. And it can be there for any number of reasons. Maybe it’s just a machine that helps facilitate some business process, and it’ll cost them $100,000 to upgrade that process. So they can’t decommission that Windows 97 device. Just being able to convey that to the business as a risk [makes them] better informed so they can make a better risk decision.

What about automation, machine learning, AI? How do you see that affecting the business?

I think it’s only going to keep gaining steam. As it relates to IT,… I would love to see an advancement where there’s some automation around… things like IOCs – indicators of compromise. [I’d like to] teach [a cybersecurity platform] specifically what indicators of compromise we’re looking for and then develop a workflow or playbook around that, like: “If you see this, what are the expected responses?”

Because from a security incident-response perspective, there are a core set of functions that have to take place in terms of an incident. Isolation would be immediate – regardless of what the compromise is, your immediate action is to isolate whatever’s compromised. And then you have the flexibility, if you know that that system is compromised and no longer spreading throughout the network, you have the time to further investigate.

Most technology leaders we’ve talked to are excited about what AI can bring to their business, while IT workers worry it might take over jobs.

I don’t see that specifically. I think I see a lot of enthusiasm … for uses like enhanced monitoring or predictive maintenance, so if a system operates at a baseline level 90% of the time, can AI detect a change in that baseline and then offer up some type of remediation? Or maybe it’s a disk-space usage or memory-utilization issue. Can it bubble that information up for response? Or maybe we can develop a baseline response. So if you see this, then do this. So we can identify that playbook.

Which can then really help people do their jobs quicker and more effectively.

Absolutely. And thinking about other avenues for AI, looking at things like user behavior to, say, identify instances of insider risk. Say a user and their respective machine perform a subset of functions 90% of the time, and then all of a sudden you see … they’re downloading files or they sent a huge email with a huge file attachment, that can be an indicator of compromise. So having AI present that information at the right time would help us to protect the business even further.

Focal Point editorial staff

Focal Point editors aim to create, shape, and deliver valuable, actionable content for our audience of security and IT professionals, C-suite executives, and tech enthusiasts, focusing on the latest trends, management skills, and developing technologies across the cybersphere.
