At Mindbody, we’ve expanded locally and globally through acquisitions—11 to be precise, six of those in the past four years. Today, we provide 58,000 health and wellness businesses (gyms, salons, spas, and others) in more than 130 countries and territories with our cloud-based online scheduling and other business management software.
As a result of all these acquisitions, we’ve learned a thing or two about how to streamline and speed up the process of integrating a newly acquired company into our enterprise. We have developed and honed stringent M&A plans—with 30-, 60-, and 90-day targets—and we typically achieve full migration within three months.
Below is some advice gleaned from our experience.
Save time onboarding the new employees and boost security with Zscaler
By providing easy, zero trust access to applications and other cloud resources that newly-acquired employees need, the Zscaler Zero Trust Exchange and its Zscaler Private Access (ZPA) service have helped our operations team fully migrate companies to Mindbody within a matter of weeks. In part, that’s because the Zero Trust Exchange has no hardware to manage. Integration with our single sign-on and multi-factor authentication solutions and deployment of the Zscaler agent have been straightforward and seamless.
ZPA has become an integral part of our M&A integration process. Recently, we acquired a company with more than 500 users. Using the Zscaler cloud-based service took half as much time as traditional VPNs—all while providing zero trust access to network and cloud resources.
In addition, if new-to-Mindbody employees only need to access specific private applications, we can use Zscaler Cloud Browser Isolation to give them secure web browser access instantly, without having to deal with any additional endpoint agents or plugins, so they can get to work right away.
Stick with one access solution and create a detailed roadmap
If the acquired company invested a lot in its own remote access tool, employees may want to continue using it. However, standardizing on one solution—preferably, ZPA—across your entire expanded enterprise reduces complexity, both for operations and for users. Having one way to access network and cloud resources will save you a lot of hassle in the long run.
You also need a very clear integration roadmap, with realistic timelines and milestones, specifying how you will transition the acquired company’s employees to the chosen access solution. For instance, you may have the very reasonable goals of having all users migrated within 60 days and decommissioning the incumbent solution within 90 days.
In the roadmap, be sure to allow for a few weeks—depending on the size of the acquisition—in which both the acquired company’s existing tool for accessing network resources and ZPA coexist. You’ll want to have a discovery phase, during which acquired apps are added into the Zero Trust Exchange, followed by testing, and then decommissioning of the legacy tool.
Spell out the security assessment process and allow for discovery time
Regardless of the solution you use to enable your newly acquired employees to access resources on your network, your roadmap will include a list of action items to assess the overall security posture of the acquired company. This list should include things like figuring out how many additional ZPA or other licenses you’ll need for the new employees, and what types of resources each category or job role will need access to.
Be sure to build in plenty of time to determine who needs access to what, since users often don’t know exactly what they need. Employees can do their jobs without ever knowing the name of all the applications they use. This is not a technology problem; it’s a people and process issue. It will take time to figure out who is using which resources, and to which resources they should be granted access.
Help acquisitions embrace zero trust
If the company being acquired has not yet begun its zero trust journey, incorporating it into your enterprise gives you the perfect opportunity to explain that zero trust is not just a cool buzzword. You can explain the value of a zero trust, least-privileged access approach to security.
It’s also important to share the benefits of a zero trust approach with the acquired company’s employees, especially if they will have more limited access to resources than they had before. But, as Deloitte and as many other firms validate, the 'transform while transact' approach—that is, tackling integration and transformation simultaneously—makes a lot of sense.
Promote the value of reduced risk to senior leadership
Using a zero trust network access (ZTNA) solution for secure, remote access and having a clear roadmap will greatly increase the chances of meeting the board’s time-to-value goals. And with no network-to-network access required by ZPA, the acquired sites’ hardware and network infrastructure can be decommissioned sooner, and unneeded sites closed more quickly.
If you are proposing using the Zscaler Zero Trust Exchange, your senior leadership team should also appreciate how—by shrinking your company’s attack surface and eliminating the threat of lateral movement from cyberattacks—this approach slashes the risk associated with integrating new employees. The Zero Trust Exchange minimizes threat exposure from acquired entities starting on day one.
Plan with scaling in mind and pay attention to details
Today’s merger or acquisition may not be your organization’s only merger or acquisition, so why start over if there is another one down the road? Figure out your deployment topology and make the steps of your roadmap ones that can be easily replicated. With the Zero Trust Exchange as a foundation, we essentially created a highly repeatable template that shaves weeks off onboarding new employees.
In addition, create explicit naming conventions for your applications and be consistent in your application segmentation and access policies. This advice may seem like overkill, but doing so will save you a lot of headaches later. Trust me. In general, being extremely detail-oriented and recording your steps, and even your thought process, will save you time in the future.
To learn more about how our zero trust journey and how Zscaler is helping us with acquisitions and more, I invite you to read the accompanying Mindbody case study.