
Mining Technical Debt for Fun and Profit: M&A Strategies

BSides Delaware · 2020 · 24:53 · 42 views · Published 2020-12

[Music] Hey, it's good to be talking to all of you in some weird way where I get no feedback in the usual laughter, so I'll assume you're all finding me amusing or something. This is a talk I've been wanting to give for a while, since a lot of my work is now in helping companies merge together, kind of like a version of agar.io that doesn't freeze as much and there's money involved. So this is what I've been doing for the last couple of months. It helps I could twitch through. Okay, who am I? I'm sure you've all seen the slide before. I am now the mergers and acquisition practice lead for my employer, Leviathan Security. I also do a lot of GRC and strategy work outside of that. I'm also a lawyer. I've got a new disclaimer now: this is not investment nor tax advice, it's not legal advice, and I don't get to see a lot outside of my bento box, so don't ask me for, like, is this a good idea to invest my money, because I still hold pets.com stock to this day, because they're eventually going to turn it around.

So, an overview of why do we have mergers and acquisitions. Imagine you're a startup, you're 35 people, you've got a good idea, and it's not as good as you thought it was. Sometimes selling out is better than remaining independent. You aren't growing, you aren't getting the traction you wanted in the market, or your big new product is just taking longer and costing more money to finally get it ready, so you need more runway, you need more money to finally go and take on the market, and you're just not getting it; your existing investors aren't interested. And from the buyer side, sometimes there are assets within a company that are more valuable not in that company: a customer list, a brand, a code base, a product. A lot of times you'll see these smaller startups, so they'll start with "we're going to go revolutionize this industry" and it gets narrower and narrower until you go, that's a really good tool for an edge case, and someone who's in a business similar to yours that's much larger may say, that's a great tool within our suite of products. So you may get an offer from them saying we would like to buy your company because that tool would be really cool to have. Sometimes it's an acqui-hire: you have a talented team of people that you want to buy, you want to acquire the whole team and say you can do great things. So that's why there's a market. It's not just people going out of business; it might be existing companies where someone says, hey, you would be more valuable as a part of us.

So, valuation. This is where you're finally coming to the idea of I would like to buy your company, or we would like to sell our company. What's the value, what's the price? And that's a little bit outside of the work I do, since my thin niche of that is basically saying here's where your baby's ugly, here's where the price is a little too high. I think of myself as a housing inspector. You may love the house, it's great, it's got great light, it's got great bones, whatever that means, the school district isn't, you know, voted most dangerous in the county for five years in a row. My job is to come in and go, well, the foundation's also damaged, you probably want to replace the electrical system because the existing stuff is dangerous, so let's take some money off the table to remediate those problems.

So, due diligence. Multiple teams come in looking at the deal and say, let's ask questions about the company to find out what the buyer is actually getting. There are financial ones: they're going to go look over the books; they're teams of accountants who are going to make sure that every time you say you've made a sale, you actually made that sale. There will be people who go over your assets: you have real estate, you have patent rights, you have copyrights. Is that worth what you say it is? Is that worth that much to us? Can you actually say you own that thing? So they crawl over that. And then a part of due diligence is undiscovered or undisclosed risks: are there problems with your company that don't appear on the balance sheet? This is the category where I live. Some examples: litigation risks, right. Your product may have infringed on somebody else's patent. Your customers, some of them may love you, some of them may hate you so much they've sued you, or you may have done something stupid and thus justified some kind of litigation. Your product actually killed some people; well, that's bad. More importantly to us in cyber security is breach and privacy risks. Is there an unknown breach risk? Consider when Verizon bought Yahoo and Yahoo failed to disclose some fairly large breaches along the way. Well, that's something nice to know if you're the buying company, to go, I'm getting these things, am I also getting something that has negative value, like an undiscovered breach? And we're starting to see where there are privacy risks: have you gathered too much information unlawfully that is going to make you look like a schmuck a couple years from now once it gets out? Right, your company has a certain amount of value; if it appears on Krebs, amazingly enough, it's worth less. I wonder why.

So, product risks. If you're thinking of a software company, a SaaS company or platform company, the stuff you're buying isn't just the trademark, it's this actual mass of code that makes it run. Is that code worse than you expected? Is it vulnerable? Is it crufty? Is it a bunch of tech debt in a box that you're going to have to clean up once you buy it if you want to continue operating? Are there missing controls in your infrastructure that you're worried about? Are there things that you're expected to have that you don't, like a SIEM, like maybe vulnerability management? Maybe your infra is not up to snuff, and is it going to be really hard to fix all this stuff, therefore expensive, therefore does that take some money off the valuation when you actually go to sign a deal?

So, tech debt. I like to think of it as: remember that temporary workaround that's eight years old? Now you rely on it. There are people who actually are writing code that uses that because it works better now. That workaround you kludged in there is now a part of your life, and if you fix anything, you're gonna break their stuff. Everyone has deferred maintenance, right: out-of-support hardware or operating systems in your production environment. That happens. It's when your entire production infrastructure is running on obsolete operating systems, and when you go, why don't you patch these and bring them up, it's like, well, that breaks the application. Oh, so you've got to rip out a bunch of stuff. A lot of times I see this where it's not patched not only because you didn't have the time, it's that you don't even have the orchestration to do it. The number of clients I've seen where, how do you do patches? And it's, when I have time I run patch, I click through software update. No orchestration, no push out a patch, test, run. Nah, if I have time I'd do it. So I like to think of those guys as "we patch once a year whether we need to or not."

Missing parts. I think of a particular client of ours who, when I asked about a SIEM, explained that they had a budget for that SIEM, and it's like, well, when was that? Well, that was two years ago. It's like, well, what happened? And instead they bought something for trade shows, and that is not actually a picture of it; I could not get a picture of it because that would disclose who the client was. But all I can describe it as was a large SUV with a bumping stereo, and the return on investment for a bumping stereo on a cool ride, that's instant. The SIEM does not pay off as well until you need it.

So on the buy side, you are the people buying another company, you want to know what you're getting, so you're looking for discounts and deal stoppers. Discounts, right: you're just looking for, is there something that we're going to have to fix to make this operational that we take off the sale, because we're going to have to use that money to instead fix that problem. Stuff you have to put in place to meet some minimal standards for that industry. Are you gonna have to hire people because you don't have anyone doing that work? Do you have to go through your existing code base and refactor it because you're using no longer supported languages or no longer supported operating systems, or something like that where you just have to fix the old stuff? Do you have existing breach or liability offsets that you have to pay for? Right, you've got a litigation risk and you know you're going to get sued; your lawyers say it's going to be between a 6 and 8 million payoff. Well, you take that off the sale price. And then integration costs: if this is a purchase that you hope to merge with your existing company because you want what they've got, well, if they're a pile of kludges, it's going to be really hard to integrate that with your hopefully better stuff. So that just is a discount, right. You've gone to the car dealership and you said, I want that car. Kelly Blue Book puts it at 11,000, but I need new tires and I need this, so I'll pay you 10. Fine, the deal's still going to happen, you're just paying a little less.

Then you've got deal stoppers, where the people on the buy side want to say, wait a minute, we need to reconsider even making this transaction. Examples I've seen in this space are: code or core capabilities are vaporware; the capabilities that are in your marketing materials don't actually work. I'm sure no one has ever seen that before in this space. Or you have significant liabilities that you haven't disclosed or haven't even found.

So how do we find this stuff? Testing. The number of times we've just sent a couple pen testers at their infra to go find things, what's wrong there, right. Take the code base and shove it through some static review tool. Do a pen test from the outside if we've got time. I hate to say something nice about a competitor, but NCC ScoutSuite is a brilliant tool for finding out what you do wrong in your cloud infra. And I'm not recommending these as gotchas; I'm recommending, if you run a tool against your code base or your public-facing infrastructure or your cloud infra and you're finding repeated problems, that gives us ideas about other things. The analogy I like to use is: you go to a restaurant and the bathroom's dirty. Well, I can't go into the kitchen, but if I see that you're not keeping the bathroom clean, there probably are bigger problems. And since I only have a week to look at this stuff, I want to look where I can find dirt and extrapolate that if you didn't fix this and I can find it, there's other stuff hidden.

So what else am I doing, or our teams doing? We're doing documentation reviews. I want to see what your architecture looks like. What's your bug backlog look like? How quickly do you clear it? How quickly do you identify problems? Right, if you've got a small backlog but we found bugs, that means that your ability to find stuff is broken or lacking, and I would like to question why. Look at existing incidents: did you learn anything from that past incident? Right, you got popped three years ago; did you learn from that? Did you update your incident response? Did you put some defenses in place? What are you doing? And that gets a holistic idea of what you are as a company. And then the final bit is we play being the Bobs from Office Space. I talk to your infra people, I talk to your devs, I talk to your compliance people, I talk to your sales people. I learn about your market, I learn about how you produce your goods and services, I learn how you do things, and I find out if you have the ability to find new risks in your environment; maybe you don't. And I also get a sense of your management team: do these people know what they're doing? And sometimes those are recommendations back to the buyers to say, when we're done, this is what you're gonna get, if that's still something you're interested in. You know, we're signing off on what we found, this is what it's going to cost to fix, and we have some impressions.

So what do we find? Is the target company as mature and well together as we'd expect? You know, nobody's close to perfect, and that's okay. I don't expect to find really, really mature aspects in a 50-person company that's three years old, right. There are gonna be things you're missing; that's fine, that's expected. I might still recommend that they fix that, and that offsets your cost, but I'm not horrified. If you're a 5,000-person shop in a regulated environment and you're missing core things, that's another category. But I'm really curious about, does this make sense, did you know what you were doing? If there's a problem... sometimes I've walked into places and I see that things you should have aren't there. That makes us dig further, because why didn't you think of doing that? Why don't you have a SIEM? Why can't you do a learning? Sometimes I've seen tons of tech debt. There is nothing like finding out your core application runs in ColdFusion, and I think, wow, you'd hire more devs, but they're all dead. Potential breaches: is there something that says you are so incapable of finding an event that someone could have popped you, taken what they wanted, and left and just gone, right? Are they still there, but you have no ability to detect it unless something goes down, or until Visa calls you up and says we're seeing a lot of fraud by people who used your store? And then sometimes there's really big problems that make us want you to question the deal entirely. You know, you only moved the headstones, you didn't move the bodies.

So, arguing over findings. That's the next step. Once we find everything, we want to go and identify, write them up in a coherent doc, and go back to everyone involved and say, this is what we found, this is what we think you should do, this is what it's going to cost to fix, handle appropriately, right: how much they're going to cost to fix, what's the impact if you don't, how would we order them, how would we prioritize these things, because we know that you're probably not going to immediately fix everything; you're going to fix what you have to do and continue on in the business. Discussing with the deal team, right: we're going to answer questions so they understand what it is that's wrong with the company we're buying, or they're buying really. And then post sale, usually afterwards the purchase occurs and the new acquisition is saying, how do we fix the problems you identified? And we'll try to give them some useful advice and keep on going.

So I realize that none of this ever makes sense unless you do it as hypotheticals. So we have a client; the target is an online lifestyle fashion seller, so they sell jewelry, accessories, clothing, high-end, hippie-esque, expensive. They've got a very strong social media presence, they're on the ground, they've got influencers, a lot of really lush pictures of people enjoying themselves outside, very political, social bent, they're pushing a lifestyle, good for them. They've got a very premium sales model: high touch, high margin, they know your name when you call, they would really like you to remain a customer of theirs. That's the company. We go and take a look at them, and their sales organization is great; their infra is a mess, it's amateur hour. They're doing everything wrong with PCI: everything's in one database that's world accessible, or at least not following all the rules you're expecting to see out of the PCI SAQ D. They're holding credit card numbers in plain text, all the things that make everyone in our industry cringe. And there is what I like to think of as a high delta between the truth and reality here: they're doing a lot of things wrong, but all the documentation they're kicking to their credit card processors is "everything's fine, please go away."

So what do we do? What could they have done better before we showed up? Because we took a fair amount of money off the table for that sale. Do a quick look around. Do a pre-audit audit: hire somebody, bring somebody in who isn't you, just to say what would you fix here. That's usually a cheap consulting engagement, less than ten thousand dollars. If you have documentation you need, do it now, before you're really in the market, because there's nothing like seeing documentation that was done literally the night before. Everybody knows that the time to do homework is on the bus on the way to school, not here. Do the cheap stuff, right: run your patches, just make sure your systems are up to date, make sure basic scans are fine, stuff like run nmap against your external network. Stuff your code through a static analyzer and fix something, because everything we can ding you on is price taken off, and we're going to bump up that cost because we're trying to find as much money to take off the table to justify our existence. Show improvement: show that you as an organization can find and fix your own things, and that it doesn't take the fear of an audit or an assessment or due diligence to force you to clean these things up. Right, so put your stuff in a backlog and then show that you're cleaning up the backlog. Make it seem like you're more of an adult than you actually are.

So, second hypothetical, an actual deal stopper. The target company is in advertising technology, a small Eastern European shop that does some kind of "we do better big data against the cookies we've sucked off of your browser," some magic, some hand waving, but they claim that they can more effectively go from view to ad to purchase than anyone else can. The buyer's very interested in this capability. They have been in marketing since direct mail; they're still in direct mail, but they also have an effect online. They've already got a bunch of data scientists doing this work, but they really like this little company's technology. Most of their clients are in the EU or Japan or Canada, where we actually care about privacy, so that's sort of the asterisk around their concerns: is this other little company doing anything that's scary? And well, yes. Every question we give them means more questions. They're based in Eastern Europe, but their internal policies are all in English, which is a clear red flag, like no one puts your internal notes in a language you don't speak. Nothing they describe actually happens. They handed us hardening guidelines for Windows as their proof that they hardened systems, and we then asked, and they had no Windows systems. So, like, you have documentation that has nothing to do with you. It's like if you went through, you know, I need proof that you own things, and you went through all the old manuals in the back of your filing cabinet for old pieces of technology that you bought and have not thrown away and handed it to people, like, huh, I didn't realize you still had this stove. Oh, that's two stoves ago. So everything about them felt wrong. And then we asked some more questions and found out that they're storing everything they get. They are violating GDPR, they're violating a Canadian privacy act. This is a risk back to our buyer, and we realize, look, if you buy them, under the GDPR it's now two percent of your revenue, not theirs, so you have a problem. And then, talking to them, when they said, well, we're really not interested in their existing customers, what we are interested in is just this technology, we came up with an idea: don't buy them, just license the technology. Buy the license to the stuff that they're doing, hire some devs away, and make it very clear that you're doing that, so you're paying that company enough money that they don't come around and do anything about it. And that way you get what you actually wanted out of this: you didn't want the company, you wanted the magic. So they got that, and we were able to help that client not have to take on all this tech debt, because these guys were doing everything wrong, but this algorithm, this big data magic they had, was actually valuable to them. That's all they wanted. So that's what I got.
