In this episode of The New CISO, Steve is joined by guest Ash Hunt, Global CISO at Apex Group Ltd. Today, Steve and Ash dive into the action of M&A (mergers and acquisitions) and how to conduct it well. As a CISO at one of the world’s largest administrators, Ash shares his valuable insight on loss, risk, and revenue generation in a constantly changing IT environment. Tune in to learn more about what causes loss during a merger, why decision management and risk management are one and the same, and the cultural changes in the security industry.  Listen to Steve and Ash discuss how to quantify loss and what jaywalking and cyber security have in common. Meet Ash (1:34) Ash shares that he is proud to work for a fast-moving organization that has expanded worldwide. This growth has led to an exciting time from a technology and cybersecurity perspective. Successful M&A (5:16) Steve presses Ash on how to conduct M&A successfully. What hurts a business during an acquisition is when there are breaks in infrastructure that get overlooked. Luckily for Ash, he has a strong team that prioritizes infrastructure integration to avoid loss and increase revenue. Things in Common (12:25) Ash reveals what jaywalking and risk have in common. For example, everyone in London jaywalks, but like in cyber security, there is a degree of risk.  Risk Management (15:10) According to Ash, risk management is decision management. Decision science is a critical part of Ash’s approach to security. Psychological barriers in the workplace halt optimal investment decisions that can generate revenue. Adding Value (25:36) Ash acknowledges that his most significant contribution toward his company is successfully integrating their infrastructure into one operating platform. He knows it will rationalize his tool stacks and clean up his budget, amongst other benefits. He has seen other companies experience operation inefficiency, access control failure, and inadvertent data disclosure, which he actively prevents. Changing the Operation Process (30:48) Steve and Ash marvel at the operational changes that need to be done in security. For example, many people still default to email versus a more secure portal for data exchange. In order to mitigate risk, cultural changes need to be made to operational processes.  Links: LinkedIn