Digital dyke reinforcement for the water authority

Waterschap Drents Overijsselse Delta

The working area of Drents Overijsselse Delta runs from Assen to Deventer and covers 7,001 kilometres of rivers, canals, watercourses and ditches, 16 wastewater treatment plants, 363 pumping stations, 1,972 weirs and more than 1,000 kilometres of dykes and embankments.

NIS2 and BIO2

Dutch water management is of vital importance to our society and economy. Water authorities play a crucial role in safeguarding flood protection, managing water quality and protecting our wet infrastructure. In this digital age, however, water authorities are also exposed to increasing cyber threats. The European NIS2 (Network and Information Security) legislation and the BIO2 derived from it (October 2024) were developed to address these challenges and to strengthen the digital resilience of essential providers.

Contribution as Interim CISO

After unforeseen turnover in the CISO and ISO roles, the task is to bring information security up to standard as a competence within a short time.

Policy development: developing and implementing robust policy that meets the NIS2 requirements.

Risk management: risk analyses to identify and evaluate vulnerabilities, and implementing measures to reduce or eliminate these risks. Starting with continuity, failover and recovery.

Incident response: coordinating the response and recovery efforts to keep an operational disruption to a minimum.

Awareness and training: ensuring that the board and staff of the water authority are aware of the risks of cyber attacks.

Collaboration: I work together with the relevant government bodies, Het Waterschapshuis and partners in the water sector to exchange information and expertise and to strengthen the overall cyber resilience of Waterschap Drents Overijsselse Delta.

From action plan to a controlled process

Sooner or later every organisation faces a cyber event of the highest category. For Senzer that moment was 9 March 2021. A ransomware attack paralysed the organisation. Fortunately a backup was available, and thanks to adequate action and the support of Northwave the damage remained limited. An extensive action plan was drawn up and carried out.

The question to Takeshape: "Help us complete the action plan and lead the transition to a controlled process".

The action plan hinges on the collaboration with Northwave. Northwave provides the Managed Detection and Response services for Senzer. The action plan was completed in mid-2023 and converted into a planned, controlled multi-year approach.

Focus – "There is more than compliance"

Government organisations such as Senzer are subject to a strict compliance regime. The BIO, which is being adapted to NIS2, will become more binding. Annual external audits, such as those on the use of the DigiD connection and access to Suwinet, will continue. But this must not lead to the idea that once the boxes have been ticked, the organisation is actually secure.

The focus is therefore on having a realistic and continuous picture of the level of information security and the risks (the security posture), and then taking the measures that make the greatest contribution. The introduction of an ISMS should contribute to that overview and greatly reduce the reporting workload. Instead of putting everything into preventing risks, attention will mainly be paid to the resilience and recoverability of the organisation.

Because a cyber event can never be prevented with 100% certainty.

Senzer – joint arrangement (Gemeenschappelijke Regeling) in Helmond and the surrounding area

Senzer implements the Participation Act (Participatiewet) on behalf of 7 municipalities: Helmond, Laarbeek, Gemert-Bakel, Geldrop-Mierlo, Someren, Asten and Deurne, with a total of 250,000 inhabitants. Over 2,000 people work there, and Senzer is responsible for the social participation of hundreds of people and for income support for 4,800 social assistance clients.


Advising Start Up - Lifelong Learning Portfolio

A veterinarian is a veterinarian? Not quite. Besides the fact that there are various specialisations in education, there are numerous follow-up courses that ensure further specialisation. However, everything that takes place after graduation is not centrally registered anywhere. Nor does an examination mark provide any insight into how skilled a professional is in a procedure. What if every graduated veterinarian could carry an online portfolio to have all this information together?

Contribution Takeshape: From POC to Platform

A first version of this online portfolio platform has been published and is slowly but surely being expanded. I was able to help the founders make a plan to scale from proof of concept to a fully-fledged IT platform. This sometimes involves technology, but often not. Small matters, such as the use of freeware that is permitted for personal use but not for commercial use, are one example.

  • Right of ownership of software
  • Copyright protection of source code
  • GDPR and Processor Agreement
  • Open source elements vs. licensing
  • Solid 2 factor authentication
  • Commercial model.


Advising Start Up - Zero Emission Last Mile Delivery

The Last Mile... In logistical terms, this refers to the transport of products to their final destination, usually from a distribution centre in a city. This logistic chain is still hopelessly inefficient. For example, on the Dutch motorway 25% of the trucks are empty. The average load factor is 45%. So we mainly transport air. What if these large and mostly empty trucks unload their cargo at the edge of a city and small emission-free vehicles deliver these goods in the city? That would save a lot of transport movements of empty and polluting trucks into the city. Cleaner and safer. Such a 'hub' is planned around Utrecht, in Bilthoven.

One would think this is all about physical goods, delivery vans and parcels. However, the beating heart is an IT system that controls this complex chain. Complex because there are 6,000 transporters in the Netherlands and many parties use their own Warehouse Management and Transport Management System.

The software that the Utrecht Hub will be working with is a fairly new development that can be layered on top of all Warehouse Management and Transport Management systems in order to maintain a total overview.

The question to Takeshape: "Is this software a solid basis for further growth?".

The following aspects were evaluated:

  • Functional; evaluated against the Programme of Requirements
  • Non-functional; assessed by the Solution Architect
  • Legal; contract review
  • Commercial/service provision; contract and SLA assessment
  • Implementation approach; supplier proposal.

Based on this analysis, the hub's management team was able to make a well-founded decision.

IT Due Diligence - know what to look for in 2022

IT services are rapidly moving to the cloud. Assets on the balance sheet are turning into subscriptions. Ransomware has executive-level attention. Data breaches cost companies millions in fines, customer retention and hidden costs.

If technology is changing rapidly, IT Due Diligence should too

Unless the acquisition concerns a technology company, IT Due Diligence usually does not play a major role. IT is complex and the integration can be dealt with after the deal. But because the future of non-tech companies also relies on digitisation, and because information security and privacy can no longer be ignored, they must be included in the Due Diligence process. IT Due Diligence should focus on assessing the technology backlog in the deal, and the risks that lie beneath the surface. Technological backlog slows down the realisation of a digitisation strategy. Risks can be quantified. This provides information that you want to include in valuing the deal.

The real focus of IT Due Diligence is to assess the technological debt that is included in the deal, and the risks that are hiding under the surface.

IT Due Diligence requires a different approach

IT is not a regulated industry. There is no set way of organising or a reporting regime that must be met. There are best practices and ISO standards, but they leave a lot of room for interpretation. And with trends like virtualisation and cloud contracts, what is an 'asset' anyway? IT Due Diligence is no longer an exercise in which a junior in the team simply works through a meaningless checklist, producing a list of acronyms and network diagrams that suggest detail and expertise but lack interpretation.

IT is no longer about technology, but much more about data and security

IT is no longer about technology, but much more about data and security. It has become so abstract that it takes skill and expertise to know what to look for.

Real risks and technology gaps can be exposed by looking at:

  • Software
  • Contracts and licences
  • Information Security
  • Privacy and GDPR
  • Planned IT Investments
  • Human Capital
  • Hardware and Network Design

What should IT Due Diligence look for in 2022?

Risk-based, tailored to the transaction, this should include at least:

Software

With off-the-shelf software, the emphasis is on software compliance; is all software licensed? Custom software may require a Quick Scan of the code or a thorough code review. Is the software built to last, or a bunch of spaghetti that is only understood by the local hero who built it? The one who will retire in a year. Also determine the ownership of the intellectual property. Who actually owns the code? With SaaS software, it is all about the contract terms.

Contracts and licences

Start with an overview of all current contracts (...), determine the renewal dates of contracts, and check the General Terms and Conditions for selected contracts for clauses referring to transfer of ownership. This is not self-evident. Also, most software products and cloud services are dependent on underlying Big Tech services. This results in sometimes undetected back-to-back contracts. Are these aligned?

Information Security

Estimate the risk profile of the organisation by applying one of the many available frameworks, such as the NIST Cyber Security Framework, the SANS Top 20 Critical Controls or ISO 27002. This is still a desk research approach. If critical, a red team or ethical hackers could test the practical strength of the security controls.

Privacy and GDPR

This is one of the most misunderstood and misinterpreted topics around information systems. Many have an opinion about the GDPR, few have taken the time to read the EU and local legislation. But it is not that complicated. The GDPR prescribes a series of measures and controls that must be implemented to secure personal data. These can be checked in a structured way. No wizardry required.

Planned IT investments

Assess the current IT architecture and project portfolio. Are the planned investments delivering value, or is it "keeping the lights on"? How big is the gap between the As-Is and To-Be IT landscape? Be wary of ERP implementations and Integration Layer projects. These are notorious for creating too little value.

Human Capital

Assess the professionalism of the IT department. IT is only as good as the people who organise it. A quick look is enough as a starting point; identified positions and average seniority, internal training materials and procedures, certificates and formal training courses. Who are the key people and are they on the payroll or freelance?

Hardware and network design

A list of all assets should be easily retrievable from the inventory system or the CMDB. A simple analysis will quickly give an impression of their completeness and accuracy. Remember that if you don't have all the assets in view, you can't know whether they are adequately protected. The IT department, by the way, should frown when asked about hardware. Most IT hardware will have been virtualised (and then run on other, more powerful computers).

How the network is designed says a lot about the maturity level of the IT organisation. Modern networks are, like the hardware, also virtual, the so-called 'software defined network'. An assessment of this topic gives a clear indication of any technological debt.

If an overview of all assets cannot be provided quickly, there is smoke and therefore fire...
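The "simple analysis" of inventory completeness and accuracy mentioned above can be made concrete by reconciling what the CMDB claims against what is actually reachable on the network. The script below is an added example, not Takeshape's or any client's code; both CSV inputs are constructed sample data, and in a real engagement they would come from the inventory tool export and a discovery scan or hypervisor API. It flags live hosts the CMDB does not know about, CMDB entries marked active that no longer answer, hosts marked decommissioned that are still up, and attribute drift such as a changed IP.

```python
"""Reconcile a CMDB export against a network discovery export.

Added example for the IT due diligence asset check; not code from the
consultancy or any client. The CSV inputs are constructed sample data.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

# Constructed sample CMDB export: what the IT department says exists.
CMDB_CSV = """hostname,ip,owner,status
web01,10.0.1.10,app-team,active
web02,10.0.1.11,app-team,active
db01,10.0.2.20,dba,active
legacy-erp,10.0.3.5,finance,active
old-fileserver,10.0.3.9,infra,decommissioned
"""

# Constructed sample discovery export: what actually answers on the network.
DISCOVERY_CSV = """hostname,ip,os
web01,10.0.1.10,ubuntu-22.04
web02,10.0.1.12,ubuntu-22.04
db01,10.0.2.20,rhel-8
old-fileserver,10.0.3.9,windows-2008
unknown-nas,10.0.3.40,linux
"""


@dataclass
class Reconciliation:
    undocumented: list[str] = field(default_factory=list)  # live, absent from CMDB
    stale: list[str] = field(default_factory=list)         # CMDB active, not seen live
    zombie: list[str] = field(default_factory=list)        # CMDB decommissioned, still live
    mismatched: dict[str, tuple[str, str]] = field(default_factory=dict)  # host -> (cmdb ip, live ip)


def parse_csv(text: str) -> dict[str, dict[str, str]]:
    """Index a CSV export by hostname (hostname is the join key in both exports)."""
    return {row["hostname"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(cmdb_text: str, discovery_text: str) -> Reconciliation:
    """Compare the CMDB view with the discovered view and classify every host."""
    cmdb = parse_csv(cmdb_text)
    seen = parse_csv(discovery_text)
    result = Reconciliation()
    for host, row in seen.items():
        if host not in cmdb:
            result.undocumented.append(host)
            continue
        if cmdb[host]["status"] != "active":
            result.zombie.append(host)
        if cmdb[host]["ip"] != row["ip"]:
            result.mismatched[host] = (cmdb[host]["ip"], row["ip"])
    for host, row in cmdb.items():
        if row["status"] == "active" and host not in seen:
            result.stale.append(host)
    return result


def coverage_ratio(result: Reconciliation, discovery_text: str) -> float:
    """Share of live hosts that the CMDB correctly accounts for as active assets.

    Undocumented and zombie hosts are unprotected by definition: nobody is
    patching or monitoring something the inventory says does not exist.
    """
    live = len(parse_csv(discovery_text))
    if live == 0:
        return 0.0
    return (live - len(result.undocumented) - len(result.zombie)) / live


def report(result: Reconciliation, discovery_text: str) -> list[str]:
    """Human-readable findings, one line per issue, for the due diligence memo."""
    lines = [f"CMDB coverage of live hosts: {coverage_ratio(result, discovery_text):.0%}"]
    lines += [f"UNDOCUMENTED live host: {h}" for h in result.undocumented]
    lines += [f"ZOMBIE (decommissioned but live): {h}" for h in result.zombie]
    lines += [f"STALE (active in CMDB, not seen): {h}" for h in result.stale]
    lines += [f"IP DRIFT {h}: CMDB {old} vs live {new}" for h, (old, new) in result.mismatched.items()]
    return lines


if __name__ == "__main__":
    findings = reconcile(CMDB_CSV, DISCOVERY_CSV)
    print("\n".join(report(findings, DISCOVERY_CSV)))
```

Joining on hostname keeps the example short; in practice you would also match on IP and MAC address, because the interesting gaps are exactly the hosts whose names the CMDB and the scanner disagree on. A coverage figure well below 100% on a first pass is the "smoke" the closing sentence above refers to.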

I have managed IT departments and IT programmes in various sectors for many years. I am a certified Information Architect and a Certified Information Systems Security Professional (CISSP). With an extensive network of specialised professionals and companies to call on, I keep the team small and dedicated. A small organisation without overhead to ensure short turnaround times.

If you want to assess the risk and technology debt in your next M&A deal and need it done quickly, I can help.

More efficient project collaboration with TenneT

TenneT manages the Dutch high-voltage grid and in Germany, TenneT is the largest electricity transmission system operator (TSO) and manages a route from the North Sea to the Alps. TenneT serves around 40 million households. The energy transition calls for an accelerated strengthening and expansion of the current infrastructure. TenneT's investment programme will amount to tens of billions of euros in the coming decades. Executing these programmes requires enormous coordination between TenneT and its contractors.

The challenge 

Through a European tender, the contract was awarded in May 2021 to an Indian party to provide software and support for project collaboration. The SaaS software is now considered a crucial part of the application landscape. Both the project organisation and the application landscape are developing rapidly. The project collaboration system must fit in seamlessly and connect to the developing data standards. Meanwhile, the evolution from document-driven to data-driven working is progressing much faster than anticipated. The system must be able to handle both worlds.

Takeshape contribution - Seamless transition from tendering to contract and realisation

A European tender is a project in itself. It is not unusual for the project team to fall apart after the winner has been contracted and for an entirely new team to be set up for the implementation. By supervising both the tendering process and the implementation, there has been no gap between the intention of the tender and the execution of the contract. In this respect TenneT retained maximum control.

The SaaS software is an off-the-shelf package. This is not where the challenge lies. Some of the characteristics of this assignment:

  • Harmonisation of working processes within TenneT
  • Multi cultural - international team
  • Remote online teamwork - Netherlands, Germany, India
  • From document driven to data driven
  • Agile governance 


Quality Assurance for Municipality of Amersfoort

The Digital Case-Oriented Work File got off to a rough start. Nothing is as radical as a system that changes your daily work. The system used was 'end-of-life' but proved difficult to deploy. The new system promised much but was technically complex. The Management Board felt the need for a critical outside view to assist with this programme. As an 'insurance premium'.

Contribution of Takeshape - Quality Assurance to the Amersfoort Digital Programme

In recent years, I have been commissioned by the Management Board of the Municipality of Amersfoort to perform the Quality Assurance role on the programme Digital Case-oriented Working, which has meanwhile changed into "Amersfoort Digital". From the sidelines, I was able to assist the programme with my 'view from the outside'. A unique opportunity to contribute to my own city. Much appreciation for the challenges that the IT/IV organisation of a municipality has to deal with.


CISSP - Information Security Certificate obtained!

It is a regularly recurring discussion within organisations. When do you really know something? Organising information provision has become enormously complex. Clients cannot oversee this forest of three-letter abbreviations and have to rely on advice. I see too many professionals bluffing their way through the field based on 'a dose of common sense' and a smooth talk. I like to go one spade deeper. When a client asked me in 2019 if I could assist them in making their organisation ISO27001-proof, I replied; "yes, but". Yes, but I am going to pass the Certified Information Systems Security Professional exam first. I study for fun and this was a means to force myself to keep up. No sooner said than done. I registered at FOX-IT in Delft and followed the training from January to July. Lovely to immerse yourself in such an uber-geek organisation.

A CISSP certification is valid for three years. In the meantime the professional must demonstrably keep up with the field through self-study and training. I have now earned enough "CPEs" to carry the CISSP label for the period 2023 – 2026 as well.

Update (Aug 2023): CISSP certification extended until August 2026

The right software for TenneT projects on- and offshore

Connecting a wind farm to TenneT's fixed high-voltage grid easily involves more than 40 parties. The amount of coordination required to bring such a project to a successful conclusion is phenomenal. The Project Management Office of Offshore NL is in charge of this. On behalf of the PMO, I am investigating which systems are required to provide optimal support to the PMO and how these systems should be connected to the rest of the TenneT systems.

Contribution Takeshape - European Tender Project Management

After a market consultation, I led the European tender that resulted in a contract with an Indian party in May 2021. As is customary with Takeshape and complex projects, this did not happen in a straight line. During the tender process, more business units showed an interest in participating. Under the OneTenneT development, the tender was anchored higher up in the organisation so that the system would become a TenneT-wide generic service. All future projects at the major project departments and at Grid Field Operations will use the system.

In close cooperation with the IT department, architects and service managers, we were able to draw up a future-proof contract with maketype pricing. In the meantime, we had to start working with the entire team online in March 2020. In the small, well-established team, this went fantastically well. Negotiations with large teams of software providers also went well, even better, online.

In the meantime, the contract has been put on hold and implementation is in full swing.


An own IM organisation for the Dutch Transplant Foundation

Taking charge yourself, but how?

If you deal with death and the wishes of the deceased and their next of kin on a daily basis, you know that the margin of error must be small. The world of organ and tissue transplantation demands accurate and reliable information. So it will be exciting when the Dutch Transplant Foundation decides to insource application development and data management in 2018. Since its foundation in 1997, the NTS has been using IT support from Eurotransplant, the umbrella European foundation. Both foundations decide to complete the IT unbundling process. But how? And, which capacities should the NTS develop then? Is that possible with the limited size of the NTS?
The NTS does not have much time because the introduction of the Active Donor Registration Act on 1 July 2020 is fast approaching and in the meantime they have to move to new premises in Leiden. Both have a major impact and a high IT and data component. It is important that there is clarity soon!

Vision development

In the summer of 2018, I developed a vision for and especially with the Dutch Transplant Foundation about bringing information and data management under our own control. What capacities do we need, what do we do ourselves, what do we outsource? What technology do we use and how do we become proficient at it? What priorities do we choose? This plan, which also has personnel implications, has been approved by the NTS works council.

Putting our money where our mouth is

In the autumn of 2018, I actually implemented the plan. In an interim management role, I built up the Information Management department and the Management Team was expanded with the role of Information Manager. A new technology was chosen and a training programme was initiated with the help of external specialists.

Recruitment has succeeded in filling two crucial new roles, that of information manager and lead developer. Our own people will be in charge, a key element of the plan! My mission will be complete in the spring of 2019, when the structure will be in place and all the bases will be covered. After a month of handing over to the new information manager, I leave the NTS and its staff with professional pride and personal admiration.