Me again. Marriott is on everyone's minds today, but it's not Bonvoy that's doing it. If you haven't heard it yet, Marriott was fined $124M US by the ICO (the UK's Information Commissioner's Office) for GDPR violations resulting from their breach. 

Here's the thing: they inherited that breach from the Starwood Alliance. It wasn't Marriott itself that suffered the breach, but the company it acquired. 

Remember Colin Powell's "Pottery Barn" aphorism, "You break it, you own it"? This is a variation on a theme: you buy it, you own it. 

The US, and the world, are M&A crazy right now. Companies are spinning off business units and selling them to others, or acquiring smaller startups and competitors, or giants are combining in hopes of maintaining their advantage in the marketplace. 

The issue today is that security posture generally isn't part of the due diligence done for those transactions. 

I think that's about to change, partly because of today's ruling. Organizations might be able to weather the bad press, but there will be financial consequences. More attention will be paid to the Infosec posture and stability on both sides of the transaction, where in the past IT and Infosec organizations were simply told to make it work after the deal had been inked. 

Again, it's going to come back to visibility. Seeing the anomaly, and knowing what your (and your new partner's) application environment looks like, will become (and had better become) as much a part of M&A due diligence as dotting the fiduciary i's has been in the past.