A couple of other issues will simply take some time to evaluate. One is that the company runs virtually all of its major corporate applications as software as a service, and it uses cloud-based file storage for sensitive data. SaaS and the cloud aren't problems in themselves; we use both ourselves. But we evaluate all of our cloud vendors so that we fully understand their security posture and the nature of the integration between us and them.
Finally, there's the consideration that the acquired company uses more than 30 partners around the world for things like software development, help desk and other corporate functions. That's a significant number for a company with just 40 or so employees. The thing about all those partnerships is that we have a very stringent review process for taking on partners, especially those who work in countries that are considered risky. We're going to need to review all existing contract agreements, nondisclosure agreements and the like to ensure that they meet our standards.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.