Why security makes or breaks M&As, with Matt O’Leary

Security is tied to business operations in many (often unappreciated) ways, but the connection is rarely more visible or consequential than during an acquisition or partnership. In those deals, a company stakes its reputation and finances on another company, and a lapse in security can throw the whole thing into chaos.

That’s the subject of this episode of Chasing Entropy, in which Dave Lewis talks with Matt O'Leary, 1Password’s Vice President of Corporate Development and Strategic Partnerships. They discuss what changes about M&As and partnerships when security is tied directly to the product, the brand, and the deal itself.

Caveat emptor in M&As

O’Leary’s core idea is simple: when a company makes an acquisition, it inherits the whole business, not just the part that looked attractive in the pitch. That includes the technology, the team, the process gaps, the legal exposure, and any security weaknesses that were not obvious at first glance. O'Leary makes the case that strong dealmaking starts with risk discipline, because a transaction only creates value if the company can integrate what it buys without importing problems that slow everything down.

He also explains that good corporate development starts with the roadmap, not the deal. An acquisition makes sense when it helps the company move faster than building on its own. That is why corp dev has to stay tightly aligned with product, engineering, and security leadership. In a cybersecurity company, technical diligence carries extra weight. If a target has a serious security or technology issue, that is not a detail to clean up later. It is a reason to walk away.

Go as deep as you possibly can, before you cut the proverbial check…If there is any major issue with the technology, if there is any significant exposure to cybersecurity risks in a company we are targeting, those are deal killers.” - Matt O'Leary

The risks and rewards of partnerships

The conversation also sharpens the distinction between partnerships and acquisitions. O'Leary argues that deep partnerships can create major leverage because they expand reach, increase product value, and connect a platform to the tools customers already use. But they also transfer risk. If two companies are tightly integrated, trust becomes shared. A failure on one side can damage both. In that sense, partnerships may be lighter than acquisitions, but they still demand the same seriousness around diligence, reputation, and customer impact.

When you’re doing an integration partnership, you’re tying your brand, and the trust that you stand for with another company’s. So you really need to be thoughtful about how you go about that.” - Matt O'Leary

After the deal: integration and communication

One of the strongest parts of the episode is the discussion about integration. O'Leary is clear that post-close integration is the hardest part of M&A. Retaining key people, understanding founder motivation, aligning technical architecture, and planning how products and teams will come together all matter before the announcement, not after. Dave Lewis brings home this lesson by sharing a story of a botched M&A, where the acquiring company failed to lock in the engineering staff. “We had the big celebration party and none of the engineering team were there, and we were like, ‘What’s going on?’” 

He also emphasizes the importance of customer communication, since M&As can raise questions and trigger concerns. “You want to communicate to customers that the standards that we apply to ourselves – that are the reason they bought our product – are the same standards that we will apply to the new product and service that we have acquired.”

For anyone interested in corporate development, O'Leary’s advice is direct. Curiosity matters more than a fixed career path. The best operators learn across functions, ask better questions, and build enough context to understand how product, security, legal, and finance decisions connect. For founders, his advice is just as clear. Build relationships with corp dev teams before you want an outcome. Trust and credibility take time, and good deals depend on both.