Why cybersecurity is usually the first service a buyer should stand up standalone — and why most exit plans get the order exactly backwards.
Most TSA exit plans sequence by ease: kill the small, simple services first and save the hard ones for last. That instinct is wrong on one service in particular. Security should usually go first, not last.
Two reasons. First, control: as long as the seller runs your detection, identity, and endpoint protection, they hold the keys to your environment after they have sold the business. Every week of shared security is a week of shared blast radius. Second, leverage: security is a high-control, comparatively low-dependency service. You can stand it up without waiting for the ERP or the data migration to finish.
| Common order | Buyer-side order |
|---|---|
| Exit cheap/simple services first | Exit by control risk × monthly cost |
| Security last (it feels hard) | Security first (highest control value) |
| ERP/data early (it feels urgent) | ERP/data on their true dependency |
On the representative nine-function estate in the TSA Exit Playbook, security exits in month 3 and NewCo shared ops in month 11 — the reverse of the intuitive order. The principle: sequence by what the seller still controls, not by what is easy to unplug.
One letter every two weeks. One tactic, one benchmark, one pattern. Short, signal heavy, buyer-side.
Subscribe free →