What I Learned Auditing a Corporate Merger

What really happens to the digital infrastructure when two giant companies merge? Even though Maverik's acquisition of Kum & Go happened in 2023, the process of securely integrating their technologies is a marathon, not a sprint. I joined the ITGC internal audit team at FJ Management (Maverik's parent company) in 2025, stepping right into the middle of this challenge.

The Great Tool Inventory

My first task was to be a fly on the wall in the discussions about the great "tool inventory." It was my job to listen and learn as senior members of the team analyzed the massive ecosystem of security tools each company used. It was like looking at two different toolboxes, both filled with wrenches and hammers, but from different brands and with different features.

I was amazed to learn just how many different SaaS tools can be pieced together to protect every little aspect of a company's security posture.

The Firewall Dilemma: A Lesson in Business vs. Security

The most interesting part of the audit was witnessing a classic debate unfold in real time. The situation was simple: Kum & Go used a different brand of firewalls than Maverik.

The Security Problem

For the security team, managing two different firewall systems was a major headache. It meant:

• Double the training
• Slower response time
• Higher chance of misconfigurations that could leave a gap for attackers

The Business Problem

From the business side, the firewalls they had were working just fine. The idea of spending a significant amount of money to replace perfectly functional equipment was, to put it mildly, not popular.

As an intern, I had a front-row seat to one of the most fundamental challenges in our field: showing the business why a necessary security change is worth the cost.

My Key Takeaway

My biggest lesson from this project wasn't about which firewall brand was better. It was that cybersecurity is as much about communication and business acumen as it is about technology.

The best security tool in the world is useless if you can't articulate its value and get the business to support it. You have to learn to speak the language of risk and efficiency, not just the language of tech.

This experience was a great introduction to the world of GRC, and it helped shape how I view the role of a security professional.

What's Coming Next

Next week, I'll shift from high-level strategy to the nuts and bolts of modern development as I share my experience auditing a CI/CD pipeline.

This is part of a series about my cybersecurity internship experiences. Read the first post to understand the context of my journey through both GRC and Security Operations roles.