Acquisition-Grade Security and IP Remediation
Built portfolio-wide security posture that survived acquisition-grade diligence
The Challenge
In spring 2024, I took over a portfolio-wide security and IP remediation function at Spirent after the first attempt had failed. The previous effort had been rebuffed by the individual programs within a month—each team had their own priorities, and nobody wanted to take on remediation work that felt like overhead. Meanwhile, Keysight and Viavi were both circling for acquisition, and the diligence clock was ticking. The portfolio had accumulated years of technical debt: unpatched vulnerabilities, unclear license provenance, and inconsistent security practices across teams.
The Approach
- Built a single narrative that framed remediation as acquisition-readiness rather than compliance overhead
- Used the contested Keysight and Viavi acquisition as the forcing function—this wasn't optional work, it was existential
- Created a unified playbook with clear standards, tooling, and timelines that applied across all programs
- Established weekly executive visibility into remediation progress, making it impossible for teams to quietly deprioritize
- Ran remediation as a portfolio-wide program rather than negotiating with each team separately
The Outcomes
Vulnerabilities at acquisition-grade diligence close
License posture across the entire portfolio
Landed months before final diligence closed
Program participation after previous 0% engagement
What I Learned
The first remediation attempt failed because it asked teams to prioritize security over their existing commitments. The second attempt succeeded because it made security synonymous with the acquisition that everyone cared about. Organizational pressure is a tool—used well, it aligns incentives without requiring constant negotiation. The programs that resisted hardest in round one became the most thorough in round two once they understood the stakes.