Mergers and acquisitions present extra challenges for IT network security. Inevitably, a merger combines security organisations with different security philosophies, policies, technologies and needs. "If one company has a policy that all security needs to stay in-house and the other has outsourced its security apparatus, obviously they have a conflict," says Chris Ellerman, national security practice director at Dimension Data North America. And that presumes that the merging organisations are in the same vertical industries. When the merger crosses verticals, the differences can be even greater and in some cases aren't completely reconcilable. "I've seen mergers that resulted in two divisions permanently operating on different security levels on a single IT backbone due to the requirements of their vertical industries," Ellerman says.
He offers the following tips for organisations that are either preparing for possible mergers in the coming year, or are now involved in a merger.
1. Do not approach a merger of security systems lightly. The large number of security device vendors in the market all but guarantees that each partner in the merger will have a very different mix of security devices and technologies, even if their business structures and IT infrastructures are otherwise similar. "Security is often linked directly to specific applications," Ellerman says. "Disrupting those security systems can shut down vital business services, possibly bringing the business of one of the acquisition partners to a halt. Obviously, you cannot do that."
Instead, he recommends that the two organisations continue to operate separately, possibly with extra security in the links between their IT organisations, while a security team that should include experts from both organisations evaluates the situation.
2. Enter the merger with a plan. "Companies like Oracle that are experienced in handling acquisitions have a plan that they can put into effect the day the merger is finalised," Ellerman says. "Based on the size of the acquisition, they can call their vendors and order the devices they need as soon as they are notified of the merger. The speed with which these organisations can absorb a new acquisition can be astounding."
3. Start with a self-assessment that focuses on identifying business drivers. When global consultant Dimension Data is called in to aid in the process, it begins by facilitating a day-long self-assessment that focuses first on identifying the business drivers in each of the merger partners. Usually key members of senior business and IT management from both partners, including both CIOs and representatives from both CEO offices, are among those involved.
By the end of the day, they have a clear understanding of the key elements of each organisation's security policies and standing, including their weak points, and the business logic behind the infrastructure. This becomes the basis for the definition of a goal-state for the eventual merged security operation. Senior management is open to participating in this exercise because they want the results to reflect the needs of their post-merger business plan.
4. Identify key security personnel from the acquired organisation and get them on the team. This is not, and should not be allowed to become, an "us vs them" war of internal politics. "After all, who knows the acquired entity's security architecture, and its weaknesses, better than their CSO?" Ellerman says. "You certainly hope that the goal of the acquisition for the IT organisation is more than just acquiring more equipment. You want to integrate the best people from both organisations to create the strongest possible IT department, and that includes the security group."
Outsourcing IT security is a common strategy today, and if one of the organisations is outsourced, then the service provider's security team obviously needs to be involved at this point. These individuals are usually very experienced due to the nature of the outsourcer's position providing security for numerous clients, often in different verticals, and this knowledge can be very valuable.
Often in this case, the merged company ends up outsourcing security for both parts of the acquisition, provided that the service provider has good relations with the organisation it originally worked with. However, that is not the only possible strategy, and management should evaluate taking security in-house or leaving the situation as it is, with one organisation's security outsourced and the other's not, before making a final decision.
5. Proceed with caution. It's not uncommon for the two organisations in a merger to be operating at different security levels. One, for instance, may require two-factor authentication to access its network, while the other uses simple password authentication. Until the security infrastructure can be merged and the organisation with the lower security brought up to the higher standards, presuming that is the eventual plan, the company will want to put extra security in the links between the two organisations, treating the organisation with the lower security level as a semi-trusted partner.
If the two organisations are going to remain as separate divisions and not be merged, and particularly if they operate in two different verticals with different security needs, this arrangement may become permanent. If the two organisations are to be merged at the operational level, the team will want to impose a standard set of security technologies wherever possible. However, they need to be careful to minimise disruption to business processes during the transition.
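One concrete form of the "extra security in the links" described in point 5 is a firewall on the interconnect that treats the acquired, password-only side as a semi-trusted partner: default drop in both directions, only named services to named hosts from the acquired network, administrative access only through a bastion that enforces the stronger authentication itself, and logging of everything else. The nftables ruleset below is an added illustration, not a configuration from the article or from Dimension Data; the subnets, interface names and host roles (mail relay, ERP front end, MFA bastion) are assumed for the example.

```nft
# Interconnect firewall between the acquiring company ("corp") and the
# acquired company ("acq"), whose network is password-only and therefore
# treated as semi-trusted. All addresses, interfaces and hosts are assumed
# values for this example; replace them with the real link.
define corp_net    = 10.10.0.0/16
define acq_net     = 10.20.0.0/16
define corp_uplink = "eth0"
define acq_uplink  = "eth1"

# Assumed corp-side hosts the acquired side may reach during integration.
define corp_mail = 10.10.5.10    # mail relay
define corp_erp  = 10.10.7.20    # ERP web front end
define jump_host = 10.10.9.5     # bastion that enforces two-factor auth itself

table inet interconnect {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Acquired -> corp: only the explicitly listed services, nothing else.
        iifname $acq_uplink oifname $corp_uplink ip saddr $acq_net jump acq_to_corp

        # Corp -> acquired: the higher-assurance side may initiate admin and mail sessions.
        iifname $corp_uplink oifname $acq_uplink ip saddr $corp_net jump corp_to_acq

        # Anything not matched above (including spoofed sources) is logged and dropped.
        log prefix "interconnect-drop: " counter drop
    }

    chain acq_to_corp {
        # Mail flows to the relay only.
        ip daddr $corp_mail tcp dport 25 accept

        # ERP web access, rate-limited per new connection so a compromised host on the
        # password-only side cannot hammer the application with stolen credentials.
        ip daddr $corp_erp tcp dport 443 ct state new limit rate 20/second accept

        # Administrative access only via the MFA bastion, SSH only, logged and rate-limited.
        ip daddr $jump_host tcp dport 22 ct state new limit rate 5/minute log prefix "acq-ssh: " accept

        # Fall through: the caller's final rule logs and drops everything else.
        return
    }

    chain corp_to_acq {
        # Admin (SSH), web and mail from the higher-assurance side; still no blanket access.
        tcp dport { 22, 443 } accept
        tcp dport 25 accept
        return
    }
}
```

Load it with `nft -f` on the interconnect host; the logged prefixes make it straightforward to see which flows the acquired side is actually attempting, which is the evidence the integration team needs before deciding what to open permanently and what to retire as the weaker side is brought up to the stronger standard.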
6. Evaluate the impact of planned changes in security procedures and levels before implementing them. Security is always a trade-off between protection of and access to the information and applications that the business needs to operate. The most secure system, as security experts are wont to remark, is one that is totally disconnected from everything in a locked vault that no one can access. But such a system does the business little good.
When evaluating security policies, levels and technologies, it's important to ask some key questions: How much disruption will this cause in the business? How much will the extra time and effort required to access IT resources cost the company? Is the added protection worth the price in terms of its impact on how the business operates? Is higher security justified by the extent of the risk or by compliance issues, despite the disruption it may cause?
Just because one of the merger partners operates at a higher security level than the other, that doesn't automatically mean the higher level is the better option for the merged organisation.
Management must evaluate all the sides of security issues to make the best overall decision for the company.
© Fairfax Business Media