The information security practitioner’s role is key to mergers and acquisitions (M&A) activity. The starting point is to understand what information/data each party to the M&A activity has, where that information/data is held and in what form, and what the value of the information/data is.
It goes without saying that the value-setting exercise needs to be consistent across all organisations involved in the M&A, and value is often not measured in purely monetary terms.
Value is relative, depending on where it falls in the following categories:
- Publicly available (e.g. brochureware)
- Company internal, but sharable (e.g. client project documentation)
- Company internal, but not sharable (e.g. client data, company projects)
- Sensitive client data (e.g. credit card or bank account details gained from e-commerce activities)
- Restricted distribution (e.g. human resources records and the like)
- Board-only (e.g. strategic planning)
Once the information/data held by the organisations involved in the M&A activity is known and appropriately valued, priorities can be set for which information/data sets are to be made available first in merged form, based on the need to maintain the business and business processes of all parties.
For example, are the back-office human resources and accounting functions the first to be integrated, or the sales and marketing departments and their systems?
This in turn should lead to planning and budgetary decisions addressing a merger of organisational technology in a way that supports both the business imperatives and the need to maintain an appropriate level of information security during the whole merging exercise.
To summarise, the questions that an information security professional needs to ask are:
- What information or data is held? (generally in blocks)
- Where is it held? (often distributed)
- In what form is it held? (or what technology is used)
- What is the value of each piece or block of information or data?
- What is the priority of getting to merged information or data for the new organisation?
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
This was first published in November 2012