Businesses evolve, grow and shrink as market opportunities present themselves. Security professionals need to be ready for this change and it is important to understand the role of information security in mergers and acquisitions (M&As).
The primary rationale is that the information security function should form a vital part of the business process, included in the planning of all M&A activities from the outset, so that the organisation's current security posture is not undermined.
It is advisable to review the security architecture, especially the network topography and identity and access management (IAM), for its readiness for M&A, both in the role of acquiree and acquirer.
For example, the network and its security control points should be designed so that the network/ICT infrastructure can be segregated appropriately, or accept new connections, while preserving the existing security layers.
The IAM preparedness is even more important. By having a well-designed and documented centralised directory, single sign-on and identity federation capability, an organisation is better prepared for changes ahead.
Depending on the organisation's size, there may be several security suppliers supporting your ICT activities. It is therefore fundamental that contracts are formulated so the volume of services being delivered can be expanded or reduced as needed.
For example, managed service provider (MSP) contracts are typically two to three years in duration.
Discussion with executives is key to understanding the likelihood of M&A during that period, so that the contract can be correctly and appropriately formulated.
In some cases, the information gleaned from that discussion may indicate the unsuitability of continuing with that particular MSP partner and lead to selection of a more suitable partner.
In summary, whether the organisation is the acquirer or the one being acquired, bringing the information security team on side will ensure that appropriate due diligence forms part of a successful M&A.
They will be able to identify any issues early on and avoid any areas where regulatory or legislative obligations, especially regarding data, may be in jeopardy.
Vladimir Jirasek, director of research, UK chapter Cloud Security Alliance
This was first published in November 2012