The IT security professional is there to ensure that the organisation's information is not compromised, whether that organisation is an acquirer, a target or a party to a merger.
From the acquirer’s perspective, there are some very simple questions that need to be asked:
- Is the structure of the target and its IT and information security centralised or decentralised?
- What standing does information security have within the target, and how effective is it?
- Is there an information security governance framework in place and how mature is it?
- What is the status of information security policies, standards and procedures?
- What are the target’s main legal and regulatory requirements?
- Who are the target’s key suppliers?
- How complex is the IT and security infrastructure?
- Can the target demonstrate compliance or certification with information security standards?
- Are there any major IT/information security projects running or starting in the next 12 months?
A thorough audit will answer these questions and assist with post-acquisition activities.
From the target's perspective, the key activities mirror the questions above: you need to show the acquirer that you are directing, managing and monitoring your organisation's information security, based on recognised standards and measurement tools such as the ISF Standard of Good Practice and the ISF Benchmark.
Additionally, highlight your risk appetite, tolerance and acceptance and show how these factors link with information security.
Finally, there is the perspective of the two parties in a merger. This can be the most difficult of the three perspectives, as each party will need to adopt both the acquirer and the target position at different times. The approach here is one of communication and collaboration, not competition.
Whether target or acquirer, the end goal is the same: integrated policies, standards and information security controls and a secure, new organisation.
Adrian Davis is principal research analyst at the Information Security Forum (ISF).