Security Think Tank: Security often overlooked in M&As

What role do IT security professionals play in mergers and acquisitions?

The IT security professional's role in a merger or acquisition is important but often overlooked: it is not always obvious to the mergers and acquisitions (M&A) team leadership that security is a consideration at all, or that security needs to be involved from the earliest stage of the process.

Unfortunately for many information security managers, the first they hear about their own company's merger is in the press, by which time most of security's opportunity to add value has already passed.

Information security professionals need to pre-emptively engage in personal or team profile-building with the heads of function who will be involved in putting together a team when the time comes. They need to sell the benefits of their involvement up front, with emphasis on cost reduction and smooth transition. 

As with all key selling points, the best ones are directly linked to cost benefits – of which the following one is by far the biggest.

When companies merge it is rare to find that both have equally strong security cultures, technology and controls in place. More often they are at differing levels of maturity and there will be costs in bringing one or other up to a required standard by integrating policies and technologies, without incurring unacceptable risks or disruption to business-as-usual operations. 

Early involvement of security on the team helps with early identification of the likely remedial costs and impacts – which might be factored into the price paid for the acquisition and into future profitability projections.

Checklist of key actions:

  1. Pre-emptively sell the benefits and seek assurances regarding security involvement in future M&A activity.
  2. Understand the structure, business and geographical locations of the acquired or acquiring company. Identify key people that you may need to be working with.
  3. Determine if the acquired entity will continue to operate autonomously or be wholly absorbed into the parent company and plan your security strategy accordingly.
  4. Start with good communication. Involve stakeholders on both sides in discussions on consolidation of security policies, technology and culture.
  5. Anticipate becoming more of a target both internally and from outside, due to being in the headlines and possible insider threats from disgruntled employees. Bolster controls to prevent data leakage, malicious code and database intrusions.
  6. Establish a timeline for change. If integration is going to be gradual or deferred, use that time to introduce change in phases without disrupting business or ruffling too many feathers.
  7. Be mindful of the human and political issues. It can be hard for employees to move from a loosely controlled environment to a more tightly controlled one. Each organisation may be wedded to its own policies and way of doing things. Appoint a single coordinator to negotiate the delicate political issues.

Adrian Wright is director of projects, UK Chapter of the Information Systems Security Association (ISSA)
