Security Think Tank: Added burden for information systems professionals in M&As

What role do IT security professionals play in mergers and acquisitions?

The time prior to and during a merger of businesses is often a time filled with uncertainty and doubt for employees of both businesses. 

During these times, the information security professional's workload will increase significantly as managers want to know what their staff are doing and who is copying what data as security becomes more of an issue.

Management will be worried about how the M&A is going to affect operations, and will not be thinking about safeguarding information in the normal manner, but rather the fast free-flow of data to the other parties.

Putting aside the operational concerns of managers, the IS professional needs to complete roughly the same work as any other manager in a business undergoing an M&A – and then a little more on top.

The IS professional will need to ensure their business unit is running smoothly and efficiently and that they have in place all the assets needed to aid the business in a smooth transformation. They will also need to ensure the safe and secure transportation of data between the businesses, often at very short notice.

Below is an example of the key actions for the IS professional during an M&A:

  • Review the profile of the information security team and reassess their background and qualifications;
  • Revisit the assets register and determine the effect of an influx of foreign systems;
  • Audit software licences to ensure sufficient coverage is in place;
  • Review leasing, rental and maintenance contracts, and determine if amendments to these are needed;
  • Complete a policy and procedure review in preparation for the mass adoption of new workers;
  • Plan a new security awareness programme and prepare a delivery mechanism with the least impact on business operations;
  • Review the information security management system and bring it up to date;
  • Recheck the security metrics and key performance indicators used to give the baseline indicators, such as violations, breaches, compliance, etc.;
  • Develop an integration plan for the merging of the two entities and provide with it good cost indicators for the prevailing budgets.

The IS professional should always consider whose ethos will be most prevalent and which policies are going to be a better fit for the workforce.

Peter Bassill is a member of the ISACA London Chapter Security Advisory Group
