Security Think Tank: In M&As, watch the exits

What is the role of IT security professionals in mergers and acquisitions?

Viewed through an IT lens, the merging of two organisations is often a complex process, but a business cannot stop just because a major change programme is underway. 

Indeed, there is inevitably an expectation that it will continue to run without a hitch and that IT transitions will be smooth and mostly transparent. Of course, reality is not always that simple.

There are three main reasons why merging two environments threatens business as usual:

  • It involves the merging of separate cultures, risk appetites, policy approaches, process and service portfolios, user communities, applications and infrastructures. None of these are trivial to combine.
  • Every merger generates winners and losers. Some people will lose their jobs and others will be disappointed in their new roles. This can easily translate into unhelpful or malicious activity by individual employees or contractors.
  • Mergers do not always occur as a result of a convivial meeting of minds. Hostility and suspicion may lead to intrusive intelligence-gathering by one party against another, using techniques such as technical attacks and social engineering. Similar activities may result if the merger is of interest to media.

Although the usual security controls that are, or should be, in place still apply, a little extra attention is necessary in some areas.

Before the merger's completion, look for escalated or unusual changes in traffic in and out of your network, especially to or from counterparties, the media and other organisations that may stand to lose or gain from the merger. 

If you have technology to prevent data leakage, use it to watch for sensitive documents exiting the organisation over the network or via transportable media.

Once the merger has taken place, do not rush the integration of technical infrastructure – get the governance and management components right first. 

This might slow the integration, but it will enable more informed decisions, which increases the chance of a successful and incident-free result.

Finally, pay close attention to your people. This is a stressful time. Watch for unusually erratic or negative behaviour and provide the support necessary to ensure that the result for each individual, whether it is a personal win or a loss, does not generate avoidable long-term problems for those individuals and for the new organisation.

Rob McMillan is a research director at Gartner

Read more on Business continuity planning