Security Think Tank: Use M&As to reinvigorate security policy

What role do IT security professionals play in mergers and acquisitions?

The days when organisations had a lot of money to throw at merger and acquisition (M&A) activity are long gone. Investor expectations have changed after they wised up to the fact that many M&As failed to deliver on promised benefits. 

This means stakeholders are now inclined to ask much more searching questions as to the rationale behind such purchases than was previously the case. As a result, if an organisation decides to go on the acquisition trail, it needs to prepare itself thoroughly because the price of failure is high.

A frequently overlooked consideration is deal secrecy, particularly among members of the M&A team itself. Despite signing "blood-curdling" non-disclosure agreements, team members may be inclined to send allegedly secret but unencrypted email missives over the public internet without thinking about the security implications or realising that those messages can be intercepted using sniffer technology.

It is only once the deal has been signed and publicised, however, that the real work begins. 

The first thing to do is to check the answers that were obtained during the due diligence process to ensure accuracy. In reality, a security audit, jointly undertaken by the integration and security teams, is crucial following deal completion.

You have to carry out your own due diligence before you plug someone else's network into yours. You'd expect both sides to be examining each other's networks, but you cannot assume that their security policies or practices will be up to the level of your own, or vice versa.


A further challenge, however, is that once the deal is closed and moves to the "squeezing out synergies" stage, the business managers who have been involved in the deal can end up running out of stamina as their minds turn back to "business as usual" mode. 

In many instances, they will have been undertaking both their day job and acquisition-related activity, possibly for months, and may be exhausted. The problem now is ensuring day-to-day security practices do not slip. 

Take advantage of the merger to reinvigorate policies and user awareness of them. Undertake a campaign as part of the integration to remind staff, and inform new staff, of the policies that work is governed by and the processes they need to be mindful of. As with all business adventures, communication is vital to success.

The Corporate IT Forum’s members have been discussing the finer details of M&A activity frequently over the past 15 years. Their most recent findings, which can be found online, cover further discussion of due diligence, including tips such as:

  1. Understand the deal drivers;
  2. Get IT involvement at the due diligence stage or sooner;
  3. Due diligence should contain an outline integration plan;
  4. Have a list of 5–10 major questions;
  5. Estimate IT costs during due diligence using a few key factors;
  6. Architecture gives clues as to the state of IT and the business;
  7. Report on costs and risks: turn risks into costs.

Dani Briscoe is research services manager at The Corporate IT Forum.
