Feature

Perspectives: Mergers and acquisitions open security risks

Ezine

This article can also be found in the Premium Editorial Download "Information Security magazine: What's the best IT security advice you've ever received?."

Download it now to read this article plus other related content.

More than once I've had the shock of arriving at work to learn that a newly acquired company was connected to the network the prior evening. Instantly, the mind starts racing: Where did it get connected? How was it connected? What access was granted and to whom?

The overarching concern is how much additional risk was just created for both businesses, and it's a concern we all share once a merger or acquisition takes place.

In my experience with mergers and acquisitions--and I've had plenty--the solution has been to connect the new business directly into the core network as quickly as possible. But, that's the wrong solution.

Such swiftness prevents the comprehensive security assessment needed to understand what risks are being taken on with the addition of this new network. Standardization of hardware and consolidation of processes also are often left to be completed post-connection. That's dangerous, as the known risk in the business is now compounded with the additional unknown risks of the other business.

The challenge, then, is how to integrate the two infrastructures quickly and securely. Prior to initial connectivity, an assessment of what risks exist within the acquired business and an analysis of what it will take to mitigate those risks need to be conducted. Those risks include everything from disgruntled employees to network hackers/crackers that impact resources.

Three key management areas should build a platform for success:

    Requires Free Membership to View


1. An IT security assessment and management process is mandatory to consistently analyze risk across many integrations, provide recommendations, develop an initial connectivity solution and manage the process to completion. Risk mitigation management is typically where integrations fail because no one owns the accountability for ensuring the recommendations are completed.

2. Early engagement in the due diligence process is critical: The sooner IT security can assess the infrastructure and develop a connectivity solution, the better; more time allows for better analysis, development of a solid solution and acquisition of hardware. All applications are not equal, and early engagement provides time to determine key critical applications (i.e., e-mail or intranet) that need connectivity first. Providing access to key applications relieves other integration time crunches.

3. Commitment and buy-in from executive-level management is vital. Businesses acquire or merge with other businesses for multiple reasons, but the one common requirement is to leverage the benefits quickly. You need to sell IT security as an enabler by focusing on business requirements, providing a cost-effective connectivity solution and ensuring regulatory compliance via an assessment.

IT security is no longer just a technology solution, but a vital management asset and requirement. The business folks need to understand that they play an important role in helping to secure and protect. With forethought, planning and executive support, risk can be reduced--not compounded--prior to connecting two networks. Ultimately, you will stand a better chance at protecting the businesses and brand names during the integration, which is exactly what you want--a chance.

David A. Meunier, CISSP, is vice president and CISO for Wisconsin-based CUNA Mutual Group.

This was first published in August 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: