M&A: Merging network security policies
This tip is part of SearchSecurity.com's Corporate Mergers and Acquisitions Security Learning Guide.
Mergers and acquisitions occur quite frequently among technology businesses.
Almost every day, the business news carries a headline about the merger of two firms or the acquisition of a smaller firm by a larger competitor. Each one of these deals involves a complex series of actions designed to consolidate operations and cut costs, as duplicative functions, procedures and resources are eliminated.
Frequently, though, information security professionals are given the task of reconciling two potentially disparate sets of network security policies. It can be a trying task, to say the least, but fortunately there are a number of tactics that can help a company succeed in this challenging M&A process.
When walking through the policy-consolidation process, it's important to remember the effects that a merger may have on the mindset of participants. A company merger can create an atmosphere of uncertainty, doubt and fear, and the sudden changes to the corporate environment can cause quite a bit of stress among employees. So throughout the network security policy integration process, be mindful of the difficulty everyone is facing.
Let's take a look at some practical strategies that can be used to ease the transition:
Don't rush. Remember the adage: "Rome wasn't built in a day." Development of security policies is a complex undertaking, and it deserves a careful, methodical approach. Chances are that neither of the earlier security policies was written in a rush, so don't try to combine them in a hurried fashion either.
Consider all the options. There are basically three options on the table when consolidating the security policies of two different organizations: adopt one or the other wholesale, combine elements of the two into a new policy or write a new policy from scratch. When an organization begins the consolidation process, it's important to keep an open mind to all of these approaches, regardless of the circumstances surrounding the merger. Practically speaking, political considerations may influence an approach, but the entire team will benefit if the process is unaffected by these issues. For example, consider the case where two merging organizations have differing policies regarding the use of personal computers on corporate networks. One organization might prohibit it completely, while the other company might not impose any restrictions on such activity. The accepted action in this case might be to develop a compromise policy that allows limited use of such systems, provided they have passed an initial security controls test.
Involve a broad team. Policies written by a single person sitting behind a closed door are doomed to fail. Bringing a broad range of individuals (from both organizations!) to the policy-consolidation team ensures that multiple points of view are considered. Such an arrangement allows more individuals to feel a sense of ownership about the end result, making the organization more likely to accept the team's work. Consider again the case of a policy on connecting personally owned systems to the corporate network. If the organization decides to develop a compromise policy, having representatives from both organizations on the team will help provide all team members with a sense of ownership, increasing the likelihood of acceptance.
Communicate clearly. During any merger there's bound to be confusion, so it's critical that management communicates with employees about information security responsibilities. When consolidating policy, interim action should be taken to ensure that staff members know what is expected of them. On this matter, take a cue from the rest of the organization. Are the two organizations going to run with independent management structures for a period of time? If so, it may be possible to tell employees that they should simply follow the same security policies and procedures they've used in the past until they're instructed otherwise. Whatever the case, make points clearly and concisely, and communicate them throughout the organization.
Take a phased approach to change. If the consolidation of policies will result in dramatic changes to the way one or both companies conduct business, try to implement them in a phased fashion where possible. This will allow time for employees to adopt the new requirements in a measured way and will offer the opportunity to review compliance progress and ensure that the integration process remains on track. For example, if staff members want to impose content filtering on an organization where unfettered outbound access was previously the norm, it may be best to consider phasing it in: launching an initial phase that blocks only the most egregious sites, followed by a notification phase where users are warned that the content they are accessing would be blocked under the new policy. This gives users the opportunity to test the waters and identify areas where the new policy might interfere with business requirements.
Company mergers result in a myriad of technical and business challenges. Consolidating network policies, however, is not always about technology. Successful M&A resolutions require effective communication with the two different organizations, as well as careful decisions that keep both sides' policies and staff in mind.
About the author: Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in June 2007