More than once I've had the shock of arriving at work to learn that a newly acquired company was connected to the...
network the prior evening. Instantly, the mind starts racing: Where did it get connected? How was it connected? What access was granted and to whom?
The overarching concern is how much additional risk was just created for both businesses, and it's a concern we all share once a merger or acquisition takes place.
In my experience with mergers and acquisitions--and I've had plenty--the solution has been to connect the new business directly into the core network as quickly as possible. But, that's the wrong solution.
Such swiftness prevents the comprehensive security assessment needed to understand what risks are being taken on with the addition of this new network. Standardization of hardware and consolidation of processes also are often left to be completed post-connection. That's dangerous, as the known risk in the business is now compounded with the additional unknown risks of the other business.
The challenge, then, is how to integrate the two infrastructures quickly and securely. Prior to initial connectivity, an assessment of what risks exist within the acquired business and an analysis of what it will take to mitigate those risks need to be conducted. Those risks include everything from disgruntled employees to network hackers/crackers that impact resources.
Three key management areas should build a platform for success:1. An IT security assessment and management process is mandatory to consistently analyze risk across many integrations, provide recommendations, develop an initial connectivity solution and manage the process to completion. Risk mitigation management is typically where integrations fail because no one owns the accountability for ensuring the recommendations are completed.
2. Early engagement in the due diligence process is critical: The sooner IT security can assess the infrastructure and develop a connectivity solution, the better; more time allows for better analysis, development of a solid solution and acquisition of hardware. All applications are not equal, and early engagement provides time to determine key critical applications (i.e., e-mail or intranet) that need connectivity first. Providing access to key applications relieves other integration time crunches.
3. Commitment and buy-in from executive-level management is vital. Businesses acquire or merge with other businesses for multiple reasons, but the one common requirement is to leverage the benefits quickly. You need to sell IT security as an enabler by focusing on business requirements, providing a cost-effective connectivity solution and ensuring regulatory compliance via an assessment.
IT security is no longer just a technology solution, but a vital management asset and requirement. The business folks need to understand that they play an important role in helping to secure and protect. With forethought, planning and executive support, risk can be reduced--not compounded--prior to connecting two networks. Ultimately, you will stand a better chance at protecting the businesses and brand names during the integration, which is exactly what you want--a chance.
David A. Meunier, CISSP, is vice president and CISO for Wisconsin-based CUNA Mutual Group.