Corporate mergers and acquisitions are common, and information security professionals can be affected by the process like any other employee. Throughout the past 15 years, many successful or even market-leading companies have been acquired by larger entities that were looking to expand their offerings (and their earnings). In addition, the recession has spurred mergers and acquisitions in traditional industries, including financial services, health care, transportation and others.
When a company goes through a merger or acquisition, change is inevitable. To the information security professional, this can include changes in information security leadership, corporate commitment, key information security initiatives and business requirements. In addition to these, the way in which the organization views information security in general often changes. Information security can quickly go from a top priority with executive support to an afterthought, and vice versa.
An infosec pro's ability to manage his or her career through this change can be critical to one's professional future. What follows are some career success tips for managing this type of change.
Learn about the business
The time between an acquisition announcement and when a deal closes is significant. This process can traditionally take between 3-6 months. During this time period, make an attempt to learn as much as you can about the acquiring company's business, industry and why information security is (or is not) important to it. You can generally glean this information by reading press releases, mainstream news articles or quarterly reports (if the company is publicly held), that should help you uncover new business initiatives, past security events and the impact of regulations . The key is to read between the lines and ask yourself, "What does this tell me about the company's security strategy?" because while security may be rarely mentioned in these publications, it's not hard to piece together security strategy and philosophy from what is (and isn't) said.
As you do your research, begin to figure out how your specific strengths may be of value to them. For example, if the acquiring company has previously been a victim of an information security breach that involved theft of customer information, you may have specific skills that can directly benefit them. If you have recently been involved in implementing a DLP product, or if you have a background in computer forensics or incident response, your skills will have increased value. On the other side, if your company is a small regional bank that is being acquired by a larger financial services company, it is doubtful that your technical skills will not be duplicated. However, your knowledge of compliance with specific regulations may be unique and represent value. The key no matter what the situation is to identify the unique value you offer to the new business entity.
Independent of this, however, the more that you are able to learn about the business during this time, the more prepared you will be in terms of how the business operates, what the organization's infosec philosophy is and which people are likely the ones who will make key security-related decisions when the acquisition takes place. This preparation and education should provide you with a solid framework for future career decisions.
Don't rush to judgment
When an acquisition is announced, it is common to think about the effect it will have on your career. As information security professionals, we are programmed to think about risk and impact, and we often assume the worst. For example, when a large company purchases a smaller one, it is natural to think that the larger company will destroy the smaller company's culture, misunderstand the specific information security skills of its employees and force everyone to assimilate.
While these assumptions may turn out to be accurate, it is important to fully understand the business strategy behind the acquisition before jumping to your own conclusions. Many times, the strategy behind these acquisitions includes the acquirer's desire to purchase intellectual property and professional talent in a more efficient manner than it could otherwise, which can grant leverage to the employees of the company being acquired.
There may even be specific reasons why the skills of the information security staff may be critical to the company's long-term plan. For instance, the acquiring company has the framework for utilizing a greater breadth of your information security skills, and has the necessary resources to enable you to develop your career and support your goals. For example, large companies have broader customer offerings; if you have knowledge in a breadth of information security disciplines, like application security and network security, you may find that a larger company will see greater value in (and have greater application for) your skills, than either a specialized application security or network security company would.
Meet the management
During an acquisition there are two potential business management outcomes: Either your manager will remain the same, or your manager will change. If your department management remains intact, there is a good chance that you may have the opportunity to expand your role. However, if your management does change, you should not automatically assume it will negatively affect your information security career.
A new manager can provide an opportunity for professional development and career advancement, as he or she will come with different experiences, management styles and philosophies on information security. The better you are able to understand his or her way of thinking and managing and whether it's a good fit with your skills, personality and work habits, the better you will be able to determine if this change will be beneficial to your career.
For instance, the new manager may have a new mandate for the information security function that better aligns with your skills. Your new manager may also have philosophies around skill development and people management that align better with your goals and your work style. More specifically, you may have been frustrated with the amount of training that your past manager fostered, but your new manager may allow you discretionary budget to select information security-related training that aligns better with your interests.
It is important that you understand that managers are working through changes, too. They are under a good deal of pressure from new leadership to perform. If you can show your new leader that you appreciate this and attempt to make his or her transition easier by aiding the integration of the two information security groups, he or she will most likely appreciate your help, cementing your position as a valued member of the new team. One such tactic is to help the new manager understand the work environment and culture of your organization. You can do this by introducing him or her to key people in the organization (security, technology or business) who can ease the transition and enable them to be more productive. If you can be seen as a trusted resource, it's likely that you will receive better (and quicker) insight into the new manager's leadership style.
As information security professionals, we need to accept that mergers and acquisitions career management is a fact of life. Although these events cannot be controlled or predicted, they can be planned for. By dispelling preconceived notions and avoiding knee-jerk reactions, you can clearly evaluate these new opportunities for what they are: transitions that can have a positive effect on your career.