From people and organizations, to strategic alignment and governance, the complexity of M&As can be overwhelming. But more importantly, it can be a major security vulnerability for both companies coming together.
Today, the three biggest IT security risks in an M&A are:
Security postures. When you bring two organizations together that have different approaches to securing data, there’s a significant chance that you will create gaps. Prior to executing an M&A, organizations have a unique security profile and most likely secure their data differently. As you bring them together, you might create security holes that can be manipulated, jeopardizing the entire process. That said, rule number one in M&As is to never sacrifice your security posture. You need to have tight controls over how the two companies come together and share their data every step of the way. Knowledgeable security architects from each organization should be at the table very early in the engagement.
Data classification. It’s not uncommon for companies to classify their data differently, so establishing a common taxonomy of how data is regarded and classified is critical. For example, company A may classify its sensitive data as “classified/internal use only,” while company B may label those files “restricted.” You have to understand where the data exists, it’s importance, making sure that both organizations arrive at a common method of classifying information.
Security technologies. Technology can be a major risk as it determines the efficacy of your controls. In M&As, it’s common to find duplication, but also gaps. You should ask: What are the security capabilities of each organization? Does one organization possess a higher maturity in a specific security domain or domains? How do we bring these strengths together in the best way to ensure a robust and effective security program? Do both organizations have intrusion prevention systems? Do they have security incident and event management (SIEM)? A thorough review is in order to ensure that you have the right capabilities for the necessary controls.
Ultimately, it all comes down to priority.
IT leaders need to involve their security teams from day one and see to it that IT security is woven into every stage of the integration process. This means making sure each organization defines a process where they understand their risks and vulnerabilities, as well as the security controls at their disposal to mitigate them.
Finally, re-evaluate and retest your controls every step of the way as the merger or acquisition progresses. Be prepared to make adjustments to ensure your security posture remains sound without creating new security headaches.
David has over 20 years of experience with IT service delivery, with a track record in transformation and transition, IT cost optimization, sourcing, global operations, vendor management, strategy implementation, and data center migrations. He develops inventive opportunities for leveraging IT, in order to improve operational excellence and create competitive advantage.