David Malicoat

From people and organizations, to strategic alignment and governance, the complexity of M&As can be overwhelming. But more importantly, it can be a major security vulnerability for both companies coming together.

Today, the three biggest IT security risks in an M&A are:

Security postures. When you bring two organizations together that have different approaches to securing data, there’s a significant chance that you will create gaps. Prior to executing an M&A, organizations have a unique security profile and most likely secure their data differently. As you bring them together, you might create security holes that can be manipulated, jeopardizing the entire process. That said, rule number one in M&As is to never sacrifice your security posture. You need to have tight controls over how the two companies come together and share their data every step of the way. Knowledgeable security architects from each organization should be at the table very early in the engagement.

Data classification. It’s not uncommon for companies to classify their data differently, so establishing a common taxonomy of how data is regarded and classified is critical. For example, company A may classify its sensitive data as “classified/internal use only,” while company B may label those files “restricted.” You have to understand where the data exists and its importance, and make sure that both organizations arrive at a common method of classifying information.

Security technologies. Technology can be a major risk as it determines the efficacy of your controls. In M&As, it’s common to find duplication, but also gaps. You should ask: What are the security capabilities of each organization? Does one organization possess a higher maturity in a specific security domain or domains? How do we bring these strengths together in the best way to ensure a robust and effective security program? Do both organizations have intrusion prevention systems? Do they have security information and event management (SIEM)? A thorough review is in order to ensure that you have the right capabilities for the necessary controls.

Ultimately, it all comes down to priority.

IT leaders need to involve their security teams from day one and see to it that IT security is woven into every stage of the integration process. This means making sure each organization defines a process where they understand their risks and vulnerabilities, as well as the security controls at their disposal to mitigate them.

Finally, re-evaluate and retest your controls every step of the way as the merger or acquisition progresses. Be prepared to make adjustments to ensure your security posture remains sound without creating new security headaches.


David Malicoat
CISSP

David has over 20 years of experience with IT service delivery, with a track record in transformation and transition, IT cost optimization, sourcing, global operations, vendor management, strategy implementation, and data center migrations. He develops inventive opportunities for leveraging IT, in order to improve operational excellence and create competitive advantage.
