Q. I am the Chief Information Security Officer at a company that is acquiring a major competitor under hostile conditions. There is clearly a lot of animosity on the part of the management and employees and, therefore, many concerns about the likelihood of damage to systems and information. What security controls would you recommend we put into place at this point – and later – to mitigate the potential for damage during the due diligence phase prior to the acquisition, as well as afterwards?
A. This is a good question and one that should be taken into account on every acquisition, because while most of management and employees will seem congenial, there is always some uneasiness and even animosity. One has to keep in mind that a change is occurring to the people within the acquired company. They are questioning what their role will be, whether they will even have a role, and for how long. That in itself creates a lot of tension for both parties. When assessing the situation as to what controls should be implemented, there are a couple of questions that need to be answered:
First, what are the actual threats and to what?
• Is there a threat of data/information exposure to external sources?
• Is there a threat that the acquired company will sabotage its own systems?
• Is there a threat that the acquired company will sabotage the acquiring company's systems once connected?
Secondly, what phase is the due diligence process in? The related controls you put in place depend on it. Meaning, is the due diligence being done to determine whether the acquiring company still wants to acquire, or has the company already been acquired and the due diligence is for the integration of IT?
The controls you put in place will depend on these answers, which will also determine what authority you have to implement the required controls and when. In essence, the controls you normally use to protect information within your company are the same ones needed for mergers and acquisitions (M&A). The only difference is that the controls during an M&A should be stricter and more firmly enforced. My position has always been to treat, manage and control every acquisition in the same consistent manner (i.e., tighter controls at first, then loosened as the threats are mitigated), because you never know what will happen. This translates to: control changes to the infrastructure, modify authentication/authorization to systems, and implement monitoring capabilities to validate what is going on.
One key point I have not touched on is the business approval of recommended controls. To truly be successful, the business must approve the controls you intend to implement. The business needs to be informed and educated as to what impact these controls will have on productivity and how they will assist it. Always remember that while the business has concerns about risk, its first priority is making money; it needs to be on board with the controls you plan to implement. Once you have the authority to move forward, you generally want to place a freeze on changes and ensure that there is a good change management process in place to account for any alterations during the integration. Additionally, given the ability to do so, implement monitoring technologies to flag unapproved activity and/or changes to the infrastructure. Both of these controls, change management and monitoring, are ones that you, as the acquiring company, will want and need to manage. Additional controls that should be incorporated are:
• Identify/secure all critical systems
• Identify/secure all critical data/information
• Identify/secure key employees
• Restrict access to the identified critical systems to only those who need it, and include someone from the acquiring company.
This way you have a clear picture as to who has the ability to modify systems and, therefore, who to hold accountable. While some of this may sound harsh and distrustful, the reality is that it is vital to success, as you are most likely being held accountable for the secure and uninterrupted integration of this new business.
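As an added illustration (not from the original answer) of the change-freeze, change-management and monitoring controls described above, the following Python flags change events that occur during the freeze without an approved change record, that cite a record not covering that system and actor, or that come from an account outside the restricted access list for a critical system. The freeze window, change records, access list and log lines are constructed sample data, and the system and account names are hypothetical.

```python
from datetime import datetime

# Constructed (hypothetical) control data: freeze window, approved change records
# from change management, and the restricted access list per critical system.
FREEZE_WINDOW = (datetime(2024, 3, 1), datetime(2024, 3, 31))
APPROVED_CHANGES = {
    "CHG-1001": {"system": "erp-db01", "actor": "acq.admin",
                 "window": (datetime(2024, 3, 1, 22), datetime(2024, 3, 2, 2))},
}
ALLOWED_ACTORS = {
    "erp-db01": {"acq.admin", "tgt.dba"},  # includes someone from the acquirer
    "fw-edge01": {"acq.netops"},
}

# Constructed sample change log: "<timestamp> <system> <actor> <action> <ticket|->"
SAMPLE_EVENTS = """\
2024-03-01T23:10 erp-db01 acq.admin schema_change CHG-1001
2024-03-01T23:40 erp-db01 tgt.dba schema_change -
2024-03-05T09:15 fw-edge01 tgt.netops rule_change CHG-9999
2024-03-06T11:00 fw-edge01 acq.netops rule_change CHG-1001
"""

def parse_event(line):
    ts, system, actor, action, ticket = line.split()
    return {"ts": datetime.fromisoformat(ts), "system": system, "actor": actor,
            "action": action, "ticket": None if ticket == "-" else ticket}

def review_event(ev):
    """Return the control violations for one change event (empty list = approved)."""
    findings = []
    if ev["actor"] not in ALLOWED_ACTORS.get(ev["system"], set()):
        findings.append("actor not on restricted access list")
    chg = APPROVED_CHANGES.get(ev["ticket"])  # None for "-" or unknown tickets
    if chg is None and FREEZE_WINDOW[0] <= ev["ts"] <= FREEZE_WINDOW[1]:
        findings.append("change during freeze without approved change record")
    elif chg is not None and (chg["system"] != ev["system"] or chg["actor"] != ev["actor"]):
        findings.append("change record does not cover this system/actor")
    elif chg is not None and not (chg["window"][0] <= ev["ts"] <= chg["window"][1]):
        findings.append("change outside approved window")
    return findings

def flag_unapproved(log_text):
    """Map each flagged log line to its findings; fully approved events are omitted."""
    flagged = {}
    for line in log_text.splitlines():
        findings = review_event(parse_event(line))
        if findings:
            flagged[line] = findings
    return flagged
```

Feeding the monitor's output into the change-management review gives the acquiring company the "who changed what, and was it approved" picture the answer calls for.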
In summary, the most important controls to put in place as soon as permitted are change management, access control and monitoring, to ensure all processes are being followed appropriately. Other than that, the only other option is to take full control of the systems, but this has major ramifications for both parties. M&A integrations are challenging tasks and no two are the same. This is why it is important to establish a solid foundational approach with consistent controls to be used for all of them.
Answer provided by: David A. Meunier, CISSP, HISP – Security Executive Council Content Expert Faculty