By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services
Companies are constantly seeking opportunities to grow and expand their business, increase competitive edge and drive market value. For many, this encompasses merging with, or acquiring, other companies. Businesses are making big bets with enormous investments in hopes of being more than the sum of their parts.
Delta Air Lines’ $2.8 billion acquisition of Northwest Airlines in October 2008 made it the largest carrier in the world. However, this pales in comparison to the $19.6 billion offer Cadbury accepted from Kraft in January, despite being wooed by Hershey, a direct competitor. The list of M&A activities is long, particularly for the first decade of the 21st century, thanks in no small part to the global economic turmoil.
Regardless of how similar two companies may seem when they shake hands, it’s a complicated and challenging process to assure a meaningful union. An important, underlying factor in realizing the vision of the merger’s architects is information security. Information technology is a critical capability in virtually all companies today, and during the early phases of a merger, these environments are brought together to promote business integration. From a security perspective, the understanding and predictability of the security posture established in each organization are greatly disrupted, which can cause confusion at best and introduce new risks at worst.
Security practices of one organization may not be similar to the other, and in most cases are not, creating a security posture initially founded on the lowest common denominator. Security groups will seek to gain situational awareness to formulate a security strategy to encompass the new combined environment. Meanwhile the business demands rapid, unfettered transformation and harmonization in order to exploit investments, which places a great deal of pressure on security groups to move quickly and effectively.
In many ways, security challenges of this nature are unavoidable in large scale mergers, but that doesn’t mean they have to be disorganized, confusing or disruptive to realize the vision of the merger.
What can companies like Kraft and Cadbury, who are in the embryonic stages of a merger, do today to prepare for the challenges that lie ahead? Here are six basic steps that should be at your fingertips at the onset of a merger:
- Establish an M&A security committee – Bringing together representatives from each organization to discuss, plan, communicate, and guide the integration of security is paramount. Executive management, legal representation, human resources, and IT management should be included with the security leadership team in the committee.
- Ensure security monitoring – Gaining security visibility, at least into the perimeter networks, is essential. A high priority is to protect the environment from attack. Attacks – whether from hackers or malware – can greatly impede an already challenging process and contribute to confusion.
- Limit legal exposure – Compliance, or more specifically, non-compliance, can represent undue strain on companies coming together and can add unpredicted cost to the merger. Security groups should quickly move to determine the state of compliance and create common practices that can be employed by resources throughout the environment to document current conditions, identify gaps and report back to the committee to feed an action plan.
- Evaluate and compare security policies – Security policies typically embody the security culture, perspectives and expectations of a company. Reviewing the policies from both organizations to compare them and ultimately lay the groundwork for a unified policy is an important first step in understanding the scope of the challenges that may lie ahead, and such a review can lead to an effective integration plan.
- Establish a security standard – Although security standards will exist for each company, it will be necessary to create a collection of security standards specifically related to integration activities in other parts of the business. At this point, it is not necessary to be overly concerned with the longevity of the standard, given its single, short-lived purpose. The goal is to ensure alignment with expectations in tactical operations. For example, what specific security requirements must be considered when establishing network connectivity, providing access to an application or making changes in key systems?
- Federate identity and access management – One of the first demands from the business in the IT space will be around sharing resources. Providing access for one community to the systems and services of another, similar community is not only inevitable, but necessary for the business to address strategic merger initiatives. It is important for the security and IT groups to come together to develop a strategy to unify user credential management systems. If this is started too late in the process, teams will have much less time later to approach the solution in a comprehensive manner.
Of course, there are many other actions that will need to be taken throughout the merger to ensure security remains effectual for the business. However, the intent here is to get to the basics. During a merger, there are thousands of issues that surface regularly, and each will seem to have a priority.
Therefore, the most difficult challenge that security management faces is to maintain focus. If you’re not careful, you can become distracted by important, but not necessarily critical, activities that draw your attention away from the strategic and fundamental aspects of security. So make certain security plays its part in ensuring the merger reaches its full potential.

