In all stages of the economic cycle, one business activity seems to be constant: mergers and acquisitions (M&A).
As a technology company with a global footprint and growth as a strategic objective, we acquire companies often enough that our team has put into place protocols that govern how our IT and security teams approach each acquisition integration. And we've given considerable thought to the most important things security professionals must consider when managing an acquisition.
Below are our top recommendations for improved security in the age of acquisitions.
1. Engage security early: Make sure IT and security are represented during the due diligence phase of a potential merger or acquisition. Because a possible merger or acquisition is so sensitive and the need for confidentiality is paramount, it's not unusual for growth development executives to insist that the initial due diligence team be kept small. By developing relationships with those who identify and assess potential targets, you can educate them about the importance of involving representatives of your technology and security teams early.
2. Create a framework of standard processes for use during and after an acquisition: This can make a significant difference for your own teams. Each acquisition is different, of course, depending on your country, industry, employment and market situation. But when it comes to security, there are enough consistent requirements to develop a framework of basic steps that you can follow and customize as needed.
3. Establish relationships with the target company: Often, relationships are key to being able to reach an agreement on how important certain risks are, which ones are solvable and which are not essential to address.
As early as possible, begin discussions with your counterparts at the target company to learn what security protocols they have in place and create an initial risk analysis. Establishing contacts at a relatively high level — on-site when possible — reassures the acquired company and helps you understand factors that may be unique to that business.
As you assess risk, learn to be thoughtful about what you determine to be non-negotiable. Working with your counterparts, prioritize the bottom-line non-negotiables and create a plan of action for each. Working with your counterparts in an atmosphere of trust and transparency will make those decisions easier and more effective.
4. Categorize and prioritize: Nothing can happen until the acquisition has closed, but if your relationships have been built and the information from your initial assessments is in place, you can go into the post-close period with a plan.
Some things need to be done in the first 15 to 30 days, while other items on your priority checklist could wait a year. These days, you'll rarely have to implement giant infrastructure changes all at once. With the advent of the cloud and other more modern security toolsets, you can do some level of security enhancement for an acquired company relatively quickly.
Guiding questions can include:
- How can you get some quick wins without impacting their business?
- How do you start to understand what they're doing relatively quickly without impacting them?
- Do they have sufficient workplace security procedures in place?
- What is the potential for external risk? A smaller acquired company may not have the resources to do some of the things a larger company can do.
- Where can you come in and quickly make a positive impact?
5. Take advantage of the cloud: Today, most companies' business infrastructure is at least partially in the cloud. That's good news from an IT and security perspective. Cloud-based systems can allow you to more quickly integrate the acquired company's processes and make changes with lower risk than if you were dealing with custom on-premises infrastructure. As the companies you look to acquire become more cloud-based, it can help you be more efficient and more effective in your post-merger IT and security integrations.
If both companies are using the same basic systems, like Microsoft Office 365, or if they are using cloud-based business processes, integration can be even easier. A lot of M&A activity in IT involves integrating back-office systems (e.g., sales, finance, customer service, HR systems). Because the cloud is elastic and built on more open interfaces, it is easier to merge or consolidate cloud-based systems.
New tools coming to the marketplace now make cloud-to-cloud migrations even easier. You can take advantage of those to accelerate some of the IT migration work that naturally comes with acquisitions.
6. Don't neglect training and education: From your assessments, you'll know how savvy the acquired company's workforce is about security. Everyone joining your company should go through a curriculum of compliance training as part of the post-merger integration. Security protocols, user education and awareness, best practices and acceptable use should all be covered.
In addition, you should introduce your new colleagues to your company culture, to which security and data security are central. And because they are inundated with information in their early months, try setting up an ongoing communications program to help them keep security top of mind.
Even with the best advance planning, acquisitions are always labor-intensive for both the acquiring and the acquired companies. By standardizing as many processes as possible, putting security at the center of planning and using the power of the cloud, you'll be able to manage most integrations with limited business impact to either company. And reducing the risk associated with M&A integration will contribute to your ability to expand and grow as a business.
Bob Bruns is chief information & security officer (CISO) at Avanade.