CSOs: Mix Masters

Get involved early, and often, in your company's M&A strategy. If you leave security planning until the end, you may not have enough dollars in your budget to get you where you need to go.

What do you think about when you hear the word merger?

Maybe it conjures up notions of ROI. Perhaps it makes you think about market share or combined assets. It most certainly leads to thoughts of change and chaos. But, for most executives, security is probably not top of mind.

It should be. Bringing a new company into the fold, or being absorbed by another company, can be an untidy procedure where the goal is usually "let's just get through this thing." And despite best-laid plans, anything can happen. When better to think about security?

Yet, if your company is anything like the ones we've talked to, you're sure to face an uphill battle when trying to get your security agenda into your company's merger and acquisition strategy. It's crucial, however, that the CSO get in on the M&A process right from the start. Addressing security issues early can help lay the foundation for a stronger, more efficient security organization once the M&A is complete. And doing so can help thwart digital intrusions, social engineering and threats from disgruntled employees during the final integration process. Sometimes early involvement can even prevent your company from doing business with a company whose ethics or corporate practices aren't up to your standards.

"Companies that don't allow security to play a major role in M&A plans are putting themselves in a position of increased risk," says Lynn Mattice, director of corporate security for biotech company Boston Scientific's global operations. In fact, there's evidence that, if the CSO has a voice early in the M&A process, he can actually help make the merger cost less for the company. "With enough due diligence, the CSO can help an already preoccupied CEO and executive board know as much about the target company as they know about their own company," Mattice says.

Do Diligence

It's easy to sum up why CSOs need to get involved in M&As: risk reduction. Merger or not, it's the aim of any security officer. But it becomes an especially important task when you're talking about joining forces with another company. If you don't do your homework, you can end up losing instead of adding value to the business, which is what the M&A is all about.

What does "managing risk" look like when considering a merger? For starters, the CSO should look at where the target company operates. A merger may mean you expand operations into new countries, some of which could have high-risk environments. If so, you'll need to incorporate specific evacuation and business continuity plans into the merger plans.

Also, CSOs should explore the target company itself. What is its reputation? Has there been any evidence of government payoffs? All U.S. companies with operations abroad must comply with the Foreign Corrupt Practices Act (FCPA), an antibribery law that prohibits U.S. companies from paying government officials in foreign countries to facilitate doing business. If staffers of a target company are discovered to have worked with dishonest business brokers at any time, even if they didn't know it, both that company and the purchasing company can be prosecuted. "You have to be very, very careful when investigating [another company's] compliance with the FCPA," says Mattice. "Buying or merging with a company that's in violation of the FCPA means you'll probably be inheriting an investigation by the Securities and Exchange Commission or Department of Justice down the line."

What's the cost of keeping the company and its employees safe? In some countries, the cost of providing security can add up to 20 percent of operational costs, says Bobby Gilham, manager of global security for Conoco/Phillips.

And it's not enough to collect data about the potentially blended enterprise; you must gather and analyze the information early in the process. "Budgeting for security is like building a house," says consultant John McCarthy, former director of corporate security for Texaco. "The last thing to go up is the roof. If you don't budget enough money for that roof, then you'll end up with a leaky roof that doesn't cover you entirely," he warns. "Likewise, if you wait to look at the company after everything is put together, you'll understand why security should have been a priority. That's when the CEO will want your opinion about what should be done to build the security organization. But the budget plans and priorities will have already been set, so you won't get what you need because it would require a budget overhaul."

McCarthy, who weathered three different mergers while at Texaco and was involved in the company's partnership with Shell in the late 1990s, says he insisted on getting involved early in the process to avoid such budgetary problems. "You can't be a shrinking violet," he says, because ultimately an inadequate security budget could leave the new entity vulnerable in many ways. "The more information you have," McCarthy says, "the better you can help protect the company's, and its shareholders', interests."

If you're worried that we're suggesting you do the kind of work that requires sifting through financial records or legal compliance histories, relax. Those tasks are typically handled by the legal and accounting teams. Instead, for the CSO, due diligence means delving into the fine print of how the target company operates on a global scale. Ask what security practices, if any, the target company already has in place. What are its vulnerabilities? How effective are its IT protections and access control systems? Does it have controls to protect intellectual property? Does it educate employees about ethics? Will the merger create operations in new countries? If those kinds of questions are explored early in the process, Gilham says, a CSO can get a clear picture of what it will cost to upgrade (or, if necessary, create) a new security system.

Of course, it's clear why more information is better than less. And knowing about security issues up front can keep you from scrambling for budgetary crumbs later. But can your efforts to dig deep into an M&A project really help to reduce the costs related to that merger?

"Absolutely," says Mattice. With enough information prior to making an offer, the cost of related security can be factored into the actual costs of the M&A. "It's much more valuable if your CEO can go in with a lower bid because it's understood ahead of time what it will cost to protect the company," he says. "That's where the savvy CSO can help minimize costs."

And then, by tying the costs of security to the venture instead of making it a new item on the capital budget, the dollar amount has a different tax treatment. "That way, you don't have to go back and fight for those budget dollars later on," says Mattice.

Getting Down to Business

Even if you have a clear idea of the work that lies ahead in the nascent entity, you'll still face the task of actually creating the new security organization once the M&A is underway. That is a delicate process because the new security structure is based on at least two separate departments, each with its own culture, processes and functions. As in any situation where multiple entities become one, the likelihood is high that toes will get stepped on.

To understand what the new security structure needs to be, security leaders from both companies should determine what their current security organization offers, says Gilham. "Be willing to share ideas," he says. "Start with a blank slate and try to picture what the new organization will look like. Then ferret out the gaps in what security is doing right now versus what it will need to do later."

When Conoco and Phillips began to discuss their possible merger in November 2001, Gilham (then manager of global security at Conoco) met with his counterpart at Phillips to begin the transition. Both men noted the different ways in which the two companies ran on a day-to-day basis. On the security side, Conoco had a larger global security organization that was involved in scoping out new business opportunities and working to protect domestic refineries. Phillips' security department was primarily focused on the company's domestic presence. Because the potential new company required attention to domestic and international operations, Gilham was given the go-ahead to expand the new security department in both size and function. He also kept an eye on cutting costs. For example, Conoco had global security centers with 24-hour operations in three states, and Gilham consolidated the centers to one location. He made careful decisions about whether to keep in-house such services as access-control monitoring, for instance, or to hire more building guards. He also created new positions: a full-time global security analyst, for one, whose job it would be to stay current on international events, manage travel approvals for high-risk areas and give guidance to the company's divisions overseas. Gilham also worked with the human resources, marketing and loss-prevention departments to facilitate an interdepartmental effort regarding security.

When it came to managing the transition of the security personnel, Gilham met with the security employees from both Phillips and Conoco to assess their career goals. He discussed with them their vision of where they fit into the new organization and whether they were willing to relocate (Phillips was based in Bartlesville, Okla.; Conoco in Houston, where the merged company is now headquartered). "You have to find out if people really want to be part of the new company and if their skills fit the new organization's needs," Gilham says. "Not everyone's will. And you have to handle each situation with sensitivity." Gilham also looked at who was eligible for retirement or severance packages. "These are good people, and I wanted to treat them well," he says.

Let's be honest. Mergers usually mean job cuts, and no one likes working under the shadow of the ax. And uncertainty can wreak its own brand of havoc. As a leader, it's up to you to keep the situation under control. Boston Scientific's Mattice offers the following advice to prevent or reduce the kind of employee fear and anxiety that often leads to people taking a swipe at their company's intellectual property or IT systems, and to ensure a smooth merger for both companies.

1. Communicate regularly. A company that respects its employees, communicates with them and keeps them updated on the status of the merger is at a much lower risk for internal threats than a company that appears uncaring and impersonal. Helping people and treating them with respect is the best way to protect yourself from the repercussions of employees' anger or fear.

2. Protect your assets. It's essential that all senior executives are aware of the potential for employees to launch an attack against the network. And you want to do everything in your power to prevent someone from walking away from the company with any intellectual property. CSOs should make certain that access-control systems are up to par. Plan ahead with your HR department to assess if a security representative should be present when an employee is informed of a layoff.

3. Get it in writing. When dealing with the inevitable (and not always voluntary) departure of employees after a merger or acquisition, have them sign mandatory noncompete agreements, Mattice recommends. Companies should also provide outplacement services and, in some cases, counseling for employees who may need help adjusting to the change.

4. Emphasize the ethical. For the employees who stick with the company, it's important to establish a culture emphasizing ethical business procedures. Make it clear to everyone what the philosophy of the new company will be and how you expect people to operate. The best way to mitigate any internal risks or misunderstandings is to have each employee sign an ethics statement.

"How many times has a CEO said, 'If I had only known...,'" Mattice says. "That's where the CSO's real value lies. You're one of the main sources of need-to-know information. Otherwise, it's all just a roll of the dice."

Copyright © 2003 IDG Communications, Inc.
