• United States




Supporting business transformations – mergers and acquisitions

Oct 23, 20173 mins
Data and Information SecurityIT LeadershipMergers and Acquisitions

Often, a CISO and security is not part of the planning process for a merger or acquisition. In the fast pace of executing a business deal, security details and priorities can be overlooked.

porting converting merge switch train track
Credit: Thinkstock

After taking a look at the top concerns of most Chief InfoSec Officers (“Aligning security with changing business strategy, goals and objectives“), it’s time to examine why CISOs should play an integral role when an enterprise undertakes a merger or an acquisition.

Most organizations strive for growth, but when a merger or acquisition happens too quickly, issues can arise. Company growth often causes growing pains and security-related issues that may or may not have been factored into a merger and acquisition process and an enterprise’s overall growth strategy.

Often, a CISO and security is not part of the planning process for a merger or acquisition. In the fast pace of executing a business deal, security details and priorities can be overlooked.

In addition, many companies continue to underestimate the true security and privacy cost implications of a targeted acquisition or merger. For example, many companies have operating systems that are out of date and contain numerous vulnerabilities. If those systems are not corrected or replaced prior to the merger or acquisition, that raises the risk of an expensive data breach that could also cause harm to a company’s brand image.

When companies identify an acquisition or merger target, security should be part of the initial discussion and during the due diligence phase. A CISO should be prepared to outline and implement plans to mitigate risk during the merger and acquisition process.

From a business transformation perspective, changing processes and procedures without a security plan in place could create vulnerabilities and exploitation paths that could be leveraged by external or internal malicious actors, which can also increase the reputational risk of the target company. By including security early in the discussion, security can create a viable security plan to reduce the risk through the negotiation process and the on-boarding process, as shown in the graphic here.

From an integration perspective, companies are most vulnerable as they begin to integrate systems and combine enterprise resources and structures. IT resources are tasked with integrating systems by a specific date. Security should be involved to make decisions that include whether or not to disable or remove security controls to eliminate barriers from the integration activity. In addition, it is essential to document all changes that have been made and turn a control back on once the integration activity is complete. IT personnel are responsible, but sometimes they miss turning security controls back on after an integration problem has been solved, Having security resources involved helps minimize the risk of holes being opened during transformation activities.

As a CISO, you should also be asking questions such as: are there proper security safeguards in place to ensure that if a security-related event occurs during the transition period that the enterprise and its brand will not be negatively affected? What is the outlook for the expansion for the security enterprise, and will the organization need to allocate more resources to it? How will the new organization’s expectations, standards and structure impact the security function?

In a merger of acquisition, a CISO should be involved with as much weight as other business units to identify and mitigate security risks, and to help a company achieve its goals and maximize value.



John Petrie is Chief Information Security Officer of NTT Security, responsible for information security strategy and security program management. Prior to NTT Security, Jon held senior information security and consulting roles at IBM, Harland Clarke Holdings Corp, and the University of Texas Health Science Center, San Antonio.

A graduate of the Defense Intelligence College, he maintains ties to the intelligence community as a charter member of the Marine Corps Intelligence Association.

The opinions expressed in this blog are those of John Petrie and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author