Six ways to protect your systems in a merger

17.01.2007
Mergers and acquisitions present extra challenges for IT network security. Inevitably, a merger combines security organizations with different security philosophies, policies, technologies and needs. "If one company has a policy that all security needs to stay in-house and the other has outsourced its security apparatus, obviously they have a conflict," says Chris Ellerman, national security practice director at Dimension Data North America.

And that presumes that the merging organizations are in the same vertical industries. When the merger crosses verticals, the differences can be even greater and in some cases aren't completely reconcilable. "I've seen mergers that resulted in two divisions permanently operating on different security levels on a single IT backbone due to the requirements of their vertical industries," Ellerman said.

Ellerman offered the following tips for organizations that are either preparing for possible mergers in the coming year or are now involved in a merger process.

1. Do not approach a merger of security systems lightly. With so many security device vendors in the market, each partner in the merger will almost certainly have a very different mix of security devices and technologies, even if their business structures and IT infrastructures are otherwise similar.

"Security is often linked directly to specific applications," Ellerman said. "Disrupting those security systems can shut down vital business services, possibly bringing the business of one of the acquisition partners to a halt. Obviously, you cannot do that." Instead, he recommends that the two organizations continue to operate separately, possibly with extra security in the links between their IT organizations, while a security team that should include experts from both organizations evaluates the situation.

2. Enter the merger with a plan. "Companies like Oracle that are experienced in handling acquisitions have a plan that they can put into effect the day the merger is finalized," Ellerman says. "Based on the size of the acquisition, they can call their vendors and order the devices they need as soon as they are notified of the merger. The speed with which these organizations can absorb a new acquisition can be astounding."

3. Start with a self-assessment that focuses on identifying business drivers. When global consultant Dimension Data is called in to aid in the process, it begins by facilitating a daylong self-assessment that focuses first on identifying the business drivers in each of the merger partners. Usually key members of senior business and IT management from both partners -- including both CIOs and representatives from both CEO offices -- are among those involved.

By the end of the day, they have a clear understanding of the key elements of each organization's security policies and posture, including their weak points, and the business logic behind those infrastructures. This becomes the basis for defining a target state for the eventual merged security operation. Senior management is open to participating in this exercise because they want the results to reflect the needs of their postmerger business plan.

4. Identify key security personnel from the acquired organization and get them on the team. This should not be allowed to degenerate into an "us vs. them" war of internal politics. "After all, who knows the acquired entity's security architecture, and its weaknesses, better than their CSO?" Ellerman said. "You certainly hope that the goal of the acquisition for the IT organization is more than just acquiring more equipment. You want to integrate the best people from both organizations to create the strongest possible IT department, and that includes the security group."

Outsourcing IT security is a common strategy today, and if one of the organizations has outsourced its security, then the service provider's security team obviously needs to be involved at this point. These individuals are usually very experienced because the outsourcer provides security for numerous clients, often in different verticals, and that knowledge can be very valuable.

Often in this case the merged company ends up outsourcing security for both parts of the acquisition, provided that the service provider has good relations with the organization it originally worked with. However, that is not the only possible strategy, and management should evaluate taking security in-house or leaving the situation as it is, with one organization's security outsourced and the other's not, before making a final decision.

5. Proceed with caution. It's not uncommon for the two organizations in a merger to be operating at different security levels. One, for instance, may require two-factor authentication to access its network, while the other uses simple password authentication. Until the security infrastructures can be merged and the organization with the lower security brought up to the higher standard -- presuming that is the eventual plan -- the company will want to add controls at the network links between the two organizations, treating the organization with the lower security level as a semitrusted partner: its traffic is allowed through only to the specific services it needs, and everything else is blocked and logged.

If the two organizations are going to remain as separate divisions and not be merged -- and particularly if they operate in two different verticals with different security needs -- this arrangement may become permanent. If the two organizations are to be merged at the operational level, the team will want to impose a standard set of security technologies wherever possible. However, they need to be careful to minimize disruption to business processes during the transition.
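One concrete form the "semitrusted partner" arrangement above can take is an interconnect firewall between the two networks with a default-deny forwarding policy and an explicit allowlist. The nftables ruleset below is an added illustration for this article; it is not a configuration from Dimension Data, from the companies mentioned, or from the original text. The interface names (acq0, corp0), the address ranges, the shared-service hosts and the jump host are all assumptions chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Hypothetical interconnect firewall between the acquirer ("corp", which
# requires two-factor authentication) and the acquired company ("acq", still on
# password-only authentication). Interfaces, addresses and ports are assumed.

flush ruleset

table inet interconnect {
    # Services on the corp side that acq users are permitted to reach, and
    # only on the listed ports (assumed values).
    set corp_shared_services {
        type ipv4_addr . inet_service
        elements = { 10.10.5.20 . 443,     # shared intranet portal (assumed)
                     10.10.5.30 . 25 }     # mail relay (assumed)
    }

    # Single corp-side jump host from which the joint security team assesses
    # the acquired network (assumed address).
    set corp_jump_hosts {
        type ipv4_addr
        elements = { 10.10.250.10 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to permitted connections; drop anything conntrack cannot place.
        ct state established,related accept
        ct state invalid drop

        # acq -> corp: the acquirer's management network is never reachable
        # from the lower-security side; log attempts, they indicate probing
        # or a compromised acq host.
        iifname "acq0" oifname "corp0" ip daddr 10.10.250.0/24 \
            counter log prefix "ICX-MGMT-DENY " drop

        # acq -> corp: only the allowlisted host/port pairs, new flows only.
        iifname "acq0" oifname "corp0" ct state new \
            ip daddr . tcp dport @corp_shared_services accept

        # corp -> acq: limited to SSH and RDP from the jump host so the
        # assessment team can work without opening the acquired network wide.
        iifname "corp0" oifname "acq0" ct state new \
            ip saddr @corp_jump_hosts tcp dport { 22, 3389 } accept

        # Everything else crossing the interconnect is logged, then hits the
        # chain's drop policy. The counter gives a quick view of how much
        # traffic the two organizations are trying to exchange outside the
        # agreed services, useful input when planning the eventual merge.
        iifname { "acq0", "corp0" } counter log prefix "ICX-DENY " drop
    }
}
```

Load it with `nft -f` on the interconnect host and watch the ICX-DENY log prefix for a few days before tightening or widening the allowlist: the dropped flows show which business processes actually span the two networks, which is exactly the disruption question item 6 below asks you to answer before changing security levels. As the lower-security organization is brought up to the higher standard, the allowlist can grow or the interconnect can be removed; if the two divisions stay permanently separate, the ruleset stays as the standing boundary between them.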

6. Evaluate the impact of planned changes in security procedures and levels before implementing them. Security is always a trade-off between protection of and access to the information and applications that the business needs in order to operate. The most secure system, as security experts are wont to remark, is one that is totally disconnected from everything in a locked vault that no one can access. But such a system does the business little good.

When evaluating security policies, levels and technologies, it's important to ask some key questions: How much disruption will this cause in the business? How much will the extra time and effort required to access IT resources cost the company? Is the added protection worth the price in terms of its impact on how the business operates? Is higher security justified by the extent of the risk or by compliance issues, despite the disruption it may cause?

Just because one of the merger partners operates at a higher security level than the other, that doesn't automatically mean the higher level is the better option for the merged organization. Management must evaluate all the sides of security issues to make the best overall decision for the company.

Bert Latamore is a journalist with 10 years' experience in daily newspapers and 25 in the computer industry. He has written for several computer industry and consumer publications. He lives in Linden, Va., with his wife, two parrots and a cat.