Six ways to protect your systems in a merger

17.01.2007

3. Start with a self-assessment that focuses on identifying business drivers. When global consultant Dimension Data is called in to aid in the process, it begins by facilitating a daylong self-assessment that focuses first on identifying the business drivers in each of the merger partners. Usually key members of senior business and IT management from both partners -- including both CIOs and representatives from both CEO offices -- are among those involved.

By the end of the day, they have a clear understanding of the key elements of each organization's security policies and standing, including their weak points, and the business logic behind those infrastructures. This becomes the basis for the definition of a goal-state for the eventual merged security operation. Senior management is open to participating in this exercise because they want the results to reflect the needs of their postmerger business plan.

4. Identify key security personnel from the acquired organization and get them on the team. This is not, and should not be allowed to degenerate into, an "us vs. them" war of internal politics. "After all, who knows the acquired entity's security architecture, and its weaknesses, better than their CSO?" Ellerman said. "You certainly hope that the goal of the acquisition for the IT organization is more than just acquiring more equipment. You want to integrate the best people from both organizations to create the strongest possible IT department, and that includes the security group."

Outsourcing IT security is a common strategy today, and if one of the organizations is outsourced, then the service provider's security team obviously needs to be involved at this point. These individuals are usually very experienced because the outsourcer provides security for numerous clients, often in different verticals, and this knowledge can be very valuable.

Often in this case the merged company ends up outsourcing security for both parts of the acquisition, provided that the service provider has good relations with the organization it originally worked with. However, that is not the only possible strategy, and management should evaluate taking security in-house or leaving the situation as it is, with one organization's security outsourced and the other's not, before making a final decision.