Security Experts:

Managing Security and Network Implications of Mergers and Acquisitions

M&A Madness: Five Tips for Reconciling Your Data Security Posture When Going Through an Acquisition or Merger

M&A activity has been on the upswing over the past 18 months—highlighted by the Verizon-Yahoo merger, the LinkedIn acquisition by Microsoft, and the thousands of other agreements that may have flown under the radar. Market consolidations are in full effect as companies continue to combine resources and market share in an effort to drive efficiencies.

However, companies often neglect the security implications of their merger. After all, each company had theoretically been secure and in compliance before the merger. Why would the combined entity be any different?

Security Assessment During M&AIntegrating two disparate IT environments with varying security needs, policies, and infrastructures rarely satisfies the security requirements of the larger organization. It is a rare case of two plus two does not equal four.

Whether you are Microsoft buying LinkedIn, or a community credit union merging with a competitor, there are intricate security issues that need to be addressed. My company, Ixia, acquired six companies in the past eight years and was acquired by Keysight Technologies just a few months ago — so have first-hand experience on both sides of the fence. Needless to say, our integration team has had a busy two years of merging disparate networks and ensuring we are meeting all security requirements.

Here are five tips, based on our own experience, to help you manage the security and network implications of mergers and acquisitions:

1. Immediately conduct a robust security assessment

The first thing you should do—even before the ink dries—is to gather all stakeholders from both sides of the table and assess each companies’ existing network infrastructures. Differences in policies, procedures, and technology should be reviewed, and a plan put in place to standardize. For example, one company may require remote systems to access corporate information through a VPN while the other company may allow users more flexibility to log in via public Wi-Fi. A new risk assessment needs to be completed given the changing circumstances, and an agreement put into place to create a new policy or adhere to an existing structure.

2. Make sure the acquired company knows its responsibilities

Security should not be the sole responsibility of the acquiring company. The IT team at the acquired company needs to step up and educate their new colleagues on the security requirements that previously affected their business, and how they may affect the new entity. The acquired company may have operations in regions that the acquiring company does not—and needs to inform the combined team of any regulations or risks that must be addressed. If this burden of diligence is not taken seriously by all parties, it could impact the continuity of the business.

3. Ensure data security consistency

One of the hardest IT tasks associated with M&A is data integration. A plan to integrate both structured and unstructured data needs to be put into place so no data is lost, users continue to have access to pertinent information, and both companies remain compliant throughout the merging process. There are three options. A forklift solution would simply migrate one dataset to the other. If there is not an easy way to do that, IT may try to force a solution—which can be risky and expensive. The third option is to just simply maintain two separate datasets, but that would seriously affect workflows and create massive inefficiencies. Choosing what works for each situation requires an in-depth analysis of the overall cost, capabilities and effectiveness of each choice.

4. Check, double check and recheck all compliance requirements

Especially as individual companies, watchdog groups and governing bodies issue new regulations on data security and privacy, compliance needs to be an underlying consideration throughout the M&A process. Some regulations begin when an organization expands to a certain size—a benchmark that may be hit from the formation of the new company. The same is true for the regions within which the companies operate, and where the larger entity would be conducting business and storing their data.

5. Reconcile your cloud policies

Everyone is migrating to the cloud in some way, shape or form, but there is no standardized playbook for how to get there. As a result, merging companies likely have different policies and vendors when it comes to the cloud. IT teams need to identify the current cloud approach at each company, reassess risk, and develop a consistent strategy for the combined entity. It may make sense to stick to the public cloud, create a virtual private cloud or adopt a hybrid model. Again, it is all about identifying what works in the context of the new organization.

Merging or acquiring another company includes security implications. It is critical to the business that you assess how the merger will affect your company’s current security posture and how differences can be resolved. Data integration, security policies, compliance efforts, and cloud strategies, will need to be reassessed with the new combined entity in mind to ease the growing pains associated with M&A activity.

view counter
Marie Hattar is chief marketing officer (CMO) at Ixia. She drives Ixia’s corporate positioning, messaging and communications to both internal and external audiences. She has more than 20 years of marketing leadership experience spanning the security, routing, switching, telecom and mobility markets. Before joining Ixia, Marie was CMO at Check Point Software Technologies. Prior to that, she was VP at Cisco where she led the company’s enterprise networking and security portfolio. Marie also worked at Nortel Networks, Alteon WebSystems, and Shasta Networks in senior marketing and CTO positions. She received a master’s degree in Business Administration in Marketing from York University and a Bachelor’s degree in Electrical Engineering from the University of Toronto.