Opinions of Thursday, 12 March 2009

Columnist: Lari, Gordon

Mergers and Acquisitions: Implications for Information Security Stakeholders

Turbulent economic climates continue to experience structural adjustments in many facets of the social, economic and political paradigms of purposeful endeavor, necessitating sometimes radical measures that leave stakeholders of industry and their parallels in the social and political domain sometimes little time to react. In business, acquisitions and mergers have become a permanent feature of the global business landscape; more so when the economic markets become erratic in their behavior not only in the short term, but for the long term. Weaker and undercapitalized organizations quickly go under; a “respectable” exit route being, succumbing to acquisition by “stronger” business entities that exploit the opportunities that are availed to them or, the mergence of the balance sheets in the spirit of the term by two or more entities for the sake of survival. Information security practitioners as stakeholders of business and in particular, managers of information security who must continuously stand up for their organizations and practice, albeit a leaning towards creating value through continuous assessment of the technical implications of their information security infrastructure and policies on the business’ economic outcome, and who find their organizations a target of acquisitions or mergers, often rise up to the challenge even in an unprepared state; usually after a legally binding agreement has been reached to invoke the clauses of a merger/acquisition. This article qualitatively discusses some of the implications of a merger or acquisition of which the information security manager remains an important stakeholder and the necessary adoptive philosophies and actions necessary to emerge “after the dust has settled” with a coherent, defendable information technology security infrastructure and set of policies that remain dynamic and accountable to the vision, ideals and purpose of the organization. When two or more organizations become one entity for the sake of business, be it for profit or otherwise, a merger is said to have occurred. When one organization “absorbs” the other, taking over its assets and assuming ownership of such, an acquisition is said to have occurred. These trends in business often do not occur overnight to the extent that they are preceded by an expression of interest by one party and subsequently, preliminary and intense negotiations that conclude the ultimate action of a merger or acquisition. The information security manager must be an active analyst of “words” and discussions that emanate from the “grapevine”. The basis of this suggestion is the relegation of the information security component of items on the main agenda to the background with an assumption that regardless of the outcome, effective information technology security asset management and business protection will follow suit as a forgone conclusion without significant risks; analogous to pressing a button. Staying an active listener to negotiations and actions of the executive body and the progress being made provides a strong basis for planning purposes regardless of which end of the deal the security manager’s organization finds itself. It also becomes the cornerstone of a proactive and advantageous stance. For instance, the momentum gained and the direction of the negotiations will provide a basis for anticipating the likelihood of the event ultimately manifesting. From a strategic planning perspective, the manager then has a basis for drafting a tentative action plan that takes into consideration among others the following The future of the information security department as an absorbed or surviving entity within the new organization The structure, characteristics and nature of the emerging information security department A progressive timetable that takes into consideration the actions necessary to declare a fit security department ready for continuing asset defense and supporting the new business structure and objectives The structure of the new business entity and the necessary security infrastructure to support it A preliminary assessment of the number and caliber of information security personnel needed to manage the new business An assessment of the industry of the emerging organization if unrelated to the industry to which the information security analyst or manager’s organization belongs A reappraisal of trends in the common industry and the implications for a new surviving entity with merged and/or expanded information security and business assets for the sake of defense Efforts at researching cost components of an emerging information security department for the sake of creating a tentative budget if the manager has a strong basis for a valid set of assumptions that his or her organization becomes part of the surviving entity Even where the manager’s organization becomes the absorbed entity, some preliminary basis must exist for quantifying the cost component of a merger or acquisition and its implication for the new information security department The manager’s personal stake in events unfolding and the implications for his or her career The collective expectations of the stakeholders of all organizations involved in negotiations The information security manager is better positioned to be proactive if he or she is a member of an information security committee which often by industry standards should include important stakeholders of the organization such as the CFO and other key personnel. Clearly, such a forum if active provides an opportune platform for official enquiry about events unfolding for further analysis and preliminary strategic planning. Where such an outfit does not exist (for small organizations), the manager must leverage his or her political influence and relationships with key members of the organization. Why Bother? In fact, the manager must be proactive in lobbying to make information security an important item on the acquisition or merger agenda. Why bother? Trends in information security indicate threats that exploit loopholes often created by mergers and acquisitions due to lack of a clear grasp of emerging interrelationships between the merging entities and their related technologies, and ownership of company assets during transitional periods of acquisitions and mergers. These threats may come from both internal and external sources to include “Black Hats” (malicious hackers) who by their nature as devotees to the discipline of electronic surveillance and intelligence gathering may not have much difficulty knowing about mergers and acquisitions precedent to such events, and their subsequent intelligence probing and system compromise efforts. The business media carry stories of mergers and acquisitions between organizations and events preceding such on a regular basis. Intruders exploit the transition period to quickly ascertain which assets are not fully protected and the lack of vigilance for exploitation. Such intrusion may go unnoticed due to lack of vigilance by those responsible for asset protection and risk management. Some of the assets most vulnerable to compromise include intellectual property which from a lackadaisical perspective of an information security practitioner most likely no more becomes an important agenda when job loss or changes for the worse become imminent. Other assets include data such as financial and personal information of the organization which may have strategic importance to a competitor, and similar information about customers, which can have equally devastating consequences where identity theft is the objective. The security infrastructural components to include, the people, network cables and devices, databases, applications, telecommunication equipment, related business technologies and processes that collectively have some strategic and operational bearing on the organization’s data and information assets and resources clearly require top priority during periods of uncertainty and change. A calculated approach during the transition period therefore becomes absolute in a hierarchy of importance to the extent that a controlled transfer of assets applying change management methodologies on a broader scale yet granular in accountability for the sake of the integrity of all information assets must be employed. In other words, the defensive posture of a pre-merger period and a transition period should be the same unless the basis for such change has a foundation in strategy as part of creating the resultant organization and its related information security defense posture. It may not be uncommon and surprising to find that disgruntled employees are the most prone to executing malicious intentions for retaliatory reasons due to decisions made in the economic interest of the merger or acquisition. Personnel internal to the organization should necessitate the same attention from a security perspective as any threats emanating from the outside, for they logically have easier access to information assets; with “coveted” skills, escalation of account privileges for unwarranted information access can occur. Being proactive affords new management the requisite time to carefully plan a transition to a new organization that is defense in-depth oriented in its approach without losing value in posture, while supporting an integrated approach to other related functions that have their roots in management and finance to include budgeting and strategic planning. For instance, the demands of a new information security infrastructure and personnel when meticulously planned due to the time availability provides a stronger basis for accurately forecasting budgets and related constraints for more effective support of the transition to a new and stronger organization from an information security perspective. In the final analysis of quantifying value and overall merger implementation, proactive contribution from an information security perspective helps with the entire merger and acquisition plan and a realistic concept of accurately valuing the process. Getting involved in the merger process only when such a process is imminent and creating a perception of being vital to the process is not the optimal approach to controlling information security project outcomes during mergers and acquisitions. An effective information security manager must have been already involved in the organizational “politic” and be perceived as an important stakeholder in the business for contributory efforts to assume significant meaning and receive the deserving sponsorship. Such level of involvement would be perceived as genuine and not conceived solely as a personal strategy at job preservation in uncertain times. The criticality of information security requires active involvement in the interrelationships that exist between the organization’s people, systems and information assets as a whole. It remains the most effective method for identifying the vulnerable links in the sometimes complex infrastructural designs for threat identification and mitigation. For those in the business of risk management and information security to include, auditors, security officers and those in charge of governance among others, organizational politics becomes an imperative in driving visibility of the collective information security and risk management agenda to a level that justifies the timely and continuous allocation of adequate resources for effective risk management efforts. Today’s information security practitioner has been thrust into the organizational limelight not by will, but by the increasing dependence of business on information technology for basic functionality and survival in a global economy that continues to be networked in many ways hitherto unimaginable, amidst the increasing threats of an underground industry of malicious hackers and competitive intelligence practitioners. These trends clearly indicate the growing maturity of information technology and the functions charged with its protection. Information security therefore has a valid spot in the boardroom and on any contemporary organization’s holistic integrative analysis of what constitutes an evolving strategic and operational vision. Its sustenance is the responsibility of the information security manager and all who have a stake in risk management and information security.

GRC and Accountability Invoking the merger of information technology assets and the controlled and managed transfer of information assets require granular tracking by surviving information technology managers and those charged with governance, risk and compliance (GRC). Fortunately, change management methodologies and technologies exist in industry supportive of such transfers. Where movement of assets across different geographical locations is involved, the approach to building an entirely new network and system can be said to be appropriate since the same implementation methodology in a new environment becomes analogous to an expansion. Even then, the granular differences in platforms and computer systems and the migration of databases and devices require extensive preparation and research that consider the implication for a new and emerging information technology infrastructure. Where the new organization maintains the geographical location of an acquired or “absorbed” entity, and where such preservation of location is in alignment with the role of that unit of the business, minimal intervention may be necessary other than an update of information asset inventories and a clear understanding and control of the information security function and its alignment with business objectives; implementing information security accountability structures as part of the overall organizational governance and accountability structure. Even though these scenarios do not purport to cover every conceivable scenario, the objective of meeting accountability in information management are applicable to any conceivable scenario (See figure 1.0); controlled transfer and tracking and a sustained effort at maintaining and improving a desired and optimal information security posture must be performed in a manner that promotes the integrity and reliability of the organization’s information assets and renders accountability to the governance structures intended to preserve value. Figure 1.0 Asset Protection in a merger/acquisition

No information Security, No Gravy! An important aspect of the merger/acquisition process is the valuation of assets of the entities that are to be taken over, and specifically in the case of a merger an entire inventory of the value of assets of all organizations involved. A functional aspect of valuation from an accounting and finance perspective requires the projection of future cash flows as part of calculating the net present value of an organization. The high risk exposure during transitional periods as discussed in this document clearly jeopardizes these financial projections and the future growth of the organization. The information security manager must not be far removed from the implications of the financial future of the organization, a fertile climate for potential information breaches and the accountability spectrum of a desired emerging entity, for such projections can be rendered useless for those organizations whose critical business systems rely heavily on the globally networked economy. Considering that one “attack” executed by a highly skilled “Black Hat” can bankrupt some organizations, the information security function during the most vulnerable period of an organization’s evolution and transition through mergers remains more critical than ever. For modern organizations, no information security, no gravy sounds like an appropriate mantra. Conclusion Today’s information security manager must be aware of the constructs of business and industry that govern their organization’s survival in a highly competitive global economy. Proactive leadership, and during acquisitions and mergers will help prepare the organization to mitigate significant risks that stand to compromise an existing defensive posture. Knowing the business environment, the technologies that create a competitive advantage from a security standpoint, the threats to information assets, and relevant interdisciplinary paradigms hitherto not directly linked to the traditional concept of security, provides the leverage necessary for the information security stakeholder to rise up to the challenge, any time, well prepared even on short notice.

Brief Background Gordon Lari is the Information and Communications Technology Manager and Chief Information Security Officer (CISO) of TitanicMall, a retail company based in Greensboro, NC, USA. Gordon has a Bachelor of Science degree in information technology and an MBA in accounting from the University of Phoenix. He is a Certified Information Systems Auditor (CISA), a Financial Analyst Designate (FAD) and a Certified Ethical Hacker (C|EH). Organizations of affiliation and membership include the Information Systems Assurance and Control Association (ISACA), the American Institute of Certified Public Accountants (AICPA), the institute of internal auditors (IIA), the American Academy of Financial Management (AAFM) and the International Council of E-Commerce Consultants (EC-Council). He may be reached at larig@defendmyself.com. Gordon has spent the last twenty years in business. This article is his first professional journal publication.

By Gordon Lari,

MBA, BSIT, CISA, FAD, C|EH

ICT Manager/CISO, TitanicMall Trading Company Greensboro, NC United States of America March 4, 2009