I was recently asked to pull together a quick list of key information security learnings for Mergers & Acquisitions (M&A). This year I assumed responsibility for information security of Intel's M&A programs. M&A work is typically frantic, unpredictable, and ambiguous, involving the brightest engineering and integration management talent. It demands great flexibility and a willingness to adapt rapidly and creatively to emerging problems. This work is basically a recipe dreaded by us entrenched security types, who like the controllability of consistent, predictable, and structured activities. It can press the boundaries of good security practices and test the mettle of the strongest security organizations.
Top 5 Key Learnings for M&A Information Security
Security does not happen by default. As the complexities of divestitures emerge, smart people aggressively move to solve problems, and security is likely not a consideration. Information Security must be involved at the early planning stages and stay engaged until the last tactical maneuver is completed.
Profiling the data is key. Knowing what data is involved, its sensitivity, who has logical/physical access, and where it is physically located is necessary. It will be needed to ensure regulatory, legal, and IP confidentiality protection.
Technical and Behavioral considerations must be incorporated to prevail. Neither can be ignored, and in most cases the combination must be applied to every issue where information security is at risk. A security-savvy M&A team is the first step to highly effective results.
Logical and physical security aspects cannot be separated. Information security professionals can easily overlook the physical security factors, which can jeopardize the confidentiality, integrity, and availability of the business just as logical threats can.
Great attention must be paid to data retention, transfer, and destruction. 'Deal data' can be a vague and changing concept which may be interpreted differently over time, especially in larger deals. Understanding the scope, expectations, and commitments is a necessity.
After reviewing the list, I had an interesting observation. It occurred to me there was a glaring omission. The unwavering support of information security by management is absolutely crucial. To be honest, I left it out because I am spoiled. The Intel culture and chain of management are very supportive of information security. So for those of you less fortunate, add it to the list.