By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services
Just when we thought we’d seen everything, Intel’s bombshell announcement that they are acquiring McAfee stands to shake up the security industry all over again. Aside from the potential impact on the security vendor space (as far as all the downstream corporate customers are concerned), it’s interesting to imagine the alignment issues which will surely arise between these two massively security-conscious firms.
As a security officer, should you invest significant effort into building a set of practices and policies which somehow enable integration with a completely different set? For example, at the easy end of the scale, you might have two different standards for how many failed logins trigger an account lockout, so you reconcile the two and come up with a new standard which everybody is meant to adopt. Far more difficult are issues to do with internal failures and when/how they might ultimately require documentation in SEC filings.
The security officer’s role in such negotiations is likely to be much less technical and more financial – building models to track costs, measure risk exposures, and the like – and the output from such efforts will probably end up on the desks of Legal and Accounting more so than IT or Operations. Ultimately the decisions surrounding how to combine policies will be driven by business and risk considerations, first and foremost, but it’s a dangerous path for the acquiring firm simply to say the target firm shall inherit all the parent’s policies.
This is primarily because the policies in place are usually a function of all sorts of local contextual issues, which are then mapped against whatever subset of industry best practices make sense for the business in question. For example, if a development team is distributed globally while working on a single project, a firm needs to make a decision about using private WANs for data exchange, or instead, relying on local internet access at each facility and coupling that with a strong VPN. If the immutable policy point at the acquiring firm says that no internal R&D data shall traverse the internet — and it was never written to consider whether VPNs are an acceptable carve-out — then the disruptive effect might be significant for all the IT and network teams which have to scramble to catch up.
As with most things, there is no simple answer – the point is to ensure that M&A activities don’t simply assume “the IT stuff will sort itself out.” The integration teams need to give an equal seat at the table to the security officer, the IT architect and whoever else is responsible for the glue that drives how the firms get things done behind the scenes. It’s not just about operating synergies and reduced cost of sales anymore.