Page 11 - Cyber Warnings
Assess the cybersecurity programs of both organizations. The breadth and depth of the
two programs will indicate whether we have a “perfect match”, or a potentially disharmonious
pairing. Develop a questionnaire that will gauge a wide range of relevant issues about the
respective information security policies.
The questionnaire should lead to discussions about which compliance activities both
organizations are legally bound to, and what the internal controls look like.
Compare the governance models too – does one company employ an entire governance unit,
while the other has simply designated a couple of IT guys who do governance in their spare
time? Ultimately, you’re seeking to assess the information assurance maturity of both
businesses, to ensure they align.
As part of this, you should appoint a person of influence as your primary M&A cybersecurity
leader. This person will take charge of the process, driving the needed inquiries and working
with CIOs, their IT teams and line of business leaders on both sides to collect the required
information.
You may consider hiring a respected, outside third party to do this, to lend a sense of objectivity
and authority.
Take a deep dive into the tech. Somewhere within the pre-announcement phase, you must
carefully examine the technologies which support the programs/policies. Among the key
questions to ask:
Do you encrypt your “crown jewels,” i.e. confidential and sensitive data about customers, key
corporate functions and strategies? Where is it kept? Do you classify it? If you’re merging with a
company committed to classifying its data, you can probably conclude that it’s doing a good job overall.
In addition, inquire as to whether the other organization has the right tools to conduct
vulnerability assessments. IT teams need to “see” – and understand – what the inside of the
network looks like.
They should be capable of determining whether internal user activity on the internet and outbound
network traffic are consistent with policies.
Talk to the people. Clearly, the awareness and practices of employees greatly impact the
safety of your data. Whether via all-hands meetings, group discussions or training sessions,
proactively launch conversations with staffers about this topic.
Let them know that – once the deal is announced – it is highly likely that hackers will hatch
phishing and social engineering schemes, posing as someone from the other organization.
These crooks may, for instance, ask for a confidential report and/or gain users’ trust in order to
compromise the network.
11 Cyber Warnings E-Magazine December 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide