My company has bought another company. Those of you who have been through a merger or acquisition know how challenging these things can be.
I’ve been through several corporate mergers in my career, on the side of both the acquired and the acquirer, so I have a good idea of what to expect. That gives me a head start, but it doesn’t necessarily make things easier. I know that a certain amount of autonomy will be given to the company we have acquired, so right away I know we need some firewalls. I’ll explain why in a moment. I also know that we’re going to have some duplication in our computing infrastructure, so we’re going to need a budget. And it’s best to keep in mind that the employees from the company we acquired are going to be touchy about their new role, which can get in the way of a quick, successful integration. So I have a running start on this thing.
As usual in these situations, there are some obstacles to overcome. For starters, I’m not the integration manager. I don’t have any defined responsibility in the merger except for making sure that my company’s information security is protected. But now that the other company will be part of my company, I need to take responsibility for its interests as well. It doesn’t have an information security manager, so I’ll need to help a lot. In fact, there is not even an integration manager. Integrating two companies’ networks just isn’t something our executives thought about when they made this deal. So it’s mad-scramble time for IT. And of course, our executives are telling us to just get it done quickly — don’t bother them with the details, and by the way, don’t spend a lot of money.
A recipe for disaster? It might seem that way, but in my experience these things tend to work themselves out. Mergers can go smoothly if they are well managed, but I haven’t been in many that were. But even if a merger is poorly managed, eventually the acquired company will be part of the team. The people from the acquired company may harbor some resentment, especially if we don’t look out for their interests and keep their business running smoothly, but I can’t do much about that. What I can do is raise awareness about the situation and the potential issues we’ll encounter.
That’s why I mentioned the firewalls right away. The other company’s IT people will be managing IT services at their site, and we’ll continue managing ours. They will leverage some of our IT services, and keep some of their existing ones. Since we won’t have control over their environment, at least not anytime soon, I’ll want to enforce some stateful separation between our networks. They want the same thing. This means two firewalls, facing each other, one managed by my team, and the other managed by the other company. The two firewalls will perform the same functions, but will be controlled by each side. This will help ensure that changes are controlled and approved, and it will help block bad behavior. This is a standard approach to mergers.
Our Active Directory and e-mail systems will maintain separate identities, but of course the business will want the ability for employees to access resources in each domain, and for e-mail to be forwarded from the acquired company’s old e-mail servers to ours. This means we will need an Active Directory domain trust.
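With two firewalls facing each other, a flow between the companies passes only if both teams' rule sets allow it. The following Python example is added here and is not from the original column: it compares two allow-lists and reports rules one side has opened that the other has not mirrored. The addresses, the rule format and the short service list are constructed for illustration and are not a complete port list for a domain trust.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Rule(NamedTuple):
    src: str    # source network, CIDR
    dst: str    # destination network, CIDR
    proto: str  # "tcp" or "udp"
    port: int   # destination port

def allowed(policy, src, dst, proto, port):
    """Default deny: one firewall passes a flow only if some rule permits it."""
    return any(ip_address(src) in ip_network(r.src)
               and ip_address(dst) in ip_network(r.dst)
               and (r.proto, r.port) == (proto, port) for r in policy)

def crosses_boundary(ours, theirs, src, dst, proto, port):
    """Firewalls facing each other: both policies must permit the flow."""
    return (allowed(ours, src, dst, proto, port)
            and allowed(theirs, src, dst, proto, port))

def covers(wide, narrow):
    """True if rule `wide` permits everything rule `narrow` permits."""
    return (ip_network(narrow.src).subnet_of(ip_network(wide.src))
            and ip_network(narrow.dst).subnet_of(ip_network(wide.dst))
            and (wide.proto, wide.port) == (narrow.proto, narrow.port))

def one_sided(policy, other):
    """Rules in `policy` that no single rule in `other` covers: openings
    (or over-broad rules) the other team has not mirrored."""
    return [r for r in policy if not any(covers(o, r) for o in other)]

# Constructed sample policies. 10.10.0.0/16 = acquirer, 10.20.0.0/16 = acquired.
SMTP = Rule("10.20.1.25/32", "10.10.5.10/32", "tcp", 25)    # mail forwarding
KRB = Rule("10.20.1.10/32", "10.10.1.10/32", "tcp", 88)     # Kerberos, DC to DC
LDAP = Rule("10.20.1.10/32", "10.10.1.10/32", "tcp", 389)   # LDAP, DC to DC
RDP = Rule("10.20.0.0/16", "10.10.0.0/16", "tcp", 3389)     # broad remote access
OURS = [SMTP, KRB, LDAP]
THEIRS = [SMTP, KRB, RDP]

if __name__ == "__main__":
    print("only on our firewall:  ", one_sided(OURS, THEIRS))
    print("only on their firewall:", one_sided(THEIRS, OURS))
    print("SMTP relay crosses:", crosses_boundary(
        OURS, THEIRS, "10.20.1.25", "10.10.5.10", "tcp", 25))
```

A rule that shows up as one-sided is still blocked by the other firewall, so the report is a change-control signal: each entry is either a request the other team has not yet approved or a rule broader than what was agreed.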
This is just the tip of the iceberg. There’s a lot more planning needed, so right now I’m spending a lot of time walking the teams through the steps. Not just because I’m a security manager, but also because I have some experience in this area. Which means I’m even more insanely busy than usual. I’ll keep you posted on how things go.
This week’s journal is written by a real security manager, “J.F. Rice,” whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.