Mergers and Acquisitions: Look Before You Leap!

Mergers and acquisitions are taking place constantly. Companies combine with other companies (either amicably or forcibly) to fill some perceived strategic business need or to gain a foothold in a new market. M&As are most often driven by individual high ranking company executives, not by the company as a whole. If successful, such deals can be the highpoint in a CEOs career. If unsuccessful, they can lead to ignominy and professional doom.

Of course this level of risk/reward is irresistible to many at the top, and executives are constantly on the lookout for companies to take over or merge with. And the competition is fierce! So when they do spot a likely candidate, these individuals are naturally loath to hesitate or over question. They want to pull the trigger right away before conditions change or someone else beats them to the draw. Because of this, deal-drivers often limit their research of the target company to surface information that lacks depth and scope, but that can be gathered relatively quickly.

However, it is an unfortunate fact that just over half of all M&As fail. And one of the reasons this is true is that companies fail to gain adequate information about their acquisitions, the people that are really responsible for their successes and the current state of the marketplace they operate in before they negotiate terms and complete deals. Today more than ever, knowledge truly is power; power that can spell the difference between success and failure.

Fortunately, technology and innovation continues to march forward. MSIs TigerTraxTM intelligence engine can provide the information and analysis you need to make informed decisions, and they can get it to you fast. TigerTraxTM can quickly sift through and analyze multiple sources and billions of records to provide insights into the security posture and intellectual property integrity of the company in question. It can also be used to provide restricted individual tracing, supply chain analysis, key stakeholder profiling, history of compromise research and a myriad of other services. So why not take advantage of this boon and lookbefore you leap into your next M&A? 

This post courtesy of John Davis.

Tips for Writing Good Security Policies

Almost all organizations dread writing security policies. When I ask people why this process is so intimidating, the answer I get most often is that the task just seems overwhelming and they don’t know where to start. But this chore does not have to be as onerous or difficult as most people think. The key is pre-planning and taking one step at a time.

First you should outline all the policies you are going to need for your particular organization. Now this step itself is what I think intimidates people most. How are they supposed to ensure that they have all the policies they should have without going overboard and burdening the organization with too many and too restrictive policies? There are a few steps you can take to answer these questions:

  • Examine existing information security policies used by other, similar organizations and open source information security policy templates such as those available at SANS. You can find these easily online. However, you should resist simply copying such policies and adopting them as your own. Just use them for ideas. Every organization is unique and security policies should always reflect the culture of the organization and be pertinent, usable and enforceable across the board.
  • In reality, you should have information security policies for all of the business processes, facilities and equipment used by the organization. A good way to find out what these are is to look at the organizations business impact analysis (BIA). This most valuable of risk management studies will include all essential business processes and equipment needed to maintain business continuity. If the organization does not have a current BIA, you may have to interview personnel from all of the different business departments to get this information. 
  • If the organization is subject to information security or privacy regulation, such as financial institutions or health care concerns, you can easily download all of the information security policies mandated by these regulations and ensure that you include them in the organization’s security policy. 
  • You should also familiarize yourself with the available information security guidance such as ISO 27002, NIST 800-35, the Critical Security Controls for Effective Cyber Defense, etc. This guidance will give you a pool of available security controls that you can apply to fit your particular security needs and organizational culture.

Once you have the outline of your security needs in front of you it is time to start writing. You should begin with broad brush stroke, high level policies first and then add detail as you go along. Remember information security “policy” really includes policies, standards, guidelines and procedures. I’ve found it a very good idea to write “policy” in just that order.

Remember to constantly refer back to your outline and to consult with the business departments and users as you go along. It will take some adjustments and rewrites to make your policy complete and useable. Once you reach that stage, however, it is just a matter of keeping your policy current. Review and amend your security policy regularly to ensure it remains useable and enforceable. That way you won’t have to go through the whole process again!

Thanks to John Davis for this post.

Three Danger Signs I Look for when Scoping Risk Assessments

Scoping an enterprise-level risk assessment can be a real guessing game. One of the main problems is that it’s much more difficult and time consuming to do competent risk assessments of organizations with shoddy, disorganized information security programs than it is organizations with complete, well organized information security programs. There are many reasons why this is true, but generally it is because attaining accurate information is more difficult and because one must dig more deeply to ascertain the truth. So when I want to quickly judge the state of an organization’s information security program, I look for “danger” signs in three areas.

First, I’ll find out what kinds of network security assessments the organization undertakes. Is external network security assessment limited to vulnerability studies, or are penetration testing and social engineering exercises also performed on occasion? Does the organization also perform regular vulnerability assessments of the internal network? Is internal penetration testing also done? How about software application security testing? Are configuration and network architecture security reviews ever done?

Second, I look to see how complete and well maintained their written information security program is. Does the organization have a complete set of written information security policies that cover all of the business processes, IT processes and equipment used by the organization? Are there detailed network diagrams, inventories and data flow maps in place? Does the organization have written vendor management, incident response and business continuity plans? Are there written procedures in place for all of the above? Are all of these documents updated and refined on a regular basis? 

Third, I’ll look at the organization’s security awareness and training program. Does the organization provide security training to all personnel on a recurring basis? Is this training “real world”? Are security awareness reminders generously provided throughout the year? If asked, will general employees be able to tell you what their information security responsibilities are? Do they know how to keep their work areas, laptops and passwords safe? Do they know how to recognize and resist social engineering tricks like phishing emails? Do they know how to recognize and report a security incident, and do they know their responsibilities in case a disaster of some kind occurs?

I’ve found that if the answer to all of these questions is “yes”, you will have a pretty easy time conducting a thorough risk assessment of the organization in question. All of the information you need will be readily available and employees will be knowledgeable and cooperative. Conversely I’ve found that if the answer to most (or even some) of these questions is “no” you are going to have more problems and delays to deal with. And if the answers to all of these questions is “no”, you should really build in plenty of extra time for the assessment. You will need it!

Thanks to John Davis for this post.