Mergers, acquisitions and divestitures are one of the most dynamic and complex events in the lifetime of any company. They impact finances, product portfolios, marketing, HR – and, of course, IT infrastructure. And it’s often the case that managing IT through an M&A process is one of the most complex challenges of all.
This is because companies will typically need to move at least some of their applications to a different data center or to the cloud following the merger or acquisition. They may also need to merge duplicate applications, or replicate applications to new entities, and decommission the unnecessary ones in order to streamline operations and costs.
In turn, this means that security policies will need to be changed or migrated to support the new connectivity, applications, servers and security controls – and all without creating security risks, outages or compliance violations. This creates a mass of complexity which, if not planned and implemented properly, can have a very serious impact on business operations.
The extent of this complexity and the challenges organizations will face will depend on the specific M&A scenario they are working through.
The first, and most common, happens when a large company acquires a smaller one. This often involves adding branch offices and, usually, discarding applications used by the acquired business. A second, less common scenario is the merger of two equal companies. Here, the two teams are roughly the same size and scale, and the applications and datacenters from across the two organizations need to be consolidated.
Finally, there is the scenario where a company is split, and it’s necessary to spin out one or more divisions. This involves replicating applications across the newly divested companies, and splitting existing datacenters and teams, meaning that the existing infrastructure has to be replicated.
Each of these scenarios will pan out slightly differently in terms of the precise applications and policies to be migrated, replicated, duplicated (or de-duplicated), yet the same broad challenges remain. The goal is to ensure that the business entity emerging from the change process has all the applications and IT infrastructure it needs to carry out day-to-day operations –without creating new IT security risks or problems with application connectivity.
Working in practice
So how can companies successfully manage application connectivity through an M&A or divestiture process?
The essential starting point is to generate full visibility into the current inventory – which business applications are being used, where they are, what they do and their connectivity requirements – for both of the organizations involved. This will provide an application map that gives a clear picture of which applications need to be maintained, decommissioned and/or replicated.
To give you an idea of the complexity of this task, an enterprise organization comprising 20,000 – 50,000 people is likely to have more than 1,500 applications in use. As such, manually mapping applications is an enormous, resource-intensive process. In AlgoSec’s experience, a skilled IT consultant can map between 5 and 10 applications in a week: few organizations would be able to afford the time or IT resource that manual mapping would demand.
Furthermore, even once the mapping has been completed, all those applications still need to be migrated. Attempting to do this manually across all of the firewalls and security controls in both organizations’ networks, while ensuring that no security risks or compliance gaps are created in the process, is error-prone at best, and completely unmanageable at worst.
Why automation matters
This is where automation comes in, as an automated security policy management solution will dramatically decrease the time and resource required to map the connectivity requirements of all of the applications that are in use across the organizations.
Additionally, the solution it will also be capable of automating the migration process as well, ensuring that security is ‘baked in’ from the outset – while logging changes for auditing purposes throughout.
Furthermore an automation solution will provide the single pane of glass visibility into the network infrastructures of the organizations involved in the M&A process. This visibility is essential for day-to-day, routine security management, and is absolutely critical when IT infrastructures are changing dramatically, as it enables IT and security teams to monitor the new environments, identify newly-created security gaps and remediate them.
By automating the processes of application discovery, mapping, migration and security management, organizations going through these major changes can keep tight control of their IT infrastructures and proactively respond to any security challenges that arise during the project.
M&A processes presents a range of complex IT challenges – but ensuring that business applications continue to run smoothly and securely throughout the transition is critical, and automation is the key to making sure that this happens.
To find out more about how to manage security smoothly and efficiently during an M&A process, see my recent webinar here.
Receive notifications of new posts by email.