Security 500 conference     

 Don’t miss the networking event of the year for security executives!
Register today for the Security 500 Conference.

The Joint Venture and Security’s Role

Back in October, I was speaking as part of a panel discussion when someone asked about the role security issues should play when an organization is entering into a joint venture. It’s an interesting question and an area where I’ve had some experience.

With economic conditions being what they are today, we’re seeing more companies wanting to rapidly enhance their portfolio or geographic footprint. And many are looking to joint ventures to expand their businesses to meet the demands of the market. But there is always a cost associated with this type of a business decision.  Usually, company executives are more focused on the potential revenue growth associated with joint ventures, rather than the increased risk inherent when joining two or more companies together.  So it falls to the CSO to ensure that the security risks are properly measured and articulated to the C-level suite so that a proper and informed decision can be made.

 

Understanding Security Risks, Regulations and Legislation

For any joint venture exploration, it’s important that the CSO becomes involved as early as possible in the due diligence process. Risks associated with a data breach or a network compromise can have a severe impact on the company and stockholder value as well as on the level of trust the organization enjoys in the industry. Therefore, it’s prudent to assess the level of security risk associated with any joint venture so that a proper valuation is made and any investment required to bring the JV’s security measures up to the appropriate levels is factored into the decision. 

Equally important is to thoroughly understand the regulations and legislation associated with the joint venture based on the company’s geographic location or industry.  Regulatory and legislative factors can often result in increased security requirements around Data Protection, Data Retention and Lawful Intercept, depending on the business or industry, and may require uplifts and investments to satisfy. But, let’s be honest: in most cases, the JV will go forward, with or without the endorsement of the CSO; so once the formation of the JV is complete, there are important decisions to be made and actions to be taken that can mitigate the security risks identified. 

 

Priority One -- Data Protection

Regardless of the industry, data protection should be your first “port-of-call,” as this is usually the most valuable asset of a company and also the one that can cause the most risk if not properly managed.  Even though we have seen the erosion of the perimeter, it is still critical to view security from the outside in to ensure a company has layers of defense to protect its key assets, which, in most settings, will be personal and/or customer data.  The areas I generally focus on in these situations start with ensuring that security policies regarding laptops and mobile devices are sound and compliance is at appropriate levels, as this is probably the weakest link in the chain. 

It is also important to understand whether personally-owned devices are allowed within the business environment, and if so, that appropriate security policies are established, well-communicated throughout the organization, and are enforced.  Access to company data from such devices can increase risk and exposure since there may not be adequate security tools available or installed on the devices. 

 

Multi-Layered Defense Strategies

The next layer to evaluate includes networks and systems. Understanding the security policies in place as well as how compliance is monitored and enforced is necessary to adequately measure the level of security. Any good security department will have a mature process for monitoring and measuring compliance and will be happy to share their metrics. Third-party audits and/or certifications can be very useful in determining how a company’s security profile measures up against your own, so be sure to review these as well; but keep in mind that not all auditors are equal. Remember the motto of most security organizations – “trust but verify.” 

The third layer to examine is physical security. I recommend reviewing the physical security policies associated with the company’s offices and data centers as this will provide a more comprehensive view of how seriously the company considers security. It’s fairly easy to take a quick walking tour of a building to look for security video, access controls, intruder detection, protection of windows and doors; and you can readily determine whether there is manned or mobile guarding provided at the company’s key sites. Let’s be honest – if you can get physical access to a network device or system, you can own it, no matter how effective the system’s security controls.

The final layer for me is around security awareness and training – a company with a good security culture will have much better success in thwarting an attack than one that relies solely on technology and their security team. I consider a good security awareness and training program to be a force amplifier. Why rely on a small department of security professionals when you can enlist the help of the entire organization to be your eyes and ears across the company?  Even if employees aren’t able to stop a data breach or network compromise, they will be much faster to alert the security team if they see or hear about a threat. And we all know how critical early detection can be to minimize the impact of an attack.

Once you’ve completed your review of the company’s security layers of defense, it is important to determine how they measure up against your own – and then determine what areas need the most attention. But before you can put together and implement a proper remediation plan, there are some key decisions to make with the organizational design to ensure a smooth and amicable relationship is formed between the different security teams. 

 

Maximize Success

In a best-case scenario, the teams will merge to form a single security organization that brings together the expertise from all sides to work together and uplift the security across the JV to the highest standard possible. But for this to truly occur and succeed, a similar merging of the IT departments needs to take place so the infrastructure is merged and any lines of demarcation between the companies are removed. Otherwise, the security team will be hindered by its inability to secure all of the devices across the JV. 

But let’s face it – a joint venture is not an acquisition, so merging departments or infrastructure is highly unlikely. The second best option is to have the security teams from each company report into a single CSO.  This will at least ensure that both teams’ strategies are aligned as well as their policies and procedures. It will also encourage cross-pollination of knowledge and expertise, resulting in more effective security practices in the long run. The biggest pitfall to avoid is creating an environment where turf battles begin to rage. In my experience, when a department or organization becomes territorial, they can single-handedly introduce delays into any program through protectionism and paranoia. Obviously, this is never a good thing and can completely undermine the good intention of any joint venture. Creating an open and collaborative environment where all ideas and innovations are entertained will go a long way to foster a cooperative attitude where teamwork is rewarded and territorial battles are quickly diffused and disciplined. And remember, attitude starts at the top – employees will mimic the actions of their leadership, so ensure you set the right example from Day One and encourage your management team to do the same.  

Merging people, processes and technologies can be challenging, but if done properly with the right focus on risk management and a collaborative team environment – where everyone is given opportunities for knowledge enhancement and career advancement – a joint venture can result in a stronger and more robust security practice. It stands to reason that if two heads are better than one, then two security teams should also be stronger and more effective than one.  

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Jill Knesek

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

September 2014

2014 September

In the September issue of Security Magazine, find out who this year's most influential people are in the security industry are. Also, take a peek at the technology products that ASIS 2014 will be showcasing at the upcoming event. Read about the lessons learned from security at the World Cup, find out why tactical medical training is a must for your enterprise and how Atlanta increased security by sharing surveillance.
Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+