With economic conditions being what they are today, we’re seeing more companies wanting to rapidly enhance their portfolio or geographic footprint. And many are looking to joint ventures to expand their businesses to meet the demands of the market. But there is always a cost associated with this type of a business decision. Usually, company executives are more focused on the potential revenue growth associated with joint ventures, rather than the increased risk inherent when joining two or more companies together. So it falls to the CSO to ensure that the security risks are properly measured and articulated to the C-level suite so that a proper and informed decision can be made.
Understanding Security Risks, Regulations and Legislation
For any joint venture exploration, it’s important that the CSO becomes involved as early as possible in the due diligence process. Risks associated with a data breach or a network compromise can have a severe impact on the company and stockholder value as well as on the level of trust the organization enjoys in the industry. Therefore, it’s prudent to assess the level of security risk associated with any joint venture so that a proper valuation is made and any investment required to bring the JV’s security measures up to the appropriate levels is factored into the decision.
Equally important is to thoroughly understand the regulations and legislation associated with the joint venture based on the company’s geographic location or industry. Regulatory and legislative factors can often result in increased security requirements around Data Protection, Data Retention and Lawful Intercept, depending on the business or industry, and may require uplifts and investments to satisfy. But, let’s be honest: in most cases, the JV will go forward, with or without the endorsement of the CSO; so once the formation of the JV is complete, there are important decisions to be made and actions to be taken that can mitigate the security risks identified.
Priority One -- Data Protection
Regardless of the industry, data protection should be your first “port-of-call,” as this is usually the most valuable asset of a company and also the one that can cause the most risk if not properly managed. Even though we have seen the erosion of the perimeter, it is still critical to view security from the outside in to ensure a company has layers of defense to protect its key assets, which, in most settings, will be personal and/or customer data. The areas I generally focus on in these situations start with ensuring that security policies regarding laptops and mobile devices are sound and compliance is at appropriate levels, as this is probably the weakest link in the chain.
It is also important to understand whether personally-owned devices are allowed within the business environment, and if so, that appropriate security policies are established, well-communicated throughout the organization, and are enforced. Access to company data from such devices can increase risk and exposure since there may not be adequate security tools available or installed on the devices.
Multi-Layered Defense Strategies
The next layer to evaluate includes networks and systems. Understanding the security policies in place as well as how compliance is monitored and enforced is necessary to adequately measure the level of security. Any good security department will have a mature process for monitoring and measuring compliance and will be happy to share their metrics. Third-party audits and/or certifications can be very useful in determining how a company’s security profile measures up against your own, so be sure to review these as well; but keep in mind that not all auditors are equal. Remember the motto of most security organizations – “trust but verify.”
The third layer to examine is physical security. I recommend reviewing the physical security policies associated with the company’s offices and data centers as this will provide a more comprehensive view of how seriously the company considers security. It’s fairly easy to take a quick walking tour of a building to look for security video, access controls, intruder detection, protection of windows and doors; and you can readily determine whether there is manned or mobile guarding provided at the company’s key sites. Let’s be honest – if you can get physical access to a network device or system, you can own it, no matter how effective the system’s security controls.
The final layer for me is around security awareness and training – a company with a good security culture will have much better success in thwarting an attack than one that relies solely on technology and their security team. I consider a good security awareness and training program to be a force amplifier. Why rely on a small department of security professionals when you can enlist the help of the entire organization to be your eyes and ears across the company? Even if employees aren’t able to stop a data breach or network compromise, they will be much faster to alert the security team if they see or hear about a threat. And we all know how critical early detection can be to minimize the impact of an attack.
Once you’ve completed your review of the company’s security layers of defense, it is important to determine how they measure up against your own – and then determine what areas need the most attention. But before you can put together and implement a proper remediation plan, there are some key decisions to make with the organizational design to ensure a smooth and amicable relationship is formed between the different security teams.
In a best-case scenario, the teams will merge to form a single security organization that brings together the expertise from all sides to work together and uplift the security across the JV to the highest standard possible. But for this to truly occur and succeed, a similar merging of the IT departments needs to take place so the infrastructure is merged and any lines of demarcation between the companies are removed. Otherwise, the security team will be hindered by its inability to secure all of the devices across the JV.
But let’s face it – a joint venture is not an acquisition, so merging departments or infrastructure is highly unlikely. The second best option is to have the security teams from each company report into a single CSO. This will at least ensure that both teams’ strategies are aligned as well as their policies and procedures. It will also encourage cross-pollination of knowledge and expertise, resulting in more effective security practices in the long run. The biggest pitfall to avoid is creating an environment where turf battles begin to rage. In my experience, when a department or organization becomes territorial, they can single-handedly introduce delays into any program through protectionism and paranoia. Obviously, this is never a good thing and can completely undermine the good intention of any joint venture. Creating an open and collaborative environment where all ideas and innovations are entertained will go a long way to foster a cooperative attitude where teamwork is rewarded and territorial battles are quickly diffused and disciplined. And remember, attitude starts at the top – employees will mimic the actions of their leadership, so ensure you set the right example from Day One and encourage your management team to do the same.
Merging people, processes and technologies can be challenging, but if done properly with the right focus on risk management and a collaborative team environment – where everyone is given opportunities for knowledge enhancement and career advancement – a joint venture can result in a stronger and more robust security practice. It stands to reason that if two heads are better than one, then two security teams should also be stronger and more effective than one.