According to research, there has been a significant increase in major divestment activity in the UK – despite the uncertainty of factors such as Brexit. Justin Coker, Vice President EMEA, Skybox, identifies the key questions that CISOs should be asking themselves to ensure their organisations are secure and compliant throughout a divestiture.
Against the backdrop of Brexit, the UK is being affected by market uncertainty – a nightmare for any organisation planning to break away significant parts of their operations in the coming months. Nevertheless, according to Deloitte’s global M&A index, there has recently been a significant increase in major divestment activity.
However, economic volatility shouldn’t be the only concern. Cybersecurity throughout the divestment process is something that tends to be ignored, yet this type of deal presents significant security and operational risks and liabilities, especially with stricter rules on data protection and regulatory compliance.
Spinning off a division of a business does not mean suddenly cutting off all ties – sometimes shared services need to be sustained for a period of time, often for several years. So, it is imperative that the CFOs of both the parent company and the newly created entity develop a comprehensive plan which includes details of how their integrated IT and networks will be separated. Part of this plan must cover how this unravelling will create new cyber vulnerabilities, security weaknesses and potential regulatory non-compliance as the companies move to finalise the divestment process.
The CFO’s priority is to save money and deliver quality returns to investors; they must recognise that cybersecurity is critical in order to reach this goal. So to enable an efficient and smooth divestment process, what are the strategic security questions that CFOs, CISOs and the broader executive team should be asking themselves?
How do we have visibility over who owns which assets?
During divestment, it is important to understand which assets need to be separated and which should remain shared to limit operational disruption. It is not just the ownership of the asset that matters but also ownership of the liability for that asset's risk. If there is any ambiguity around who is providing and maintaining the security of a particular part of the network, then the risk of a security breach is dramatically increased. Being able to model the provisioning of access across a new network perimeter between the two organisations can help alleviate this problem and minimise the chance of a cyberattack.
Where are the risks?
Enterprise IT networks can be vast. So, as their networks get divided, it can be extremely problematic to understand where the new network perimeters exist. This challenge is compounded by the fact that access points between the two entities are still likely to exist beyond the divestment process. Only by employing a solution that provides visibility of the entire network can the businesses identify where the new network perimeter is situated, where or how connectivity should be removed, and which levels of security and connectivity are needed and which are not.
There is also a possibility that a breach could cross over from one organisation to the other. The solution is to use network modelling technology so that security teams fully understand the expected impact and path of an attack and whether the most appropriate preventative security measures are in place to defend their business.
How do we segregate security teams?
In addition to the IT network, the security teams responsible for keeping the attack surface protected must also be split. The challenge is two-fold: first, with fewer members on each new team, a knowledge gap will inevitably open in both organisations; second, there will be fewer people to deal with a similar number of attacks on the networks.
To counteract these challenges, organisations need to get all employees up to speed with the risks in both entities to ensure attacks don't slip through the cracks, and they will likely need to hire additional staff to fill the resource void.
Security solutions are also available which can highlight the highest priority risks using automated data correlation and recommend the defences and controls that should be put in place to mitigate the risks of shared services and networks. This way, security teams are able to prioritise where to focus their efforts and make better use of human resources.
Are we at risk of non-compliance?
A huge concern for the CFO of an organisation on the brink of divestment is the potential regulatory impact, so this must be clearly understood. As a new network perimeter is planned and introduced, the security teams need to establish whether this produces any compliance gaps. With shared network assets, it is important to ensure that any changes made do not result in a breach of regulation and that changes are implemented within the timescales demanded by the regulators.
Using automated change assessment, security teams can ensure network changes happen quickly and that the organisation remains compliant with regulation, so the divestment process keeps to schedule. Using this type of tool also confirms that changes have not exposed any new vulnerabilities.
Although traditionally viewed as the sole responsibility of the CISO, thanks to digitalisation, cybersecurity has infiltrated every aspect of business operations, including divestments and other activities that fall under the remit of the CFO. By using the latest solutions in visualising network and security infrastructures as well as their risks, IT aspects of divestments can be concluded more quickly – and the life of the CFO can be made significantly easier.
This approach helps smooth divestment operations for finance directors by ensuring security and compliance risks are properly identified, understood and dealt with strategically. Doing so will mean that any possible monetary and reputational risks caused by a cyberattack – during the divestment or at a later date – are avoided, safeguarding the future of both companies.