Cybersecurity and Change Management: Considerations in a Post-Merger IT Environm

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
  • #84114
    Max Eager

    Understanding the complexities of cybersecurity in the post-merger IT environment ensures that the newly merged entities can hit the ground running, and maintain their momentum. Confronting cybersecurity risks from merged IT environments often poses significant challenges to integration and the achievement of optimal (or at least as-planned) operations. This is, generally but not exclusively in my experience, due to diverse systems used for similar (or not) business functions, sometimes incompatible governance structures over the IT, and the fragmented use of various technical standards, and different cybersecurity policies and protocols.

      I’ve outlined some key change management considerations that are important, but by no means exclusive, to cybersecurity in a post-merger IT environment:
      1. Alignment of Cybersecurity Policies: With two (or more) different cybersecurity systems at hand, there is an immediate need to decide on a unified security policy. This often involves inspecting all current security measures, identifying the most effective ones, integrating these measures into a new, comprehensive system, and phasing out redundant or incompatible components. The catch is that to do this seamlessly takes a mature security program (not a given).
      2. Cyber Risk Assessment: The risk landscape may significantly fluctuate during and following a merger, exposing the company to new hazards and vulnerabilities that may not have been foreseen. A comprehensive risk assessment should take place quickly after the merger (preparation beginning in due diligence preferably), along with regular assessments throughout the integration period. Any risk findings should be managed in a risk register owned by a corporate risk manager.
      3. Tech Maximization: When the opportunity arises, invest in new technology or innovative tools that will facilitate the change more seamlessly. Planning to move all ticketing to JIRA and integrate it with the new eGRC platform? Piggy-back off the already inevitable integration process where possible.
      4. Improved Communication: All stakeholders, from employees to top management, should be informed, in a timely manner, about the changes that will take place, especially as regards enhanced security measures regarding log-in portals, and why one entity may have and require more security. Enhancing communication helps foster organization-wide understanding of why changes are necessary and how they will strengthen the organization as a whole.
      5. Training and Competency Building: Frequent training sessions should be organized to keep employees abreast of new security policies, protocols, and software that will constitute part of the post-merger cybersecurity approach. People will not read these on their own, so sit them down and review them.
      6. Continued Monitoring & Evaluation: It’s critical for the acquirer to figure out how to start monitoring (having visibility into) the acquisition’s cyberspace as soon as possible after a deal is signed. While control isn’t necessarily required at this point (often hard to pull off), the acquirer needs the visibility to manage risk, both security and project-based risks.

      7. Managing Regulatory Compliance: Regulatory requirements may differ across companies due to geographical location or industry sector. Accommodating these different standards as part of the unified cybersecurity policy suite is key to achieving early consistency at the strategic level.

    Please feel free to share your thoughts or experiences related to this topic or any of the above!


    Definitely a very hot topic and one which comes up quite a bit in Life Sciences / Pharma - R&D in particular. One observation is there seems to be a reluctance by those in the IT departments to embrace cybersecurity. An example of this is adoption or implementation of practices described here: I suppose the reality is that many Biotech firms aren’t very secure so assessing with a formal standard isn’t widely practiced.
