We wrote a post last Sept about successful acquisitions. In that post we first struggled with how to actually define a “successful” acquisition. After that we postulated that there were two primary methods of achieving what would in general be considered a successful outcome from an acquisition.

The first method is by overwhelming the acquisition’s culture and turning it into the acquiring culture as fast as possible. I called this the GE-approach because of all the acquisitions I saw while at General Electric during the 90′s, this appeared to be the dominant strategy. The second approach is to leave the acquisition completely alone and let it run autonomously. The only tie to the acquiring company is through financials. Reading an article recently I was shocked but pleased to see that academic research had arrived at similar strategies for successful mergers and acquisitions.

Clayton Christensen, Harvard professor and author of books such as The Innovator’s Dilemma, wrote an article recently in HBR with several other authors about the new M&A playbook. In this article the authors state that studies indicate that mergers and acquisitions fail over 70% of the time. Much has been written and studied about this but from the perspective of attributes of the deal. Christensen et al suggest that the problem isn’t attributes of the deal but that executives fail to match candidate acquisitions to the strategic purpose of the deal.

The article states that there are two reasons to acquire a company, to boost your company’s current performance or to reinvent your business. To extend your business but not fundamentally change how you compete, an executive should buy a company with resources aligned with the current business and fold them in, letting the acquisition eventually die. This is what we described as “overwhelming the acquisition’s culture” or the GE-approach. To reinvent your business, executives should seek companies that have a different business model put resources into it and let it grow. This is what I see as our approach of leaving the acquisition alone letting it continue to grow, perhaps providing financial resources from the parent company.

This post is the last in a 3 part series and will cover the last 2 points from our post entitled the Top 4 Failures in Corporate Information Security.  Here we are going to focus on why firewalls aren’t always the best solution to your problems and how to use your security team properly in your risk making processes.  We’ll end with a quick review.

Firewalls Can Be Bad Too

Firewalls can absolutely be overdone.  In fact, in our experience they are very often overdone.  Often firewalls are cited as being necessary to be compliant with certain regulatory requirements or industry standards (such as PCI compliance).  Sometimes companies feel they must put them in place simply because similar “comparison companies” have installed them.  Many times the driver of this need isn’t as much the requirement, standard or “comparison” company as it is misinformation on the part of firewall vendors or decisions made without complete information.

Firewalls, besides not being free either in terms of labor or capital (obviously), almost always reduce your availability and decrease your flexibility.  Like any other piece of hardware and software, they fail from time to time.  These failures often either lead to idle employees who cannot perform their work or even worse, the turning away of revenue generating customers from certain functions on your site.  There’s no way around it – if you put a firewall in the way of a transaction sooner or later it will cause a problem.  Sometimes this is both acceptable and advisable, such as the additional protection that a firewall provides a database that stores PII information such as credit cards.  Other times, it is just an unfortunate cost and burden such as when firewalls are used to protect static image servers that have very little valuable information on them and which are of little interest to money-focused bad guys.  And finally they can really harm employee productivity by stalling business initiatives.   It’s not unusual to spend thousands of dollars of labor several times a year troubleshooting why a new service won’t work or an why an old service quit working  before identifying that a port in a firewall needs to be opened or was recently closed.

Security Teams as Contributors – Not Decision Makers

Your security team very likely has a lofty and aggressive goal – to keep your company, your systems and your data (or your customer’s data) free from being abused by bad guys.  This goal doesn’t come cheaply and the only way to guarantee it is attained is to either go out of business or spend so much on your risk adjustment initiatives that you will never make a profit.

The security team rarely has the business background and overall business context to make business tradeoffs when it comes to risk.  While they may in fact have a number of people with advanced business degrees, their focus on reducing risk means that they are not focused on maximizing profits within the context of all of the available business levers.  And you may not want them to have such a broad business focus as some practitioners argue that you want your risk team focused singularly on the available risk options rather than making the risk tradeoff decisions.  The bottom line here is that the team should be involved in the decision process, but they are not necessarily the best decision makers for your risk management options.

Acting Sensibly

Treat your security and risk initiatives as you would your personal property and valuables.  Lock up and keep out of sight those things of significant value, but retain enough flexibility to allow you and your team to do your jobs quickly.  You probably don’t put deadlocks on every bedroom in your house as it just doesn’t make sense and you probably don’t need to put firewalls on every LAN segment in your network for the same reason.  Add passive detection advices such as intrusion detection systems to increase your level of security.

We covered four failures in corporate information security:

1)      Fear rather than Risk and Profit driving decisions

2)      Teams not understanding financial drivers of the “enemy”

3)      Overemphasis on Firewalls

4)      Security decisions made by the wrong team

By understanding what motivates your enemy, approaching security with risk and profit rather than fear as a driver, acting sensibly when it comes to risk mitigation and making risk decisions at the appropriate level you can both decrease risk and increase profitability.