Risk Modelling – the Secret to Successful Post-Merger Network Convergence
Many organisations in today's economy see a merger or acquisition as an attractive business strategy to improve financial position and weather a down market. This is especially true in the financial services sector, where even very large organisations are being acquired by equally large organisations as a basic survival strategy. While the results may favour shareholder value and workforce efficiency, the impact of combining the IT infrastructure and IT management processes of two entities can be profound.
The Merged Network Problem
When large organisations merge two complex networks made up of disparate types of equipment, managed through many different interfaces, and governed by different policies and standards, IT is left to plan and implement network changes, determining how to consolidate devices, processes, and people to ensure consistent availability, security and compliance. Add to this burden the frequent demand by senior management to show significant savings as a result of combining business infrastructures – often in a very short time frame – and IT faces a Herculean task.
The approach taken by many organisations that find themselves in this state is to install firewalls that will dictate access from one infrastructure to the other until the risk of each heritage network can be determined. Then IT begins an arduous manual inventory of all existing equipment and assets. This is followed by a similar manual effort to try to identify all the rules that have been implemented in both networks to ensure security, privacy, and compliance with a host of internal and external regulations, such as PCI-DSS. IT will try to sift through the mountains of data generated by a host of vulnerability scanners, trying to identify and deal with the most important risks and vulnerabilities in the ‘new' network before removing the firewalls separating one from the other.
Risk Modelling to the Rescue
Rather than resort to tedious, inefficient manual efforts, savvy organisations look to the approach of risk modelling to support pre- and post-merger risk management. This concept involves using automated solutions to collect information about network topology, business assets, vulnerabilities, threats and countermeasures. The software then creates a visual model of the network and the asset “battlefield” where potential attacks can be simulated and potential responses compared. Using such an approach can help the merged companies develop a game plan to address existing and new risks quickly.
The benefits of risk modelling to support network consolidation include:
- Quickly identify the real, immediate risks to business assets
- Quantify those risks in terms that are understandable to senior management
- Prioritise and fix security and compliance gaps in the resulting combined network
- Manage complex network topologies so as to ensure availability and connectivity
- Focus scarce resources on areas of highest risk
- Understand and quantify pre- and post-network convergence risk through what-if modelling
- Perimeter discovery – identify the true network perimeter.
Below we discuss a few of the benefits in detail.
Maintaining Security and Compliance
Organisations can determine their access policy compliance status by automatically validating configurations against network policies such as PCI, industry best practice or custom organisational standards. In addition, rather than dealing with the volume of information produced by vulnerability scanners, and trying to prioritise the information based on inadequate data, risk modelling enables security analysts to highlight the most critical vulnerabilities so they can be remediated. Using attack simulation, IT security and compliance managers are able to use the network model to determine access paths allow the exploitation of vulnerabilities, leading critical business assets to be compromised. Automated risk modelling allows an organisation to quickly evaluate its security and compliance posture, assuring senior management that they are secure and focused on the right IT priorities.
Ensuring Network Availability
By collecting configuration data from all devices in the network, the risk modelling approach provides the network visibility that most organisations lack. It is much easier for IT to look at a network map that includes all the devices in the combined network and captures all device behaviour, enabling personnel to spot potential problems. In analysing connectivity issues, the root cause and path of a potential or actual network outage can be identified. This can be a big help in ensuring that network issues do not impede the already stressful merger transition.
Quantifying and Reducing Risk
Network consolidation in an M&A scenario is very much about business costs and risks. Using a risk modelling approach, the network and security teams can gather quantifiable information about assets, risk levels, and the tradeoffs between IT expenses and security or compliance levels. This helps business executives define the business resources needed to ensure an acceptable level of risk throughout a merger of two infrastructures.
Mergers and acquisitions hold out the potential for massive cost savings and organisational efficiencies. However, the task of merging disparate networks almost always brings new burdens and complexity for IT security and risk management staff. Those who have succeeded at network consolidation view the approach of automated risk modelling as a key factor in their success. The use of risk modelling tools enables IT to quickly understand the converged network, spot exposed vulnerabilities, prioritise risk scenarios, and maintain a secure, compliant network while ensuring continuous availability.
Skybox Security is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit