Computerworld - My company recently merged with another financial services firm, and now the boundaries we worked so hard to build have to be torn down and rebuilt. We're under significant management pressure to quickly enable communication and information-sharing between the organizations. But we must also maintain the integrity of our IT security infrastructure, all the while merging two cultures with different IT security priorities.
We can't even decide where to build the walls, let alone how high they should be. We need to have all the normal working systems linked together.
The initial Phase 1 priority is e-mail, followed by file sharing. In Phase 2, we'll replace these linked systems with new companywide systems.
Given that our companies have different approaches to IT security, what should the newly formed organization incorporate as its new methods? And how much time and money should we spend protecting the links between systems if in Phase 2 we'll just throw away those links, along with the systems they connect?
Coordinated Response
To clarify my team's response, I spent a day with my other half, the acquiring company's head of security, whom I'll call Joe. He has no staff -- his organization outsources everything to a large managed-services provider.
My team acts as the services company to our business groups. Joe is a business-oriented customer of the outsourcer. My security group has an informal relationship with the business teams that are our customers, but we also have a clear responsibility to be flexible to their needs. Joe's firm has a formal service-level agreement (SLA) with the services company.
Unfortunately for Joe, security isn't a detailed part of the SLA, and he doesn't receive data or reports about security events. His costs are much lower, but he can't be sure of the service he receives. This sounds bad to me. Then again, perhaps I'm a control freak who enjoys the depth of data I have at my fingertips, giving me the ability to track our company's security posture. But at least his SLA covers patch deployments. Some outsourcing contracts I've heard about don't.
Joe is new to security. His background is in commercial management and general IT team leading. I come from a technical security background, so I have nearly 10 years of experience with the nuts and bolts.
Our reporting lines also differ. Joe has a nominally more senior position in his company, but with no budget and no staff, he feels somewhat ineffectual. He has requested that we help him apply some of the facets
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
