Cybersecurity throughout the divestment process is something that tends to be ignored, yet this type of deal presents significant security and operational risks and liabilities, especially with stricter rules on data protection and regulatory compliance.
Spinning off a division of a business does not mean suddenly cutting off all ties — sometimes shared services need sustainability for a period of time, often for several years. So, it is imperative that the CFO of both the parent company as well as the newly created entity develops a comprehensive plan which includes details of how their integrated IT and networks will be separated. Part of this plan must include how this unravelling will create new cyber vulnerabilities, security weaknesses and potential regulatory non-compliance as the companies move to finalise the divestment process.
The CFO’s priority is to save money and deliver quality returns to investors and they must recognise that cybersecurity is a critical in order to reach this goal. Therefore, to enable an efficient and smooth divestment process, what are the strategic security questions that CFOs, CISOs and the broader executive team should be asking themselves?
Gain visibility to who owns which assets
During divestment, it is important to understand which assets need to be separated and which should remain shared to limit operational disruption. It is not just the ownership of the asset that matters, but ownership of the liability of the risk of that asset. If there is any ambiguity around who is providing and maintaining the security of a particular part of the network, then the risk of a security breach is dramatically increased. Being able to model the provisioning of access across a new network perimeter between the two organisations can help alleviate this problem and minimise the chance of a cyber-attack.
Where are the risks?
Enterprise IT networks can be vast. So, as their networks get divided, it can be extremely problematic to understand where the new network perimeters exist. This challenge is compounded by the fact that access points between the two entities are still likely to exist beyond the divestment process. Only by employing a solution that provides visibility of the entire network can the businesses identify where the new network perimeter is situated, where or how connectivity should be removed and what levels of security and connectivity are needed or not.
There is also a possibility that a breach could cross over from one organisation to the other. The solution to this is to allow security teams fully understand the expected impact and path of an attack and whether the most appropriate preventative security measures are in place to defend their business using network modelling technology.
Segregating security teams
In addition to the IT network, the security teams responsible for keeping the attack surface protected must also be split. The challenge of this is two-fold: with fewer members on each new team there will inevitably be the creation of a knowledge gap in both organisations, so it is important to make sure that all employees are up to speed with all security risks or make sure that additional staff are hired to fill the void.
As there won’t be as many people to deal with a similar number of attacks to the network, so how can they make sure that a breach doesn’t fall through the net? Fortunately, there are security tools available which can highlight the highest priority risks using automated data correlation and recommend the defences and controls that should be put in place to mitigate the risks of shared services and networks. This way, security teams are able to prioritise where to focus their efforts and make better use of human resources.
A huge concern for the CFO of an organisation on the brink of divestment is the potential regulatory impact, so this must be clearly understood. As a new network perimeter is planned and introduced, the security teams need to establish whether this produces any compliancy gaps. With shared network assets, it is important to ensure any changes made are not resulting in a breach of regulation and that changes are implemented within the timescales demanded by the regulators.
Using automated change assessment, security teams can ensure network changes happen quickly and that the organisation remains regulation compliant, so the divestment process keeps to the schedule. Using this type of tool also means that any changes that have been made haven’t exposed any new vulnerabilities.
Although traditionally viewed as the sole responsibility of the CISO, thanks to digitalisation, cybersecurity has infiltrated every aspect of business operations, including divestments and other activities that fall under the remit of the CFO. By using the latest tools in visualising network, security infrastructures and their risks enable the IT aspects of divestments to be concluded more quickly and making the life of the CFO significantly easier.
This approach helps smooth divestment operations for finance directors by ensuring security and compliance risks are properly identified, understood and dealt with strategically. Doing so will mean that any possible monetary and reputational risks caused by a cyberattack, during the divestment or at a later date, will be avoided and will safeguard the future of both companies.