Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Merger security.

There’s a whole art to managing business-to-business connectivity, and it all comes to a head when your organization merges with another.  This great article by Mike Chapple can get you started down that road.

Once the new letterhead stationery starts appearing in your stockroom and the domain names have been registered, it’s good to be proactive in managing the management.  Myself, I always like to start with a “default deny” stance:  start with no extra connectivity to the other network (other than what you already have over the Internet), and then start meeting with the business areas to find out explicitly what they do need.  If you treat the other company as you would other sites on the Internet, you may be able to keep things down to a dull roar as you figure out what security the other side has in place.  Mike’s advice not to rush is good:  as long as the business can get what they need within a reasonable period of time, and there’s a known process that they can use, they often don’t care whether you still have firewalls between your networks a year from now.  (You should probably have some access controls in place permanently anyway, but that’s another story.)

Negotiations on merging security policies take a lot more time.  You may find out that the firewall is protecting them from you rather than the other way around if their policies are stricter than yours.  If you stay on the technical level with your peers on the other side, you’ll probably avoid some of the nastier aspects of mergers, most of which are political in nature (get into the bunker while your senior management jockeys for position).  Be creative about letting executives get access to data where they need it—and only give them as much as they need.  Again, being proactive counts for a lot:  if you come up quickly with a secure data-sharing model, they’re much more likely to follow it and thank you for being a business enabler.

No, I’m not going to help you with your struggle to come out as Top Dog CISO.  That’ll take every ounce of business-sucking-up that you can muster, and I definitely don’t recommend breaking into the other CISO’s email.  I’ve heard that Sun Tzu at 40 paces works for some people, though.

Posted by shrdlu on Tuesday, July 03, 2007
