The five points in this article are indispensable when considering the effects of M&A on information security.
Imagine: two companies, two environments, one data centre each, two different approaches to information security. Each company confident in the integrity of its systems. But when these need to be integrated (and no, you can't 'start over'), there are too many things to consider.
Firstly, you are not just doubling the potential ingress points by having two networks communicate; you are multiplying the possible attack vectors through each side's different hardware, network ports and protocols.
Additionally, you need to think about the internal threats - your employee base has just grown, increasing the risk of insider attacks. Was everyone happy with the merger? It only takes one person to compromise the integrity of what was once a very secure network.
Example: System A needs to be accessed by system B. System A is protected by solution X, and system B is protected by solution Y. X and Y cannot communicate, which means that only the end points of transactions can be monitored. What happens in between? Nobody can say, and that unmonitored stretch of the transaction is an example of 'grey space'.
Options are limited. Replacing solutions X and Y with a single solution Z comes at a heavy staff and capex cost. X can be expanded to cover system B, but then the engineers for system B need to drop Y and learn solution X (or be laid off and replaced, at high cost). A stop-gap measure is to get a solution V to broker traffic between X and Y, but the long-term costs are too much to sustain, and the burden of an extra system means drafting in more staff.
Although simplified, this example shows some of the considerations made by companies undergoing this process. There is no one-size-fits-all approach to information security in mergers. Each organisation will deal with this differently, and existing vendor and partner relationships will influence the choices made.
My main suggestion is that before completing a merger or acquisition, companies must include systems integration (and by extension, security) projects in their plans and budgets in order to avoid the embarrassment of a merger becoming a major security event.
However, companies often neglect the security implications of their merger. After all, each company had theoretically been secure and in compliance before the merger. Why would the combined entity be any different?