Within the span of six months in 2017, CISO Eric Schlesinger watched his company Polaris Alpha balloon from 150 employees to 1,500 workers after three companies merged and three more were acquired. Schlesinger faced several daunting challenges, starting with being a prime target for cyber attacks because the company provides mission solutions to defense, intelligence and security customers, including the federal government.
“Part of that rapid IT integration comes with inherent risks. When it goes so fast, sometimes security wasn’t necessarily keeping up with the pace of IT,” says Schlesinger. How could he take six different companies, with six different networks and security teams and create a single, dedicated security function that could partner and scale as the Polaris Alpha network was being scaled out?
Like most small to mid-size firms, the acquired companies had relied on investments in tools for their cybersecurity. But integrating multiple tools from six companies wasn’t going to work.
“We realized early on that tools were just part of the investment, but not the ones driving our security,” Schlesinger says. “It needed be based on the people, methodologies, workforce and processes that would allow us to scale from 500 to 1,500 people, and now to the 15,000 people we have today with Parsons acquiring us [in May 2019].”
You need a strategy
Schlesinger spent the first months wrapping his arms around the new organizations. Did he have the right people? What were the tools that were there that could be repurposed?
Next, the company’s integrated network security team adopted a standard US Department of Defense (DoD)/Defense Information Systems Agency (DISA) model and applied it to the processes used by the company to defend its corporate network. “It creates a workforce structure that is clear on how that ecosystem has to work, and gives individuals a very clearly defined purpose, and clearly defined procedures and workflows,” he says.
While this mega-merger represents an extreme case of scaling a security organization, most organizations still need the ability to scale security quickly, and not just due to M&A, new business innovation or new ways of interfacing with customers.