Security Q&A: Avnet's 'Cookbook' for Safe Systems Integration
Over the last 10 years, electronics component distributor Avnet has acquired more than 25 companies. Its largest deal, based on sales, came in July 2005, when the $11.1 billion Avnet purchased the Memec Group, a $2.3 billion semiconductor distributor, for $663 million.
Steve Phillips, Memec's chief information officer, was named CIO at Avnet in August 2005, taking responsibility for integratingand securingthe information systems for the merged organizations. His predecessor, Ed Kamins, was promoted to chief operational excellence officer at Avnet. Previously, Phillips was CIO at computer maker Gateway and I.T. director for the European foods division of Diageo.
He spoke with Baseline executive editor Anna Maria Virzi in a Sept. 27 interview about the measures his organization has taken to keep systems secure during times of transition.
With Avnet's ambitious acquisition strategy, how can you be sure that systems remain secure while merging operations?
Security is job number one for I.T. leaders. It has to be done right.
I like to assess our security posture in two ways. First is internally; you look at risks and how you can mitigate those security risks using our internal folks. At both Avnet and Memec, we had directors of I.T. security dedicated to protecting our information assets and our physical I.T. assets.
We also use external parties. Some diversity is important when you look at your security posture. So, third parties come in, audit, and validate the security of our systems environments, our information assets.
How does that work during an acquisition?
We make a review. We understand where we stand. Then we apply common standards across both the organizations in a very fast way.
One of the things that Avnet has learned through its many acquisitions is that moving both fast and deliberately is important. So, for example, we completed the integration of Memec's I.T. systems within 90 days from the acquisition. And early in that process, the security teams at Memec and Avnet held a discussion to validate the security of Memec's I.T. environment. We wanted to ensure that we maintained in-place security practices to make certain we did not expose those environments to unnecessary risk. As Memec was absorbed into the Avnet infrastructure, Avnet's security policies took force.
All within 90 days?
Ninety days start to finish.
How were you able to pull that off?
With a lot of hard work by a lot of good people. Avnet has what we call the "cookbook," and the cookbook gives guidance and advice on how to integrate companies into Avnet. It's the collective knowledge base of our acquisition expertise.
When we have an acquisition and start the integration, we pull down that cookbook and open it up. It's got all sorts of useful information to help with a fast integration, such as template plans, checklists, and processes and procedures that we execute. And then, again, at the end of an integration project, we update it so it becomes a stronger document every time.
How does Avnet's cookbook address security?
People are one of the most important assets and elements of an acquisition. At Avnet, our acquisition cookbook outlines the process for rapidly incorporating the new employees into our infrastructure and mapping their job functions into Avnet's applications. Mass loads into Active Directory, e-mail, HRIS [human-resources information system] and the ERP [enterprise resource planning] systems enable large numbers of new users to be added quickly. The Memec America operations were converted to Avnet's infrastructure and applications only 30 days after the acquisition was approved.
Leading up to the integration of systems, business analysts map the incoming data to Avnet systems. A minimum of three "dry runs" are performed to validate the data and uncover any issues with it. The business analysts also review any errors from the dry runs and determine if those problems are due to mapping or programming issues in the conversion.
Another important asset associated with an acquisition is data, which also requires careful attention to security. Backups of critical data are maintained for safety, and physical security controls are reviewed for data leaving the environment. The strategy for moving data between entities is established early in the process, and secure FTP connections are generally a good starting point. Until the network architecture of the acquired entity is completely understood, all data connections are treated as "untrusted," meaning that data between entities flows through firewalls, intrusion detection sensors, antivirus and other security controls to bring the data into the corporate environment.
During the integration, how did Memec's security director and Avnet's security director work out the selection of a particular technology/approach for security?
Every acquisition at Avnet is guided by a "best people, best practices" policy in which each company's people, tools and processes are evaluated to determine the best long-term fit for the company. Following Avnet's acquisition of Memec, the I.T. teams from both organizations worked together to inventory their security tools, and followed this best-practices approach to identify and move forward with the best tools and systems from both environments. For example, Memec was using a third-party Web content filtering tool that blocked employee access to Web sites considered a potential security risk. Avnet did not have such a broad tool in place. The security directors from both Avnet and Memec worked together to implement and deploy this tool throughout the Avnet organization.
When you use a third party to audit and validate security, how does that arrangement work?
We use two different firms.
Who are they?
I don't want to disclose their names. The idea behind using two firms is driven by, again, diversity. We have some fairly routine security audits that are automated, that happen regularly and frequently, and we take actions on those audits' results.
One of the things about security is that the threat constantly evolves. It's not a one-time event. You have to constantly look at your security, constantly change your security posture to address whatever threats are evolving. So, we have a fairly routine audit that happens regularly, and we take actions from that.
How often are those routine audits?
What types of things do you audit for?
We primarily check our security from external intruders. Less frequently we complete more hands-on audits that look at our internal security as well as our external security. And those are pretty comprehensive.
What is an example of what is included?
It would include looking at, for example, application security.
As you mentioned, security threats evolve daily. How do you keep up-to-date, as CIO, on what's important?
I'm helped by a really great team, and we have a dedicated I.T. security director, Bill Smathers. He and his team work on staying very close to what the threats are, and making sure that as collective I.T. teams we address those threats. Even though we have a dedicated director of I.T. security, we make it clear that security is everybody's job. He coordinates and helps us become aware of risks, but it is everybody's job to make sure that we protect our information assets.
Are you referring to everyone on the I.T. team, or the entire company?
In terms of I.T. security, that's the I.T. team's job.
Often, the greatest threat to a company is someone inside the building, not an outsider. We have a fairly clear code of conduct that every employee of Avnet reviews and signs every year. And that clarifies each individual's responsibilities in terms of protecting Avnet's information.
Did Memec have an information security director, and if so, what happened to him or her?
Bill Smathers was the Avnet I.T. security director at the time Avnet acquired Memec, a role he fills today. The security officer role at Memec was carried out on a part-time basis by a senior I.T. director. That director decided not to relocate from San Diego, where Memec was based, and left Avnet after an agreed transition period, and now fills a leadership role at a large company based in San Diego.
How often does Avnet perform the more intensive security audits?
Is that two or three or four times a year?
I'd rather just say periodically.
So, during a merger or acquisition, how do those reviews fit in?
As Avnet makes an acquisition, we still have a regular business to support and we have to continue to support it. It's a competitive marketplace, and our competition doesn't take a rest because Avnet makes an acquisition. So, the challenge for all of the folks involved in integrationand not just the information-technology teamsis that we have to sustain and continue to grow our business as well as complete an integration quickly and effectively.
Have you ever said, "Whoa, I need to slow down here," because the timetable is not realistic?
We have some collective knowledge, as I said, through the Avnet cookbook. We know what works and doesn't work in terms of timing. We know that the sooner we get these [mergers] completed, the sooner we can get on with just totally dedicating ourselves to supporting that business. Do I ever say to myself, "Slow down"? I like the pace, and I have a team that likes the pace as well.