A man jogs past the CBS Broadcast Center on August 13, 2019, in New York City, the day the $12 billion CBS-Viacom merger was announced. Not all deals are for that amount of money, but today’s columnist, Chad McDonald of Radiant Logic, says once a merger is in play, security teams have to identify all the important data and automate processes so threat actors can't take advantage of the inevitable gaps. (Photo by Drew Angerer/Getty Images)

Few business activities are as turbulent as mergers and acquisitions, and they’re happening more frequently. PwC estimates that 2021 was a record-breaking year, with more than 62,000 deals announced globally. Successful M&A can create huge opportunities for all involved, facilitating growth and enabling enterprises to seize new markets—but making M&A seamless is easier said than done, especially from a technical perspective. According to most studies, between 70% and 90% of acquisitions fail. Most explanations for this depressing number emphasize problems with integrating the two parties.

Because modern businesses are built around digital identities, most of the responsibility for making the transition falls on the shoulders of IT and security leaders. Imagine, for example, that a CISO of a large global organization has just acquired four companies in rapid succession. Each company is based in a different country, boasts over 100,000 employees, and has its own platforms for managing identity and system access.

So, short of completely deconstructing the acquisitions, how does the CISO go about merging identity and system access? And, more importantly, how does the security team complete this before circling threat actors swoop in to take advantage?

The challenge of managing M&A

Once an M&A is completed, the new company has to get all parties synced up to work together. This means that all the employees across different locations need to communicate and access resources effectively, often a painfully slow process.

The first hurdle is aligning counterpart departments across the different organizations. Bringing two companies together means two finance departments, two engineering departments, and so on. While it’s common to keep regional teams together in some form, the combined company will see a lot of duplicated roles and activity, and, subsequently, employees exiting the company or moving to other departments.

From an IT perspective, this means there are suddenly a lot of orphaned user accounts that must be deleted, and other accounts that need roles and privileges changed. Managing this process demands a proper understanding of which accounts actually belong to real people.

The elevated cyber risk

A lax approach to employee exit processes can lead to a buildup of ghost accounts. On a small scale, security teams can start to resolve this by walking over to the finance department with a clipboard. On a global scale with thousands of employees, it isn’t straightforward.

These stale accounts present a serious security risk. If cyber criminals discover and compromise them, they can use and abuse the account’s access privileges with little oversight. Even more direct risks are posed by former employees deciding to exploit their former accounts for profit or out of malice. The risk becomes particularly grave when it comes to privileged accounts with admin capabilities.

The situation gets further complicated by the fact that user identities are usually spread across multiple different platforms. There’s nothing to say that the Tim Smith in Active Directory is the same one in Salesforce, or in the homebrew financial application the company uses.

How can IT and security teams connect the dots?

Start by developing a baseline understanding of the identities and systems in place across all the organizations involved in the M&A. Next, create a clear picture of just how many of these accounts still belong to real people that are currently employed at the company, and how many are ghosts or duplicates. With so many identities involved, getting an accurate idea of bodies in the room becomes mostly a manual process, usually involving HR departments and department managers.

Once this has been achieved, it’s time to automate. The security team gathers all the scraps of identity into a single identity data fabric. From there, automated tools can discover the user identities that are defunct and delete them, while mapping those that are still valid to an abstraction layer.

Now, the team can connect Tim Smith from finance to his many different digital identities, as well as gaining a single global view of what he can access across the ecosystem. Once in place, the security team can automatically update joiners and movers in the system, ensuring that identities are up-to-date in real time.
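As an added illustration (not the column's own code, and not Radiant Logic's product), the correlation step described above can be sketched in a few lines: account exports from several systems are matched to an HR roster by employee id or, failing that, by normalized email; anything that matches no currently employed person is an orphan, and orphans carrying admin rights are surfaced first. The roster, the system names and the account records are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data: an HR roster of people and their employment
# status, plus account exports from three systems with different formats.
HR_ROSTER = {
    "E1001": {"name": "Tim Smith", "email": "tim.smith@example.com", "status": "active"},
    "E1002": {"name": "Ana Lopez", "email": "ana.lopez@example.com", "status": "active"},
    "E1003": {"name": "Raj Patel", "email": "raj.patel@example.com", "status": "terminated"},
}

ACCOUNTS = [
    # (system, account_id, email, employee_id, privileged)
    ("active_directory", "tsmith", "tim.smith@example.com", "E1001", False),
    ("salesforce", "tim.smith@example.com", "tim.smith@example.com", None, False),
    ("finance_app", "TSMITH2", "TIM.SMITH@EXAMPLE.COM", None, True),  # email case differs
    ("active_directory", "rpatel", "raj.patel@example.com", "E1003", True),  # left the company
    ("finance_app", "svc_batch", None, None, True),  # no owner recorded anywhere
    ("salesforce", "ana.lopez@example.com", "ana.lopez@example.com", None, False),
]

@dataclass
class Identity:
    """One real person and every account that resolves to them."""
    employee_id: str
    name: str
    accounts: list = field(default_factory=list)  # (system, account_id, privileged)

def correlate(roster, accounts):
    """Map each account to a current employee via employee id, else via
    normalized email. Returns (identities, orphans): identities is keyed by
    employee id; orphans are accounts that resolve to nobody still employed."""
    by_email = {p["email"].lower(): eid for eid, p in roster.items()}
    identities = {eid: Identity(eid, p["name"]) for eid, p in roster.items()
                  if p["status"] == "active"}
    orphans = []
    for system, acct, email, eid, priv in accounts:
        owner = eid or (by_email.get(email.lower()) if email else None)
        if owner in identities:
            identities[owner].accounts.append((system, acct, priv))
        else:
            orphans.append((system, acct, priv))
    return identities, orphans

def privileged_orphans(orphans):
    """The accounts to remove first: orphaned and carrying admin rights."""
    return [o for o in orphans if o[2]]

if __name__ == "__main__":
    ids, orphans = correlate(HR_ROSTER, ACCOUNTS)
    for i in ids.values():
        print(i.name, "->", [(s, a) for s, a, _ in i.accounts])
    print("orphans:", orphans, "privileged:", privileged_orphans(orphans))
```

Run stand-alone, it shows Tim Smith resolved to three accounts across all three systems, while the terminated employee's admin account and the ownerless service account land in the orphan list.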

By establishing a single source for all identity data, IT and security heads can quickly form a clear picture from the multitude of pieces that come with M&A – before threat actors can seize the opportunity.

Chad McDonald, chief of staff, CISO, Radiant Logic