Published by Jessica Weisman-Pitts
Posted on July 5, 2022
8 min readLast updated: February 5, 2026
Add as preferred source on Google
By Chad McDonald, CISO at Radiant Logic
When it comes to fast business growth, few strategies are as critical as mergers and acquisitions (M&A). 2021 was a record-breaking year for M&A, with 62,000 deals announced globally – a 24% growth from 2020. In fact, the overall value of M&A reached $5.8 trillion last year, and it’s expected to remain robust in 2022.
Successful M&A is critical for businesses as it results in greater opportunities to enter new markets and access wider resources. However, effective M&A is hard to achieve, as it requires a complex integration of technical and network infrastructures between enterprises. For example, the failure rate of mergers and acquisitions is between 70% and 90%. When multiple companies plan on coming together, they bring their own policies and infrastructure. It’s like having several different jigsaw puzzles and attempting to combine them into a single meaningful piece.
From an IT perspective, it is an even more difficult task. Modern businesses are built around digital identities and interconnected networks. So, when it comes to merging departments or businesses, most of the responsibility gets dumped on IT and security leaders. Imagine you’re the CISO for a large enterprise that just acquired two other companies. Each company is in a different location, they have thousands of employees, and their own unique platforms for managing identity data and system access.
So how do you manage this complexity? How do you ensure that all of these separate systems and platforms are constantly monitored and administered from a single hub? More importantly, how do you make sure that threat actors do not slip in through the haystack of access points?
Why identity data management is a critical challenge during M&As
One of the biggest aspects of M&A is syncing and collaboration, which needs to be actioned almost immediately after a deal goes through. Employees across both organisations and different departments need to be able to communicate and access resources efficiently without any disruption to the business.
However, it can be a complex and painfully slow process, and the larger the M&A the bigger this problem becomes. CISOs often wonder where to start due to the large volume of data scattered across several applications that need to be synced.
Research by Radiant Logic found that 44% of the companies that went through M&A took at least 7-12 months to synchronise application access across all involved entities, and 35% of the companies took even longer.
But where is this complexity coming from? Firstly, when two companies merge, similar departments also need to be merged. It means syncing two finance departments, two production departments, and so on. Then there is the challenge of managing duplicate roles and responsibilities. For instance, there will be two finance managers and multiple payroll officers, who have almost identical responsibilities.
While dividing the workforce into regional teams might solve the problem of financial decision making and operations management, there’s still the massive issue of managing duplicate identities across different systems. For example, if an employee leaves the company or switches departments, their records and privileged access will be deleted from the central database, but it will still remain in their accessed systems and several different communication channels. In fact, our research found that 52% of all tech executives find the manual provisioning and deprovisioning of user access to be the most stressful challenge.
The lack of control over the provisioning and deprovisioning of user access also increases the potential risk of suffering a cyberattack. According to reports, 47% of ex-employees still have access to business data months after their exit. Threat actors can use these identity credentials to access restricted areas of the network and cause significant damage to an organisation. Disconnected systems help increase the attack surface and create gaps, allowing threat actors to move laterally across the network and remain virtually undetected.
From an IT perspective, it becomes an excruciatingly painful process to find, modify or change this data, and change access privileges. To manage this complexity, CISO’s and security admins need to develop a clear understanding of which accounts belong to who, and which systems each account should have specific access to. Then again, it’s also not a fast and easy process. That’s why we see that big 7-12 month gap (or more!) in achieving synergies and integration between all systems after an M&A.
Financial companies face the biggest challenge
The complexity of M&A is often greater for financial organisations and institutes such as banks. This is because financial companies are very distinct from each other, especially when they are operating in different regions. For example, a US Bank would have very different policies and a network infrastructure compared to a bank in Asia or Europe.
When such organisations merge, it’s often difficult to find common digital resources. For instance, one company might be using Salesforce and another might be using Oracle solutions. The digital identities of these companies will be scattered across multiple different platforms that offer almost identical services.
There is also the fact that financial companies tend to have a bigger workforce compared to other industries. A bigger workforce means more digital identities and privileged access, leading to more management complexity during M&As.
Unifying all sources of identity data with Identity Data Fabric
The first step to achieving successful integration after a M&A is to clarify the identities across all the organisations involved. This means separating real accounts from ghosts or duplicates. There needs to be an accurate projection of identities, meaning that HR departments and managers need to come together to produce a correct headcount. Once this accurate projection has been achieved, automated tools can be used to detect and delete the duplicate accounts.
Once all duplicate and stale accounts have been removed from the network, it’s time to implement an effective IAM framework. The current IAM solutions in the industry often fail to manage the sheer complexity and volume of M&As. Radiant Logic found that 67% of organisations have a modern access control and governance solution, but a lot of apps and users are left out. This is because the majority of the current IAM solutions work at the application layer – meaning they focus on unifying applications and systems instead of unifying identity data. This is a particularly negative approach for integrating cross-organisational systems, as most applications have very different protocols and are often tailored to the specific needs of a department.
Thus, the most effective solution is to create an unified single source for all identities using an Identity Data Fabric.
An Identity Data Fabric is an approach that unifies every identity data across the entire organisational network from all sources, regardless of where the data is stored, whether on-premise or in the cloud. It collects all identities scattered throughout the network, maps similar identities to an abstraction layer, and merges them into a single user profile. So, now all identities within the network are unique, and one profile links to multiple systems and applications.
It also works at the data layer instead of the application layer, meaning that unifying allsource identity data will not impact how existing applications work, rather it will provide a better way to access, present, and manage identity data across all organisations.
Implementing this framework allows security teams to have complete visibility over the entire network. They can easily identify the true level of access associated with each unique user across multiple systems and applications, whether it is on the cloud or on-premise, leaving no gaps for cyberattacks to exploit.
For example, with an Identity Data Fabric, ‘John Doe’ from Active Directory can be linked to his various digital identities and access points. In one single view, admins can identify which systems and platforms John Doe has access to and which he doesn’t. Once the employee exits the company, only deleting his data from the Identity Data Fabric can remove all his digital identities and access privileges across the system.
Establishing a single source for all identity data can help IT and security teams to have a clear picture of access and administration privileges across thousands of employees, thus eliminating the stress of identity and access management (IAM). It allows security teams to easily monitor access points and address vulnerabilities quickly before cybercriminals can act.
Using anIdentity Data Fabric can radically simplify the complex process of identity management and governance, as well as boost the speed and agility of mergers and acquisitions.
Mergers and acquisitions (M&A) are strategic decisions where companies combine (merger) or one company purchases another (acquisition) to enhance market presence and operational efficiencies.
A Chief Information Security Officer (CISO) is an executive responsible for an organization's information and data security strategy, overseeing the implementation of security measures.
An Identity and Access Management (IAM) framework is a set of policies and technologies that ensure the right individuals have appropriate access to technology resources.
A cyberattack is a malicious attempt to access, damage, or disrupt computer systems, networks, or devices, often to steal sensitive information or cause harm.
Explore more articles in the Business category
