In a recent conversation, a friend was pondering if she’d been impacted by the recent T-Mobile breach. “I know my personally identifiable information has been included in several big breaches in the past, and I’m sure it’s been sold a million times over. I’ve never been a T-Mobile customer, yet T-Mobile acquired Sprint, and I was a Sprint customer for years. Do you think my data has been compromised as a result?”

I can’t answer that question as I’m not close enough to the details of the investigation. But I do think it raises a few important topics – what M&A means for cybersecurity and how it impacts security investigations.

According to the 2020 Ponemon Institute Cost of a Data Breach Report, the average time to detect and contain a breach caused by a malicious attack is 280 days, and the average cost savings of containing a breach in less than 200 days is $1.12M. That’s a motivational amount of dollars yet, strangely, security investigations have never been the main area of focus for most organizations. Their efforts have been largely geared toward prevention and detection. But breaches still occur. Every single day.

A well-known CISO recently said that “if you have an online presence, you have to acknowledge that you will inevitably be breached. If you can embrace that and focus on getting quickly through the investigation with high confidence outcomes, then you can start to build true cyber resiliency.”

Data is everywhere and centralization hurts

Cybersecurity investigations are complex for a number of reasons.

Let’s start with the current landscape. First, there’s the mass addition of cloud technology for infrastructure and software that is now primarily delivered as a service (SaaS). Then there are a plethora of other decentralized data sets for identity, threat intelligence, vulnerability information, etc. You’ve got a lot of dots to connect!

If that’s not enough, most organizations are still relying on traditional tools, which attempt to centralize all their data before interrogating it. The task of centralization is never ending, and always adds time and cost to the process.

There are so many factors making it impractical and inefficient to continue in this way … the explosion of data, further distribution of data as technology evolves (in the cloud, in SaaS applications, on prem), rise in the number of attacks, the shortage of cybersecurity expertise, time and expense required to train new cybersecurity staff … and the list goes on.

It’s no wonder it’s so tough for most enterprises – big and small – to truly understand what their assets look like, keep their security processes entirely up to date, and ultimately achieve cyber resilience.

Now compound that complexity with a merger or acquisition situation, and the integration of two companies. Simply painful.

A sound approach to merging security operations

There are steps you can take to create immediate efficiencies in your security operations integration.  Let’s look across the three pillars of cybersecurity: people, processes, and technology.


Security team structures change as two organizations come together. There’s a massive psychological impact to restructuring teams and changing processes. Shift things overnight, and you’ll be faced with the real risk of employee turnover. If your people walk out the door, so too does a lot of specialized expertise and valuable institutional knowledge, putting you in a weaker position when dealing with adversaries.

Take the time to ask, listen, and understand the mentality of the teams you’re bringing together. Also, give them access to technologies that will streamline their processes and make them more effective. This will result in a more rewarding work environment for your team, and retention of essential security operations staff for your business.


It’s no secret that processes are crucial to the implementation of an effective cybersecurity strategy. In merger or acquisition situations, one company often extends its practices across the newly combined organization. A better approach is to look at management systems, governance, policies, and third-party management procedures from both sides.

Take the opportunity to assess the strengths and weaknesses of each organization, then incorporate the best of each to build the most appropriate structure for your merged company.


Visibility is an overused term, but when you bring two companies together, it’s essential to quickly have visibility into what is happening in both environments. Without this, it’s impossible to secure your combined company. The very real odds are that each organization is using a multitude of cybersecurity technologies. That is requiring teams to manually look at decentralized data and piecemeal it together for high fidelity detection and response. Most organizations spend six or more months going through the time consuming and costly process of centralizing massive amounts of data to achieve some level of visibility.

Take a different approach that allows you to rapidly gain real-time, centralized insights from decentralized data across your combined company. Use a security investigations control plane that sits on top of, and connects, your existing data planes without requiring you to transfer or duplicate data. With API integrations and a unified browser interface, you won’t have anything to install or need to rip or replace any existing technologies to begin reaping the rewards.

Cybersecurity can be complex, and so can be mergers and acquisitions. While you can have the best laid plans, each cybersecurity and M&A situation is slightly different, meaning there are no silver bullets for either. By starting with a sound approach and embracing a willingness to learn and evolve, you can more quickly overcome some frustrations and challenges related to each.