A large financial services company has just acquired a smaller fintech startup to integrate its innovative mobile platform. A security architect on the integration team discovers the startup had a relaxed IT policy, allowing developers to use their own cloud services and unmanaged devices. Which of the following presents the most immediate and critical risk to the acquiring company's security posture?
Consolidating software licenses to reduce redundant spending on productivity tools.
Undocumented and unmanaged assets from the startup creating a shadow IT environment that is not covered by existing security controls.
Integrating the startup's employees into the parent company's identity and access management (IAM) system.
Harmonizing the two companies' data classification and acceptable use policies.
The most critical initial risk during a merger or acquisition is the presence of unknown and unmanaged assets, often called 'shadow IT'. These systems are not protected by the acquiring company's security controls, creating significant gaps that attackers can exploit. While integrating IAM systems, consolidating licenses, and harmonizing policies are all important integration tasks, they are secondary to the immediate threat posed by an unsecured and expanded attack surface. The first step must be to discover and gain visibility over all inherited assets to apply necessary security measures.