The conventional wisdom is that cyber posture in an acquired company is a year-three problem. It is wrong, and it is wrong in a way that compounds. The decisions made in the first 100 days post-close — which directories to merge, which contractors to keep, which subscriptions to cut, which third-party access to revoke — set the posture envelope for the entire hold period. Get them right and the company enters year three with a clean identity surface and a logging baseline that an exit-side diligence team accepts on the first read. Get them wrong and year three is a remediation project that shows up as a finding in the buyer's diligence.
The compounding is not metaphorical. Every dormant account left in place at day 30 is still there at day 730, but now it has been used. Every duplicated subscription left unrationalized at day 60 has been wired into a workflow nobody owns. Every former contractor whose access was not revoked at day 14 is still in the identity provider at month 18. The first 100 days are the only window when the integration team has the political authority and the executive air cover to make these decisions cleanly. After day 100, every change becomes a negotiation with a department head who has gotten used to the access they have.
The eight controls to ship by day 30
The integration team does not need a posture program in the first 30 days. It needs eight controls, in priority order, each with a named owner and a date:
- SSO and MFA backbone. Settle the identity provider for the new entity, then enforce MFA on it — phishing-resistant where the population supports it, TOTP everywhere else, SMS fallback removed. Nothing else compounds without this.
- Access cleanup at the identity provider. Reconcile every active account across both directories against last login, group memberships, and privileged roles. Disable dormant accounts and remove terminated employees who never made the offboarding queue. Thirty to fifty percent identity bloat on the first audit is normal.
- Endpoint baseline. Managed EDR on every laptop with a known configuration and a known coverage percentage. Enumerate by day 30, close the gap to 95%+ by day 60. This is what the cyber insurance underwriter asks about on renewal.
- MFA on financial systems. The identity-provider MFA does not automatically cover the ERP, the AP automation tool, the corporate card platform, or the bank portal; each is a separate authentication surface unless it has been federated. At least one of these is usually configured with shared credentials or a service account that has been exempted from MFA. Wire fraud and BEC concentrate here.
- BAA inheritance. In regulated verticals, every business associate agreement (BAA) the seller held has to be reviewed for whether it survives the change of control and whether the new entity is the named party. The day-30 milestone is the inventory and the gap register, not the renegotiation.
- Third-party access audit. Every external party with access — outsourced IT, MSP, accounting firm, the developer who left two years ago — has a credential that survived the close. Produce the list, then decide which survive.
- Off-boarded employee and contractor purge. HR has one list, the identity provider has another, the SaaS apps a third, the git host a fourth. The reconciliation produces the master list of accounts that should not exist.
- Vendor inventory. Not vendor management — just a list: every subscription, license, cloud account, and external integration. It is the precondition to rationalization, to the BAA work, and to the insurance renewal questionnaire.
The identity sprawl audit
If one part of this lands, I hope it is this one. Identity sprawl is the most consistent finding post-close, the cheapest to fix in the first 100 days, the most expensive to fix after month six, and the one that most reliably surfaces in exit diligence — because the buyer's IT team can produce the diagnostic in an afternoon, and they will. The bloat decomposes into four buckets: dormant employee accounts, former contractors and short-term consultants, service and integration accounts with privilege concentration and no MFA, and third-party or partner accounts that are often over-privileged and undocumented.
The method is mechanical. Pull the identity-provider roster (with last-login timestamps and role assignments), the HR roster, the AP/vendor master, and the admin consoles for the top apps by spend, then reconcile with a series of joins. Every account in the identity provider that appears in neither HR nor the AP file is a candidate for disablement; an account that matches an active employee but is dormant by last login is a candidate too. The one bucket the join cannot settle on its own is service and integration accounts, which appear in neither file by construction: those get a named owner and a review of their MFA exemption before anything is disabled, because a blind disable breaks whatever integration they feed. Disable, do not delete; preserve the audit history; wait fourteen days; re-enable on review if anyone surfaces. The surface rate is consistently low. The rest were accounts that should have been disabled when their reason to exist ended. The audit is not a one-time event. It is a quarterly hygiene practice that, once established, keeps the bloat from regrowing, and the exit-side diligence will ask for the trend line.
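The reconciliation described above, and the access cleanup and off-boarded-account purge in the day-30 list, come down to one join. The script below is an added example, not code from the original post; the rosters are constructed inline, and the column names, the 90-day dormancy threshold, the role names treated as privileged, and the `kind` field that marks service accounts are assumptions about what real exports would carry. It buckets every IdP account into keep, disable, review-as-third-party, or assign-an-owner, and carries the risk flags (privileged, no MFA, dormant) into whichever bucket the account lands in.

```python
"""Identity-sprawl reconciliation: join the IdP roster against HR and the
AP vendor master and bucket every account.

Added example, not code from the original post. Rosters are constructed
inline; the column names, the 90-day dormancy threshold, the role names
treated as privileged, and the 'kind' field that marks service accounts
are all assumptions about what real exports would carry.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

DORMANT_AFTER = timedelta(days=90)             # assumed threshold
PRIVILEGED = {"global_admin", "billing_admin"}  # assumed role names
TODAY = date(2024, 6, 1)                        # pinned so the run is deterministic


@dataclass(frozen=True)
class IdpAccount:
    email: str
    kind: str                    # "user" or "service" (assumed export field)
    last_login: Optional[date]   # None: never logged in
    mfa_enrolled: bool
    roles: frozenset


# Constructed sample exports (not real data).
IDP: List[IdpAccount] = [
    IdpAccount("alice@acme.example", "user", date(2024, 5, 28), True, frozenset({"global_admin"})),
    IdpAccount("bob@acme.example", "user", date(2023, 11, 1), True, frozenset()),
    IdpAccount("carol@acme.example", "user", date(2024, 1, 10), True, frozenset()),
    IdpAccount("dave@acme.example", "user", None, False, frozenset()),
    IdpAccount("eve-contractor@acme.example", "user", date(2024, 4, 1), True, frozenset()),
    IdpAccount("ops@msp.example", "user", date(2024, 5, 30), False, frozenset({"global_admin"})),
    IdpAccount("svc-erp-sync@acme.example", "service", date(2024, 5, 31), False, frozenset({"billing_admin"})),
]
HR: Dict[str, str] = {            # email -> employment status
    "alice@acme.example": "active",
    "bob@acme.example": "active",
    "carol@acme.example": "terminated",
}
AP_DOMAINS: Set[str] = {"msp.example", "cpa.example"}   # domains from the vendor master


def flags(acct: IdpAccount, today: date) -> List[str]:
    """Risk markers that travel with the account into whichever bucket it lands in."""
    out = []
    if acct.roles & PRIVILEGED:
        out.append("privileged")
    if not acct.mfa_enrolled:
        out.append("no-mfa")
    if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
        out.append("dormant")
    return out


def reconcile(idp, hr, ap_domains, today=TODAY) -> Dict[str, List[Tuple[str, str]]]:
    """Bucket each IdP account: keep / disable / review_third_party / assign_owner.

    Each entry is (email, reason-or-flags). Disable means disable, not delete;
    the 14-day re-enable window is a process step outside this script.
    """
    buckets = {"keep": [], "disable": [], "review_third_party": [], "assign_owner": []}
    for acct in idp:
        fl = flags(acct, today)
        domain = acct.email.rsplit("@", 1)[-1]
        if acct.kind == "service":
            # Service accounts appear in neither HR nor AP by construction, so the
            # join alone would flag all of them. They need an owner and an MFA
            # exemption review, not a blind disable that breaks an integration.
            buckets["assign_owner"].append((acct.email, ",".join(fl)))
        elif hr.get(acct.email) == "active":
            if "dormant" in fl:
                buckets["disable"].append((acct.email, "dormant"))
            else:
                buckets["keep"].append((acct.email, ",".join(fl)))
        elif hr.get(acct.email) == "terminated":
            buckets["disable"].append((acct.email, "terminated-never-offboarded"))
        elif domain in ap_domains:
            # Matched the vendor master: a third party whose access survived the
            # close. Keep for now; the flags decide how urgently to review it.
            buckets["review_third_party"].append((acct.email, ",".join(fl)))
        else:
            buckets["disable"].append((acct.email, "in-neither-hr-nor-ap"))
    return buckets


def bloat_ratio(buckets) -> float:
    """Share of the IdP roster that should not exist; track this quarter over quarter."""
    total = sum(len(v) for v in buckets.values())
    return len(buckets["disable"]) / total if total else 0.0


if __name__ == "__main__":
    result = reconcile(IDP, HR, AP_DOMAINS)
    for bucket, rows in result.items():
        for email, note in rows:
            print(f"{bucket:20} {email:32} {note}")
    print(f"bloat ratio: {bloat_ratio(result):.0%}")
```

On the constructed rosters the run disables four of seven accounts (one dormant employee, one terminated employee never offboarded, two accounts in neither HR nor AP), keeps one, routes the MSP's privileged no-MFA login to third-party review, and sends the ERP sync account to the owner-assignment queue rather than the disable list. Running the same script each quarter and keeping the bloat ratio per run produces the trend line the exit-side diligence asks for.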
Why the window matters
The first 100 days are the cheapest 100 days. They are when the cyber insurance market forms its view of the new entity, when the renegotiation leverage on vendor and BAA contracts is highest, and when the artifacts the exit-side buyer will read are actually created. An MFA rollout in month four shows up in the audit log as an MFA rollout in month four; it does not retroactively become one in week one. The posture window is not coachable on the way out. It is the work that was actually done.
