An ever-expanding attack surface is a global concern for most organizations and complicates an M&A, especially for CISOs. The M&A prospect may have a partially unprotected attack surface, thus increasing security risk coming in the form of a gap between the attack surface they can and do protect and the attack surface (and accompanying assets) they need to defend. This gap is what many M&A prospects bring to the table. And while an M&A may have undisputed business and strategic value, CISOs must still address the security risks involved in acquiring another organization’s assets and its current attack surface, fully protected or not.