The CISO Perspective on IT Asset Management: Why Security and ITAM Go Hand-In-Hand
Whether it’s the forgotten PC hiding behind a box of cookies in a dark closet, or the ex-employee who still has a corporate-issued laptop—we all have a story of how misplaced or mismanaged assets have contributed to security risks within the organization.
“Inventory's rough because we should know what equipment we have,” says Dan Anderson, CISO of Lifescan. Anderson adds that contractors, vendors, employees, and virtual machines all add to the difficulty of providing a clear view of your environment.
Anderson’s peers agree. A complete picture of your assets is part of a solid security strategy.
“The basic function of security is knowing what you have and where it is, so you can secure it,” says Ryan Layton, CEO of Secuvant. “That’s where we're probably missing the most.”
Layton says the challenge is two-pronged. Large enterprise IT teams often struggle with the growing size of their organization. Small to mid-market enterprises often don’t have the resources to keep up with good asset management practices.
“The mid-market is interesting because, in most cases, they don’t have a CISO – they have an IT Manager or IT Director that reports to a CFO or a COO,” said Layton. “That person is functioning as the IT Director as well as Security lead… and that’s a problem because you have a conflict of interest.”
Layton recommends forming a governance committee that pulls in executives, IT, and if possible, security team members.
Ivanti CISO Phil Richards says guidelines are in place, but often it’s easier said than done.
“The National Institute of Standards and Technology (NIST), who's the governing body, comes out with a lot of these standards in terms of what you're supposed to put in place. Their configuration management baseline, which is called CM-2, says that you have to have a current and accurate snapshot of your hardware and software inventory, and that it needs to change and be reflected as being accurate at all times,” said Richards. “The way they say it makes it sound easy, but it’s not easy.”
Peter Green, Virtual CISO at Sirius Computer System, says ITAM’s fingerprints are all over key IT functions.
“Asset management, vulnerability management, patching, remote control, certificate delivery, it’s all there in configuration management,” said Green.
Despite this, Green says asset management often falls off the top priority list for most IT teams.
“Honestly, I think they've blown past it, just because out of necessity. They're trying to look at their top three, top five… protecting the crown jewels and trying to classify data so they know what data they have,” said Green. “It’s a little alarming how underserved asset management is.”
One way to justify ITAM’s role at the top of the list is to think of your users as assets.
“As long as you have users, you're going to have problems,” said Layton. “It's education, it's getting the controls, it's getting the culture right. It has to start with the top, and you have to push it down or you're stuck.”
Richards agrees. While it might not directly relate to pure ITAM practices, he says user education is essential in protecting your environment from cyberattacks. He and his team conduct test phishing campaigns to make sure employees understand the consequences of their actions.
“An employee actually responded to and clicked on a phishing email, put in their user credentials and everything… then they opened up an incident defect that said their password wasn't accepted on the website,” said Richards. “They went the extra mile and tried to get us to fix it because their legitimate password wasn’t accepted in the malware.”
As for the offenders at the top of the list, Layton says you might be surprised about who is falling for these phishing emails.
“The biggest culprits of phishing and bad practices are, generally, the executives,” claims Layton. “It's just, they're so busy. Routine is a big piece of what they do, and so you get caught in your routine and you kind of get caught.”
Richards says threat actors are always looking for your weakest link when it comes to attack vectors. Whether it’s your users, a particular endpoint, or a lapsed practice – it’s only a matter of time before you’re exposed.
“For patching or encryption we have to get it right on every single one of our devices, because the one device we miss is the one that the bad guys are going to find and they're going to get into it,” said Richards. “We have to get it right 100% of the time, and that's really the hard part.”