IT Asset Governance Improves Security Efforts
Ok, I admit I kind of got sucked back into Fuller House recently. One line, cleverly addressing the missing cast of the show, is “It’s always open.” That’s something no IT security department ever said referring to their network, and I guess no one should leave their door unlocked in San Francisco either, but there’s that.
Data is the livelihood of business—trillions of data exchanges containing sensitive corporate information happening every second, all over the world. Data breaches are an ever-increasing danger.
In healthcare, for example, the number of breached patient records has doubled, from 15 million throughout 2018 to 32 million between January and June 2019. Let that sink in. The first half of 2019 doubled the total of all breached patient records in 2018, according to the Protenus Breach Barometer.
Not surprisingly, the top source of data breaches is external attackers. The next most prevalent cause of compromised data records was accidental data loss—human mistakes. Former employees retaining full access to SaaS applications, rogue assets, unlicensed software, and lost or stolen devices are just a few examples of what IT and Security teams deal with on a regular basis.
Security Concerns Will Drive Half of ITAM Initiatives
According to Gartner, Inc., 50% of ITAM initiatives will be primarily driven by information security needs and concerns by 2022. (“Enabling the Management of IT Assets With a Comprehensive IT Asset Life Cycle,” analyst Ryan Stefani, Gartner’s IT Sourcing, Procurement, Vendor & Asset Management Summit)
IT and security teams often struggle to identify all of the IT assets in their environment. This is not an easy task given the dynamic nature of technologies such as devices on and off the network, mobile devices, and cloud instances. This lack of visibility widens the cyber exposure gap, increasing the chances of a business-disrupting cyber event.
In the past, the IT Asset Management (ITAM) discipline has been predominantly used to ensure license compliance. While this is still one of the primary drivers, ITAM is becoming a key focus area for security teams to fully understand what assets they really have, where they are located, how they are used, and what security risks they potentially represent.
Two-Thirds of IT Managers Don’t Have Completely Accurate IT-Asset Records
As reported in ComputerWeekly, 66% of IT managers admit to not having a completely accurate record of their IT assets. Many organizations still use spreadsheets for their management initiatives.
The process involved in assessing and patching vulnerabilities to protect against cyberthreats can be very sophisticated on the security side. However, to manage inventory, many organizations still rely on their manual spreadsheets, which means they still don’t really have a good handle on their inventory. An EY report states that around 56% of organizations verify asset location only once a year, with 10 to 15% only every five years.
According to ISO standards, you can really only get to a level of optimization if you start with Level 1, Knowing What You Have, so you can manage it. Do you know all of the devices on your network? Are they all authorized, or do you have rogue devices? Is EVERYTHING really patched?
For proper vulnerability assessment, you need a proper baseline to understand what you truly have before you can manage and secure it. By tying together data systems for IT assets and security, you can arrive at this visibility and apply business and security rules and automation to improve your cybersecurity resilience and gain efficiencies. Example? According to CIO digital magazine, each computer in every office around the world has about $259 of unnecessary, unwanted, or unused software on it on average. Each software license and piece of hardware, whether used or not, represents a risk or vulnerability. If it’s not used, it should not remain in your environment.
When you get rid of unused assets, you can reduce your attack surface and reduce your security exposure. IT Asset Management governance addresses the assignments of rights and responsibilities for decisions regarding the investment, utilization, and divestiture of IT assets, with the objective of ensuring asset optimization, cost control, and risk mitigation. It’s critical for Security and IT teams alike.
How to Get Started
The National Institute of Standards and Technology (NIST) has published a Cyber Security Guide for ITAM. The publication was co-written with the National Cybersecurity Center of Excellence (NCCoE) and provides insight into what security professionals expect an asset management system to provide, and how they would go about configuring it. NIST believes that “ITAM enhances visibility for security analysts, which leads to better asset utilization and security.” NIST also sees ITAM as “foundational to an effective cybersecurity strategy.”
IT Asset Management governance is a team effort. Align your asset teams closely with your security, procurement, and finance departments to define, establish, and monitor your asset lifecycle and security processes for best results. If your cross-functional team bases its processes, controls, and operations around the NIST frameworks, you now have a common framework to deliver against.