ITAM and CTEM

IT security – you don't need to reinvent the wheel!

In the article "How to Manage Cybersecurity Threats, Not Episodes," Kasey Panetta of Gartner describes the value of implementing a Continuous Threat Exposure Management (CTEM) program. Gartner acknowledges the need for organizations to be more proactive with their IT security programs and for the security program to adapt to ever-changing IT infrastructure and business objectives. From an IT security perspective, Gartner's direction appears to be excellent advice.


"By 2026, organizations that prioritize their security investments based on a continuous exposure management program will be 3x less likely to suffer a breach."


"3x" is a bold statement, but if their recommendations are implemented appropriately, it is difficult to imagine the organization's IT security program would not significantly improve. The question then becomes, how much would it cost to implement this program or, more to the point, what is the ROI?


How much the program will cost is a good question. Unfortunately, Gartner appears to have defined CTEM in a vacuum, omitting the most critical component, IT Asset Management. 


"A continuous threat exposure management (CTEM) program … prioritizes whatever most threatens your business."


To prioritize, you need to know:

  1. The IT asset exists.
  2. Where the IT asset is.
  3. Who uses the IT asset (e.g., receptionist, marketing, legal, HR, executive).


Gartner defines five steps to create a CTEM program:


"Step No. 1: Scope for cybersecurity exposure, first for external and SaaS threats"


  • To understand the exposure, you must first understand what can be exposed. In other words, what IT assets do you have?
  • You must also know where the asset is located.
  • A SaaS asset may not be easily discovered, and its security exposure must include the SaaS provider; hence the requirement for Cloud Asset Management.
  • The IaaS/PaaS asset type is not mentioned, but it has similar, and more complicated, issues than SaaS and is also managed by Cloud Asset Management.


"Step No. 2: Develop a discovery process for assets and their risk profiles" 


  • ITAM lives and dies by discovery, and typically not by just one discovery tool. Furthermore, a discovery tool is only effective for assets that are discoverable.
  • The ITAM staff reconciles what was discovered against the current inventory.
  • Discovery is an ongoing effort aided by ITAM processes that capture the request, approval, procurement, receiving, configuration, deployment, in-use, recovery, and disposal of IT assets.


"Step No. 3: Prioritize the threats most likely to be exploited" 


  • To properly prioritize threats, you must know what assets are in use, where the assets are located, for what purpose, and by whom. ITAM lifecycle processes capture all of this information.
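Steps 2 and 3 above (discovery, reconciliation against the ITAM inventory, and prioritization by what ITAM knows about each asset) expressed in code, as an added example that is not from the post or from ITAM IQ; the hostnames, locations, roles, role weights and the scoring rule are constructed assumptions:

```python
from dataclasses import dataclass

# Weight by who uses the asset (roles from the post's example list; weights are assumed).
ROLE_WEIGHT = {"executive": 5, "legal": 4, "hr": 4, "marketing": 2, "receptionist": 1}
@dataclass(frozen=True)
class InventoryRecord:       # what ITAM holds for an asset: it exists, where it is, who uses it
    hostname: str
    location: str
    owner_role: str
@dataclass(frozen=True)
class DiscoveredAsset:       # what a discovery/scanning tool reports
    hostname: str
    internet_facing: bool
    high_findings: int       # count of high-severity findings
# Constructed sample data, not real assets.
INVENTORY = [
    InventoryRecord("fin-lt-01", "london-hq", "executive"),
    InventoryRecord("hr-ws-07", "leeds-office", "hr"),
    InventoryRecord("mkt-lt-12", "london-hq", "marketing"),
    InventoryRecord("rcp-ws-01", "leeds-office", "receptionist"),
]
DISCOVERED = [
    DiscoveredAsset("fin-lt-01", False, 1),
    DiscoveredAsset("mkt-lt-12", True, 2),
    DiscoveredAsset("rcp-ws-01", True, 3),
    DiscoveredAsset("unknown-srv-9", True, 2),  # discovered but unknown to ITAM
]

def reconcile(inventory, discovered):
    """Split assets into matched, unmanaged (discovered only) and undiscovered (inventory only)."""
    inv = {r.hostname: r for r in inventory}
    seen = {d.hostname: d for d in discovered}
    matched = {h: (inv[h], seen[h]) for h in inv.keys() & seen.keys()}
    unmanaged = [seen[h] for h in sorted(seen.keys() - inv.keys())]
    undiscovered = [inv[h] for h in sorted(inv.keys() - seen.keys())]
    return matched, unmanaged, undiscovered

def exposure_score(rec, found):
    """Scanner findings, doubled if internet-facing, weighted by who uses the asset."""
    return found.high_findings * (2 if found.internet_facing else 1) * ROLE_WEIGHT.get(rec.owner_role, 1)

def prioritize(inventory, discovered):
    """Rank (hostname, score, note) highest first. Unmanaged assets lead the list: with no
    owner or location on record their exposure cannot be bounded, so they need triage first."""
    matched, unmanaged, undiscovered = reconcile(inventory, discovered)
    ranked = sorted(((h, exposure_score(r, d), f"{r.owner_role} @ {r.location}")
                     for h, (r, d) in matched.items()), key=lambda t: t[1], reverse=True)
    return ([(d.hostname, None, "unmanaged: not in ITAM inventory") for d in unmanaged]
            + ranked + [(r.hostname, 0, "undiscovered: check lifecycle state") for r in undiscovered])
```

The undiscovered bucket is where the ITAM lifecycle states (recovery, disposal, in transit) answer whether a gap is a decommissioned asset or a discovery blind spot.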


"Step No. 4: Validate how attacks might work and how systems might react" 


  • The data curated by ITAM provides an accurate picture of the attack surface. An accurate attack surface allows IT security to create valid attack scenarios.
  • An accurate attack surface makes the blue and red teams' exercises efficient.


"Step No. 5: Mobilize people and processes" 


  • An effective ITAM program establishes channels for communication and education horizontally and vertically across the organization.
  • The CTEM program can leverage these channels to promote its program.
  • Conversely, where ITAM's communication channels are incomplete, ITAM can benefit from the CTEM program's channels.


Why Reinvent the Wheel?


The ITAM program serves the entire organization. ITAM serves finance with evidence of how the IT budget is used and by applying a disciplined approach to procurement. The legal function benefits from ITAM's commitment to satisfying an IT asset's compliance requirements and supporting the organization's legal obligations. The IT function gains significant efficiencies through a disciplined approach to managing the asset's lifecycle, rationalizing IT asset types, and meeting the organization's business needs. End users' requirements are well represented. Business units can enjoy using their bright, shiny new asset while relegating the asset's business administration to ITAM. Executive management gains accurate insight into the performance and return on investment of probably the only business asset that touches every dollar, pound, yen, or euro. Finally, IT security leverages the processes and data collected and curated by ITAM to protect the organization's crown jewels efficiently, effectively, and accurately.


Implement CTEM and Get a Bigger ROI with ITAM


That's right! If you implement CTEM without ITAM, you will spend more money on less accurate data. How? As stated above, ITAM delivers value to the entire organization. When you implement an ITAM process for, say, finance, you will most likely be able to leverage that process and the data for other functional areas. ITAM may be an organization's best investment of all its core business programs. But how many ways does ITAM support IT security? I'm glad you asked!


Cyber Security Frameworks


There are many cybersecurity frameworks to select from when implementing an IT security program. NIST's Cybersecurity Framework and the Center for Internet Security's (CIS) Controls are two of the most popular frameworks. ITAM IQ has mapped these two frameworks to the ITAM program, and the result was quite impressive. 


ITAM IQ identifies 37 ITAM components representing the IT asset lifecycle, standards, and initiatives. 


CIS has 161 controls, and when mapped to ITAM, the result is over 400 points where ITAM components enable and support the CIS framework.


NIST has 23 functions and 108 categories, and when mapped to ITAM, the result is over 300 points where ITAM components enable and support the NIST framework.


Regardless of the framework, there are over 300 ways the ITAM program can be leveraged to support your organization's IT security program. Even if you have a basic ITAM program, chances are you can leverage what is already in place to accelerate your IT security program while saving money on implementation.


ITAM / Cyber Security Workshop

ITAM IQ used the above-mentioned results to create an affordable workshop that includes an ITAM program primer along with the mapping between ITAM and NIST's and CIS's frameworks. For more information, please visit https://www.itamiq.com/ITAM-CyberSecurity-Training.


Remember, an organization's IT security is only as good as its ITAM program!


Citations

Panetta, K. (2023, August 21). How to manage cybersecurity threats, not episodes. Gartner. https://www.gartner.com/en/articles/how-to-manage-cybersecurity-threats-not-episodes

Pezeta, L. (2019). Black Telescope Under Blue and Blacksky. Pexels. Retrieved January 12, 2024, from https://www.pexels.com/photo/black-telescope-under-blue-and-blacksky-2034892/

ITAM IQ Is Your Gateway to Modern ITAM


Our expertise enables individuals to advance their ITAM program for the future by providing next level IT Asset Management best practices knowledge. These practices create a symbiotic relationship between ITAM and departments such as IT Security, IT, Finance, and HR by working in tandem to provide heightened information quality which significantly reduces risks, creates greater financial benefits, further enhances compliance, and increases efficiencies.
