
S&P: IT Asset Management is Central to Cyber Security

And the rest of the organization, too!


From S&P Global Ratings, the article "Cyber Risk Insights: IT Asset Management Is Central To Cyber Security[1]" outlines how critical ITAM is to cyber security. In this paper, we look at how ITAM is vital not just to cyber security but to other departments as well, and at why implementing an ITAM program is more complex than it seems.


Excerpts from the article:


  • "For a cyber security system to be effective it must know what it is meant to protect"


  • "S&P Global Ratings considers robust ITAM to be vital to an entity's ability to proactively manage vulnerabilities, respond to incidents efficiently, and minimize the financial impact of cyber attacks."


  • "In our view, ITAM should be directed by explicit policy that provides the authority for the system to be effective and assigns clear roles and responsibilities."


  • "The absence of ITAM can create gaps and blind spots in organizations' cyber risk management"


  • "The FTC's complaint against Equifax, for example, cited an inability "to maintain an accurate inventory of public facing technology assets" that contributed to poor patching among the "basic security failures" at the company."


  • "U.K. government's National Cyber Security Centre. "Many organisations have significant gaps in what they understand about their environment."


The S&P article accurately identifies cyber security's need for ITAM. Yet here we are, still trying to justify an almost invisible program to executive management despite all the evidence.


  • NIST's cybersecurity framework states the requirement for ITAM, although weakly.
  • CIS's cybersecurity framework states the requirement for ITAM, although weakly.
  • And the famous saying "you can't secure what you don't know you have!" is ubiquitous.


And then there are the distractions:


  • Artificial Intelligence – offering hope for a more profitable future!
  • FinOps – the latest vendor-generated hype promising to deliver IT for everyone, cheaper and faster, while putting cybersecurity in the back seat.
  • Cloud – outsource everything for a cheaper and faster future!


Now, these statements may sound a bit cynical, and that's because ITAM has been slow to mature and become an organization's core competency. It doesn't help that a great deal of misinformation is designed to benefit the service provider more than the practitioner. Or that executive management still doesn't get what ITAM truly is. So, what's an ITAMer to do? Should we give up and seek out another profession? Should we keep our heads down and do what we are told? Or should we continue to fight this battle and be prepared for when the powers that be recognize our value? I'll choose the latter. I've heard many examples where ITAM was waiting in the wings, and when an opportunity presented itself, ITAM came to the rescue. 


A successful ITAM Program has two perspectives – strategic and tactical. 


The strategic approach defines a three-to-five-year roadmap for the ITAM Program and is probably the more complicated of the two perspectives. It is more complex because developing the ITAM Program roadmap requires forming productive relationships with other departments and gaining executive management buy-in. A well-defined roadmap that includes the business value is mandatory to convince executive leadership.


The tactical perspective achieves two objectives. First, reliable execution of the current program, and second, working toward the objectives defined in the ITAM Program roadmap. Many ITAM Programs are only focused on the first objective due to the absence of a roadmap.


The line between strategic and tactical is fuzzy. As the situation warrants, IT Asset Managers will bounce back and forth between the two perspectives. Cybersecurity is one of those areas that requires a strategic/tactical approach. 


"We thus also consider ITAM to be foundational to the effective conduct of many key cyber security activities, including vulnerability management, incident response, and cyber risk management."


Let's look at a diagram that appeared in the S&P article. The "brain icon" was added to identify ITAM IQ comments.


S&P article diagram for ITAM including ITAM IQ thoughts

Security Monitoring

Any security framework of value states that an accurate IT asset inventory is the foundation for the security program. The problem with this is the absence of any description of how difficult it is to achieve an accurate inventory. IT Asset Managers are well aware of the perception that all we do is "count things," which leads to the subsequent great misunderstanding.


Lifecycle Management

While what is stated is true about lifecycle management, it is only one of the many benefits ITAM lifecycle management brings to security. The first benefit is an accurate inventory! That's right! You must manage the entire lifecycle of assets to maintain an accurate inventory. And what is the lifecycle? It starts when someone thinks they need an IT asset and goes beyond the end of the asset's life for some asset types.


Incident Response

Incident response depends on an accurate inventory and asset histories to determine the extent of any damage. Again, the reference to an "accurate inventory" is as if it were something that could be purchased at a convenience store.


Vulnerability Management

With every asset type come vulnerabilities. Those vulnerabilities are best understood before a new asset type is purchased, with the asset then managed and tracked through its life. Once again, an accurate asset inventory is required, and ITAM is the gatekeeper for all assets that connect to the organization's network.


Cyber Risk Management

Four words: accurate IT asset inventory.


The Bottom Line

ITAM delivers value for many functional areas, not just IT security, making it the organization's best investment in any business program. However, implementing an ITAM program is not easy. Starting with the PC era, organizations have become lazy, undisciplined, sporadic, and, let's face it, irresponsible when managing IT assets. From the PC to the laptop, the internet, then the smartphone, and to date, the cloud, we have been neglecting IT asset management for years. The expectation that an ITAM Program can be implemented within a year is, nicely put, unrealistic.


Simply put, your cyber security program is only as mature as your ITAM program.



[1] https://www.spglobal.com/ratings/en/research/articles/230815-cyber-risk-insights-it-asset-management-is-central-to-cyber-security-12819307

Hero photo credit: Leeloo Thefirst
