The Cyber Security War

In Steve Preston's excellent article at Dark Reading, "Cyberattacks Are a War We'll Never Win, but We Can Defend Ourselves," the article identifies challenges that an ITAM Program would undoubtedly help alleviate or even eliminate. What follows are Mr. Preston's comments in quotes followed by how ITAM can help.

"The cybersecurity war will never end."

I believe most if not all, people would agree with this statement. Fortunately, ITAM is a program that never ends, so the ITAM Program will always be there to support IT security's constantly evolving initiatives.

"Built-in security is more than technology. It needs to be part of an organization's culture," and "Only by developing a culture that understands cyberattacks are inevitable can an organization hope to ensure an orchestrated team response from the get-go."

Cultural awareness is the same objective that ITAM has. Anyone who touches an IT asset is part of the program, and ITAM processes, when implemented appropriately, provide an opportunity for continuous education of the organization's employees and consultants. End-users must know all their responsibilities regarding "touching" IT assets. And these responsibilities go well beyond IT security.

"Every camera, printer, router, scanner, forklift, coffee pot, or toy — everything and anything with software or firmware in it — should be built securely"

How much money does your organization spend evaluating, testing, and applying patches? Patches do not add value; in fact, they do the opposite. Patch management consumes time and resources that could be better spent adding value to your organization. Organizations must track the quality and reliability of the products and services they use to understand the real value and true cost being realized. The cost incurred due to poor quality must be communicated to the vendor and to the group that negotiates purchases.

"Clean Backups Are Crucial"

Creating the appearance that data has been backed up is easy. The question is – do you trust the backup? Perhaps the more significant question is, what needs to be backed up? The ITAM Program needs to define roles for IT users so that IT standards can be accurately defined. An added benefit of user-defined roles is identifying the data required by the role and how to back up the data for each data-bearing asset type.

"Innovation Is Constant, on Both Sides"

Both good and bad guys are innovating to accomplish their goals. ITAM relies on continuous improvement as a strategy for maturing the ITAM Program. As IT security adapts, ITAM will be there to support IT security initiatives. ITAM is also well aware of new technologies and their adoption by the organization. ITAM's awareness is shared with several departments, including IT security.

"The only true defense is to recognize that fact and take a proactive approach to security."

I couldn’t agree more that a proactive approach is needed. I believe so much of IT security's time is spent reacting to attacks and incidents that there is little time to be proactive. But ITAM is designed to be proactive and reactive in support of multiple departments. ITAM can and should be the proactive arm of IT security by doing what ITAM must already do, which is:

• Manage the design, implementation, and monitoring of the on/off-boarding for everyone who touches an IT asset, including part-time employees and consultants. The on/off-boarding process should educate people on their responsibilities to the organization when interacting with IT assets. This education should continue throughout the person's employment.
• Manage the vendors that provide products and services.
• Oversee the creation and maintenance of IT standards to ensure an understanding of how the IT asset will be used and managed.
• Manage the entire lifecycle of all IT assets by managing the design, implementation, and monitoring of each asset. This includes establishing gates during the asset's lifecycle to collect asset data and eliminate rogue assets. Every step in the lifecycle of an IT asset is an opportunity to collect data on the asset's acquisition, receiving, configuration, deployment, recovery, and disposal.
• Curate IT asset data so that IT security and other departments have a single source of truth.

Better Together

One of ITAM's greatest strengths is being proactive when managing IT assets. Our lifecycle starts when someone "thinks" they need an asset and lasts long after the asset has been disposed of. IT security should do what it does best – monitor our networks, prepare for the next attack, and stay steps ahead of the bad guys. But IT security can only accomplish these goals if they have a clear and accurate picture of all IT assets, including past, present, and future, and on or off the network.

Mr. Preston's article is available at:

https://www.darkreading.com/attacks-breaches/cyberattacks-are-a-war-we-ll-never-win-but-we-can-defend-ourselves

More on Cyber Security

What's Next?