Simon Ractcliffe, Regional Vice President for Australia and New Zealand, Qualys, says asset management is the foundation of information security policy.
As organizations in Australia and globally are faced with a recessionary and tumultuous geopolitical environment, they are increasingly looking to leverage IT technologies to foster innovation and improve the efficiency of processes across their business.
Business leaders, specifically CIOs, are feeling mounting pressure to gain full visibility of their organization’s infrastructure. This pressure stems from the need to meet business demand and harness the ability to mitigate the risk of any disruption that could directly impact customers, shareholders and employees.
The ultimate goal for any CIO is to drive value for the business by enabling the secure, efficient and sustainable flow of information across the organization. IDC predicts that in 2023 40% of Australian CIOs will be primarily measured by their ability to co-create new business models and outcomes through extensive enterprise and ecosystem-wide collaboration.
This is only possible if CIOs collaborate with C-suite colleagues to co-create technology strategies to equip the organization with the business capabilities and processes it needs to achieve its future goals. This is critical as it then transcends into working with the actual security and IT teams to ensure that each element runs and is executed smoothly.
Asset management is the answer and the foundation of any organization’s information security policy. It sounds simple – to have a complete, accurate and timely list of a company’s IT assets. But why is it difficult in practice? And why should a CIO care about this level of detail?
The answer is that without this detail, you – and your department – will always be a step behind. An accurate understanding of the organization’s entire IT estate allows security and IT teams to take the necessary steps to mitigate security threats. It allows for quicker identification of misconfigurations, vulnerabilities and end-of-life hardware and prioritization, which ultimately frees up the time of security and IT staff to focus on the most pressing security issues.
A comprehensive, up-to-date, accurate asset management (AM) program is the lynchpin for any IT/security team’s success. With it, your department will be able to drive the business impact for which they are measured. This insight brings the ability to quickly and easily scale as your business grows and puts the CIO in the driving seat to help unlock the organization’s potential.
Establishing a comprehensive asset inventory seems like an obvious baseline for every organization, but research shows that 69% of organizations have experienced an attack targeting an ‘unknown, unmanaged or poorly managed Internet-facing asset.’ If you don’t know what assets you have on your corporate network, you can’t protect them. If your team can’t report on this, then you can’t effectively know how well those security risks are being handled.
The key goal is for the inventory not to be treated as an afterthought but rather as the first building block. CIOs must prioritize asset management by getting the basics right and keeping the inventory up-to-date. This approach allows for better concentration on other important projects and pressing issues that pop up.
As software and hardware ages, old versions fall to the wayside. Once you have an accurate picture of your IT estate, it’s important to map this alongside each item’s life cycle to ensure that hardware and software continue to be supported by the original manufacturer and are proactively managed in terms of vulnerabilities and patching. End-of-service components can introduce significant security risks and proactive management should be sought to update or replace them to reduce the attack surface.
Within any enterprise organization, there are likely to be tens of thousands of assets to identify and manage. This is where security tooling can help your team manage at scale and automate processes to save manual intervention for repetitive tasks. Combining your asset inventory with end-of-life and end-of-service information allows you to view all relevant information within a single management pane rather than manually searching for the information. The earlier categorization of assets is useful here in particular low-risk assets which will ease your team’s workload and allow them to focus on higher-value tasks.
Asset management can be complex and focused on detail. As you scale up infrastructure and use more platforms to meet your business needs, keeping up with potential risks is difficult.
Asking what your organization looks like from a hacker’s point of view gives a holistic view of an entire IT asset estate. This practice of scanning for any Internet-facing devices helps to understand what an attacker would see – and how they might exploit what they see.
Attack Surface Management is contingent upon a strong asset management approach and takes this practice one step further by assessing the security levels of all identified assets. Like asset management, this should be a continuous discovery, classification and assessment process.
Getting a firm understanding of every IT asset under your control might seem like a level of detail too far. However, this should be a top priority for every CIO, because without this, there is uneven ground to build on for the future. Investing in solutions that allow your organization to better understand, track and secure assets is critical to your success.
Click below to share this article