Implementing a cybersecurity program is essential for any organization. With the increasing number of data breaches, new methods of attacks, and even the use of AI and improved phishing techniques, it is imperative for organizations to create a robust protection in a quick pace. To accomplish this, the information security teams (infosec) and CSO organizations do not need to start from scratch. Most of the current methodologies and frameworks address the creation of sound cybersecurity programs assuming nothing already exists that can be used to leverage in the endeavor. This creates apprehension, especially for small organizations to start building their security programs. Fortunately, for those organizations having a mature IT Asset Management program, it is possible to start by getting what they already know what it is in their network and knowing what they need to protect.
Traditionally, IT Asset Management has been seen identifying what it is owned by the organization and using that information to ensure compliance. In the software side, knowing what the company is entitled to use and determine the deployment of products providing a view of their compliance position and potential cost saving opportunities; but never as the principal source of data for cybersecurity.
IT Asset Management has evolved from tracking purchases, deployment, and retiring of software and hardware assets to be the main repository of information that the company needs to protect. Things like subscriptions to cloud services and mobiles devices interacting with corporate assets. The increasing number in the use of mobile devices by employees, even those under the BYOD (Bring Your Own Device) or company-controlled ones has a big impact in the security controls. Also, the use of opensource application and Libraries. IT Asset Management is the center of inside view of what the company has and use to meet internal and external customers’ needs in the cyberworld. Everybody in the company somehow must deal with IT services working at the office or connecting remotely to use the IT services.
Then, what information is maintained by IT Asset Management that can be used to develop a sound cybersecurity program? A cybersecurity implementation doesn’t need to start from scratch. The process to develop security controls to protect the most valuable data in the company starts with a Business Impact Analysis (BPA).
The BPA process will identify the mission critical functions based on the core business of the organization and what would be the impact for the company if any of these functions is not performed. In order to identify what can affect each of these functions, it will be necessary to identify the IT systems that support such function. IT Asset Management organization has this information (or at least should have it). If the ITAM inventory process collects information about if the asset is essential for a mission critical function, then the individual or group doing the BPA will obtain the data needed with no need to start digging with interviews and analysis to realize what are those critical IT assets. This is a big plus for IT Asset Management functioning as the main data provider for cybersecurity.
Similar situation occurs with the Risk Assessment. Risk Assessment Analysis will help in the development of the cybersecurity program by providing data to identify vulnerabilities and the likelihood of a threat exploiting any of those vulnerabilities. The risk assessment will use the output from a vulnerability assessment to make the calculations. In a mature ITAM implementation, information about what vulnerabilities, patching level, and software version are linked to each asset should be part of the data collected. One more time, the information collected by mature ITAM processes will give a great contribution to the development of a successful cybersecurity program.
During the definition of security controls, information about what devices are connected to the corporate network with the function to protect data is of great value. A complete inventory should include the list of firewalls indicating what portion of the network they are protecting. The same for any IDS/IPS (Intrusion Detection System)/ (Intrusion Prevention System). Also, what systems are part of a cluster covering a specific business function, etc. Is a given asset behind a firewall, in the DMZ, or part of a load balance cluster? Knowing this will provide valuable hints on what additional security controls are needed. There is no doubt that looking at the information stored in the ITAM repository is essential during the development of the security program.
There are much more examples where the information collected by ITAM processes is a great help for the security. In the case the needed information is not collected by the ITAM processes, a conjunction approach must the started between cybersecurity and ITAM to collect such information and keep it updated. Nothing better to succeed than keeping this data under the ITAM repository.
When improving the ITAM maturity level, organizations must look to cybersecurity needs and start identifying what additional information is useful for both sides. ITAM tools and approaches must include APIs (Application Program Interfaces) to communicate with security tools to collect additional data from assets. It is no longer the typical hardware model, serial number, etc.; but also, criticality, vulnerability associated with the asset, and other security data. This way, the convergency of ITAM and cybersecurity will be so tied and inseparable that any silo will disappear for the good of the organization.