Ishpreet Singh, Chief Information Officer at Qualys, highlights the importance of asset management and explains why it is fundamental to any cybersecurity strategy.
In a recessionary and tumultuous geopolitical environment, organizations increasingly rely on digital transformation to accelerate and maintain productivity. Companies are looking to leverage IT technologies to increase innovation and improve the efficiency of processes across their business. In doing so, business leaders — specifically CIOs — are feeling mounting pressure to gain full visibility of their organization’s infrastructure. This pressure stems from the need to meet business demand and to mitigate the risk of any disruption that could directly affect customers, shareholders and employee data.
The ultimate goal for any CIO is to drive value for the business by enabling the secure, efficient and sustainable flow of information across the organization. But there is no blank-slate design when it comes to achieving this, and CIOs must always be thinking ahead. Co-creating technology strategy alongside C-suite colleagues, to ensure that the organization has the business capabilities and processes it needs to meet its future goals, is critical. That work then extends into working with the actual security and IT teams to ensure that each element runs and is executed smoothly.
This is easier said than done, though, and for a CIO to succeed in their role, they must first focus on the present. Without a clear understanding of where the organization and its tech stack sit today, those future goals will forever be out of reach. Whether you are a brand-new CIO taking on IT responsibility for the first time or a seasoned CIO with years of experience, being able to move between the big picture and the nuanced details is a necessary skill.
For example, asset management is the foundation of any organization’s information security policy. It sounds simple — to have a complete, accurate and timely list of all the IT assets that the company has in its environment. But why is it difficult in practice? And why should a CIO care about this level of detail?
The answer is that without this detail, you — and your department — will always be a step behind. A comprehensive, up-to-date and accurate asset management (AM) program is the linchpin of any IT/security team’s success. Without it, your department will struggle to deliver the business impact it is targeted on and you are measured against. Try as they might, the IT team will struggle to function effectively without AM.
An accurate understanding of the organization’s entire IT estate allows security and IT teams to take the necessary steps to mitigate security threats. It allows for quicker identification of misconfigurations, vulnerabilities and end-of-life hardware. It also allows for prioritization, which ultimately frees up the time of security and IT staff to focus on the most pressing issues that might affect the company.
This insight brings the ability to scale much faster, and more easily, alongside the business. With the CIO’s intervention, IT can instead focus on enabling other business teams to deliver on their goals, which puts the CIO in the driving seat to help unlock the organization’s potential.
Establishing a comprehensive asset inventory seems like an obvious baseline that every organization would have by now, but research shows that 69% of organizations have experienced an attack targeting an “unknown, unmanaged or poorly managed internet-facing asset.” If you don’t know what assets you have on your corporate network, you can’t protect them. If your team can’t report on this to you, then you can’t effectively know how well those security risks are being handled. Creating a comprehensive view of your organization’s assets will no doubt uncover some hidden secrets — like shadow IT implementations — that may have taken place over the years.
The key goal is for the inventory not to be treated as an afterthought, but rather as the first building block. But it is all too easy for this job to be downgraded or ignored, with competition for attention against the next big malware threat or headline-making vulnerability. CIOs must emphasize that getting asset management under control and getting the basics right first allows for better concentration on other important projects and pressing issues that pop up.
Once your catalog of assets has been established, you must then work out how to keep the program up to date. For example, categorizing these assets based on how critical they are to the business ensures that they get the right level of attention, and should make it easier to decide how to manage and protect them moving forward.
Vulnerabilities exploited by bad actors almost always start with endpoints and assets within an organization’s environment. They are often “low-hanging fruit” for attackers, as numerous applications are running across different environments, assets and endpoints. Without full visibility at a CIO’s fingertips, it’s almost impossible to keep up with growing threats — organizations can only mitigate once there is a clear picture of constantly changing infrastructure.
Regain control of end-of-service components
As software and hardware age over time, old versions fall by the wayside. Once you have an accurate picture of your IT estate, it’s then important to map it against each item’s life cycle to ensure that hardware and software continue to be supported by the original manufacturer and are proactively managed in terms of vulnerabilities and patching. End-of-service components can introduce significant security risks, and proactive management should be sought to update or replace them to reduce the attack surface.
Unfortunately, there is no industry standard for product or service life cycles, or for how manufacturers report them. But there are tools that can map known life cycle information about popular assets from within your inventory to centralize that information.
As a CIO, replacing out-of-date software is necessary over time, but it also has to be balanced against cost and against what new services can be delivered. For some projects, it may be possible to mitigate and keep using software for longer, but for others, there will come a time when a replacement will need to be carried out. The alternative is to leave that software running, which can lead to future exploitation.
Normalize, categorize and prioritize
Within any enterprise organization, there are likely to be tens of thousands of assets to identify and manage. This is where security tooling can help your team manage at scale and automate repetitive tasks so they no longer need manual intervention. Combining your asset inventory with end-of-life and end-of-service information lets you view all relevant information in a single management pane rather than having the team search for it manually. The earlier categorization of assets is useful here, as you can build agreed sets of rules around particular low-risk assets to ease your team’s workload and allow them to focus on higher-value tasks.
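As an added example (not code from the article or from Qualys), the following Python sketch shows the normalize, categorize and prioritize loop described here and in the end-of-service section: it maps inconsistently reported product strings onto a lifecycle table, flags end-of-service items, applies an agreed rule for low-risk supported assets, and ranks the rest by criticality and internet exposure. The inventory, the lifecycle dates, the weights and the product names are all constructed assumptions; call `assess(INVENTORY, AS_OF)` to run it.

```python
import re
from datetime import date

# Constructed lifecycle table, (product, release line) -> end-of-service date (illustrative dates only).
LIFECYCLE = {
    ("windows server", "2012 r2"): date(2023, 10, 10),
    ("windows server", "2019"): date(2029, 1, 9),
    ("postgresql", "11"): date(2023, 11, 9),
    ("postgresql", "15"): date(2027, 11, 11),
}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}  # assumed business-criticality tiers
AS_OF = date(2024, 1, 15)  # constructed review date

# Constructed inventory, as an agent might report it: note the inconsistent product naming.
INVENTORY = [
    {"host": "web-01", "criticality": "high", "internet_facing": True,
     "software": ["Microsoft Windows Server 2012 R2", "PostgreSQL 11.21"]},
    {"host": "db-01", "criticality": "high", "internet_facing": False,
     "software": ["Windows  Server 2019", "postgresql 15.4"]},
    {"host": "kiosk-07", "criticality": "low", "internet_facing": False,
     "software": ["windows server 2019", "Acme Badge Printer 2.3"]},
]

def normalize(raw):
    """Map one vendor-reported string onto a (product, release line) key used by LIFECYCLE."""
    s = re.sub(r"\s+", " ", raw.lower().replace("microsoft ", "")).strip()
    if s.startswith("windows server"):
        return ("windows server", s[len("windows server"):].strip())
    if m := re.match(r"postgresql\s*(\d+)", s):  # 11.21 -> release line 11
        return ("postgresql", m.group(1))
    return (s, "?")  # unrecognised: keep it visible rather than silently dropping it

def assess(inventory, as_of):
    """Join the inventory against LIFECYCLE; return (priority, host, status, software), highest first."""
    findings = []
    for asset in inventory:
        weight = CRITICALITY_WEIGHT[asset["criticality"]] + (2 if asset["internet_facing"] else 0)
        for raw in asset["software"]:
            key = normalize(raw)
            eos = LIFECYCLE.get(key)
            if eos is None:
                status, score = "unknown_lifecycle", weight  # still needs a human look
            elif eos < as_of:
                status, score = "end_of_service", weight * 2  # replace or mitigate first
            elif asset["criticality"] == "low" and not asset["internet_facing"]:
                status, score = "auto_accepted", 0  # agreed rule: no ticket for low-risk supported items
            else:
                status, score = "supported", 0
            findings.append((score, asset["host"], status, raw))
    return sorted(findings, key=lambda f: -f[0])
```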
Get the holistic view
Asset management can be complex and detail-heavy. As you scale up infrastructure and use more platforms to meet your business needs, it becomes difficult to keep up with potential risks.
Asking the question “what does my organization look like from a hacker’s point of view?” gives a holistic view of the entire IT asset estate. This practice of scanning for any internet-facing devices helps you understand what an attacker would see and, most importantly, how they might exploit what they see. Attack Surface Management is contingent upon a strong asset management approach and takes this practice one step further by assessing the security level of each of those identified assets. Like asset management, this should be a continuous process to discover, classify and assess.
For the CIO, approaches like Attack Surface Management can help to build up that picture of risk to the business. This can then be translated into terms that the leadership team can understand. Speaking about risk is much more helpful — and more likely to be listened to — and so can be used to justify the work that your team is putting in.
Getting a firm understanding of every IT asset under your control might seem like a level of detail too far. However, it should be a top priority for every CIO, because without it there is only uneven ground to build on for the future. Investing in solutions that allow your organization to better understand, track and secure its assets is critical to your success.