Cyber ​​Intelligence: IT asset management is at the heart of cyber security (2023)

For a cybersecurity system to be effective, it must know what it is supposed to protect. Large organizations may have thousands of connected devices, such as laptops and mobile phones, as well as multiple operating systems, software systems and networks.

The process of recording, monitoring and managing these assets is commonly referred to as IT Asset Management (ITAM) and its effective practice is fundamental to good cyber defence.

S&P Global Ratings believes that a strong ITAM is critical to an entity's ability to proactively manage vulnerabilities, respond effectively to incidents and minimize the financial impact of cyberattacks. In addition, we view the absence of an ITAM as potentially indicative of poor cyber risk management, which, when combined with other factors, may affect our assessment of entity management and operational risk.

Reputational damage and financial losses from cyberattacks associated with bad ITAM can be significant. In July 2017, the US credit reporting service Equifax agreed to pay at least $575 million to resolve a complaint filed by the Federal Trade Commission (FTC) after inaccurate inventory of online systems contributed to a data breach that affected approximately 147 million people . Further investigations and the cost of remediation and safety improvements are estimated to have brought the total cost to over $1.4 billion.

ITAM and cyber risk management

The National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, in a September 2018 report highlighted the importance of ITAM to cyber security in a report detailing the benefits of strong ITAM, including:

• Faster response to security alerts (thanks to knowing device location, configuration and ownership).
• Increased cyber resilience by focusing more on valuable and critical assets.
• Better cost management.
• Less attack surface with better patches and updates.

ITAM can also play an important role in facilitating asset prioritization. Not all IT systems are created equal, and the failure of a critical system can have serious consequences for the entire organization. A system that helps organizations monitor the "crown jewels" of their networks, simplifies risk assessment and helps prioritize security efforts.

NIST and the Center for Internet Security (CIS), a nonprofit consulting and benchmarking organization, have identified a detailed list of hardware and software as the starting point for an effective cybersecurity and risk management program.

The framework provided by NIST and other organizations contributes to the framework that guides our analysis of integrating an organization's cybersecurity into its overall risk management. As such, we view ITAM as a key component to the successful conduct of many key cyber activities, including vulnerability management, incident response, and cyber risk management (see Figure 1).

Common goal, different systems

In general, entities are expected to update risk management policies and practices as threats evolve, and responding to changes in cyberspace should be no different. ITAM plays a key role in managing these changes, ensuring that inventories remain accurate (when assets are replaced or new assets are introduced) and that asset protection (including software updates and patching) evolves with the threat environment.

While ITAM systems share a common goal, they can vary significantly in structure and function across organizations. These differences generally reflect the entities' IT environments and cybersecurity needs. For example, manual ITAM systems (such as spreadsheets) may make sense for organizations with small or low-complexity IT structures. Meanwhile, entities that manage complex IT systems (spanning multiple locations, departments, and different assets) will likely require some level of automation to effectively manage their IT assets.

Tailor-made ITAM tools can provide an easy path to this automation. For example, these tools typically allow you to store relevant information about each IT component (including location, system owner, and software version). As such, they are a ready way of gathering information into a repository, facilitating IT risk assessment.

ITAM data

Regardless of the system chosen, for ITAM to fulfill its function and provide the necessary foundation for other elements of cybersecurity, ITAM must fulfill a minimum number of functions and be supported on an ongoing basis. For example, an ITAM developer must correctly identify the assets that need to be protected. ITAM must also be comprehensive enough to effectively track assets, and processes must be in place to ensure that this tracking is up-to-date.

ITAM systems typically consist of software and processes that store key information about potential vulnerabilities of an asset throughout its life cycle. Across your organization, this information may include:

• Network addresses
• Hardware type (eg laptop, desktop or server)
• Software (also for operating systems and applications)
• Property details
• configuration settings
• Resource criticality

ITAM is usually the responsibility of the IT department, but to ensure efficiency it is best to share ownership and management between different teams. For example, security teams may have data that can help IT teams create accurate inventories, which is important for a strong ITAM program. In our view, ITAM should be guided by clear policies that give authority to ensure system effectiveness and assign clear roles and responsibilities.

Scarcity and inefficiency increase risk

The absence of an ITAM can create gaps and dead spots in an organization's cyber risk management, leading to increased vulnerabilities, compliance issues, inefficiencies and suboptimal incident response. Ineffective ITAM can also cause similar problems and be a gateway to security incidents. For example, the FTC's complaint against Equifax highlighted its failure to "maintain an accurate inventory of publicly available technology assets" contributing to the company's poor patching of "fundamental security vulnerabilities."

There is no doubt that other organizations are also at risk due to poor ITAM. According to the UK government's National Cyber ​​Security Centre, IT oversight gaps and their potential to grow are a common risk. “Many organizations have significant gaps in their understanding of their environment. The result is a weakening of the level of cyber security,” the May 2021 asset management article states.

These gaps likely reflect the lack of attention and resources some organizations devote to ITAM, but also the inherent difficulties in meeting the customized needs of different ITAM systems—which are determined by factors such as complexity, size, and operational area. However, ITAM's central place in any effective cyber security system means that organizations cannot afford to ignore it. Starting your journey towards a solid ITAM is a positive step towards mitigating cyber threats.

Related studies

• Cyber ​​Threat Intelligence: New Regulations Will Increase Resilience, Included, 3 August 2023
• Cyber ​​Threat Intelligence: Detection is key to defense, May 10, 2023 r
• Cyber ​​Insights: Addressing Digital DisruptionFebruary 22, 2023
• Cyber ​​risk management is credit risk managementsays seminar, November 1, 2022
• How cyber risk impacts credit analysis for global corporate issuers, March 30, 2022 r

Screenplay: Paul Whitfield

This report is not an audit activity.