The Starting Point for Any Cyber Risk Management Program Must be Identifying Assets and Their Attributes
I was recently reminded of a famous quote by former Secretary of Defense, Donald Rumsfeld, “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.”
Nowhere is that statement more valid than in IT asset management. Most of us agree that IT asset management (ITAM) is the least sexy topic in cyber. However, you can’t protect what you don’t know about. Without visibility into your information assets, their value, where they live, how they relate to each other and who has access to them, any strategy for protection would be inherently incomplete and ineffective. It would kind of be like trying to buy a property insurance policy without telling the insurance company the construction, number, size, value and contents of the buildings you are trying to protect. The starting point for any cyber risk management program, internal or regulatory, must be identifying assets and their attributes.
Most organizations, even those that are very large and mature, struggle with IT asset management. It is a challenging domain that until recently was perceived as a low-value administrative activity, and certainly not as a key element of managing one of their key enterprise risks. Companies struggle because IT asset management requires a dynamic end-to-end process that crosses multiple organizations, tracking an ever-changing roster of machines and software.
What’s required for effective IT asset management? First and foremost, don’t allow perfect to get in the way of good. Immature asset data will limit visibility and insights, but like any good business process, a continuous measurement and improvement loop will provide the transparency and motivation to continuously enrich and enhance the asset database.
Continuous improvement includes all aspects of the data, including completeness, accuracy and consistency. A good starting point is a basic technical profiles database, which often resides in a configuration management database (“CMDB”), that includes an identifier and basic technical profile information such as hardware and operating system attributes. With basic machine attributes defined, the next layer is to create additional attributes and connect them to other organizational and asset entities. For cyber, key connections include identification of the people who own the asset financially and technically, as well as the applications and data sets that are associated with the machine. At the highest level, a map of data and transactional touch points at the machine and application level will allow for more sophisticated analytics that can help reduce risk by connecting the dots between threats and vulnerabilities, and limit outbreaks by increasing protection on machines in “proximity” to identified attacks and compromises.
From a regulatory point of view, good asset management is sometimes explicitly required and sometimes a best practice to ensure compliance. Without solid ITAM practices, including updated data inventories and data flow analyses, organizations will be hard pressed to comply with regulations like PCI-DSS and GDPR. For example, without knowing where payment card data resides and flows, companies are left scrambling to comply or over-scoping the effort because they don’t really know which applications and infrastructure require the most attention. Being a data-centric regulation, GDPR obviously requires a comprehensive data inventory to get started on the path to compliance. Trying to achieve compliance without this solid foundation will result in a lot of wasted time, wheel spinning and, in the worst case, regulatory fines down the road. Regulators don’t consider ignorance of one’s information assets a legitimate excuse for failing to comply.
Finally, when it comes to cyber security, your ITAM pursuits need to include an inventory and assessment of the many defense-in-depth tools that you have spent hard-earned budget dollars implementing over the past few years. Unfortunately, despite the best of intentions, in many enterprises security tools are often only partially implemented or not maintained. Whether it’s because of a lack of implementation resources, technical challenges or business obstacles, most organizations are not nearly as protected as they think they are. Sometimes it results in a data loss prevention or endpoint protection platform being installed and properly functioning on only 40 percent of a company’s machines. Other times it may be authentication and proxy logging covering only certain business units, machine types or user categories. Regardless, it is vital to have an up-to-date understanding of your assets and their protective tools. Once-a-year (or every-few-years) assessments won’t cut it in today’s dynamic, ever-changing enterprise.
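The two points above, a CMDB enriched with owners and data classes, and security tools that only cover part of the estate, come together in one routine reconciliation. The following is an added example, not code from the article or from any CMDB or security product: it takes a constructed CMDB extract (identifier, OS, technical owner, applications, data classes) and constructed check-in lists from two hypothetical tools, and computes each tool's coverage, which assets are missing it (the known unknowns), which hosts the tool sees that the CMDB has never heard of (the unknown unknowns), and which uncovered assets hold regulated data and therefore come first. All hostnames, owners and tool names are invented for the example.

```python
"""Reconcile a CMDB export against the host lists reported by security tools.

Added example with constructed sample data; nothing here comes from a real
environment, a real product, or the article's author.
"""
from collections import defaultdict

# Constructed CMDB extract: identifier, technical profile, owner, apps, data classes.
CMDB = [
    {"asset_id": "A-001", "hostname": "web01", "os": "Linux",
     "tech_owner": "platform", "apps": ["storefront"], "data": ["PCI"]},
    {"asset_id": "A-002", "hostname": "db01", "os": "Linux",
     "tech_owner": "dba", "apps": ["storefront"], "data": ["PCI", "GDPR"]},
    {"asset_id": "A-003", "hostname": "hr-app01", "os": "Windows",
     "tech_owner": "corp-it", "apps": ["hris"], "data": ["GDPR"]},
    {"asset_id": "A-004", "hostname": "build01", "os": "Linux",
     "tech_owner": "platform", "apps": ["ci"], "data": []},
    {"asset_id": "A-005", "hostname": "laptop-0412", "os": "Windows",
     "tech_owner": "corp-it", "apps": [], "data": []},
]

# Constructed tool inventories: hostnames that checked in to each tool recently.
# "epp" stands in for an endpoint protection platform, "dlp" for data loss prevention.
TOOL_HOSTS = {
    "epp": {"web01", "db01", "laptop-0412", "lab-vm-7"},   # lab-vm-7 is not in the CMDB
    "dlp": {"laptop-0412", "hr-app01"},
}


def reconcile(cmdb, tool_hosts):
    """Compare CMDB hostnames with each tool's check-in list.

    Returns, per tool: coverage percentage over CMDB assets, the asset ids
    missing the tool (known unknowns), and hosts the tool reports that the
    CMDB does not contain (unknown unknowns the tool happened to surface).
    """
    by_host = {a["hostname"]: a for a in cmdb}
    report = {}
    for tool, hosts in tool_hosts.items():
        missing = sorted(a["asset_id"] for h, a in by_host.items() if h not in hosts)
        unknown = sorted(hosts - set(by_host))
        covered = len(cmdb) - len(missing)
        report[tool] = {
            "coverage_pct": round(100.0 * covered / len(cmdb), 1) if cmdb else 0.0,
            "missing": missing,
            "unknown": unknown,
        }
    return report


def gaps_by_owner(cmdb, missing_ids):
    """Group uncovered assets by technical owner so every gap has a name attached."""
    by_id = {a["asset_id"]: a for a in cmdb}
    grouped = defaultdict(list)
    for aid in missing_ids:
        grouped[by_id[aid]["tech_owner"]].append(aid)
    return dict(grouped)


def regulated_gaps(cmdb, missing_ids, data_classes=("PCI", "GDPR")):
    """Uncovered assets that hold regulated data: the ones to remediate first."""
    by_id = {a["asset_id"]: a for a in cmdb}
    return sorted(aid for aid in missing_ids
                  if any(d in data_classes for d in by_id[aid]["data"]))


if __name__ == "__main__":
    report = reconcile(CMDB, TOOL_HOSTS)
    for tool, r in report.items():
        print(f"{tool}: {r['coverage_pct']}% covered; missing {r['missing']}; "
              f"unknown to CMDB {r['unknown']}")
        print("  by owner:", gaps_by_owner(CMDB, r["missing"]))
        print("  regulated data uncovered:", regulated_gaps(CMDB, r["missing"]))
```

Run on the constructed data, the DLP tool covers 40 percent of the CMDB, two of the three uncovered machines hold PCI or GDPR data, and the endpoint tool reports a host the CMDB does not know about. Running this on a schedule, rather than as a once-a-year assessment, turns each of those into a ticket with an owner instead of a surprise during an incident or an audit.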
Operating based on false assumptions results in a false sense of security that can only result in bad outcomes. Making good ITAM a priority will make life easier and more certain in all aspects of your security program, minimizing all the flavors of known knowns, known unknowns and unknown unknowns.