Having secure IT assets should enhance the overall user experience by embedding security more effectively and more seamlessly into everyday IT and IT service provisioning activities. But IT assets have a lifecycle, and they need to be protected differently at each stage of it. Automating the routine parts of that protection, such as patch management and dealing with stolen passwords, lets staff focus their core competencies on the more strategic aspects of asset security.
I recently shared a webinar with Dell and Markit on IT asset management and information security, which you can listen to on InfoSecurity Magazine here.
Some of the points I was making in my presentation on IT asset management were:
- The lifecycle cost of an IT asset begins with planning and design and continues through procurement, adoption, operations, maintenance, rehabilitation/renewal, and disposal/replacement.
- IT asset management (ITAM) seeks to optimize costs through each stage of this lifecycle, while meeting established levels of service, reliability, and risk. In today’s enterprise, ITAM plays a dual role of asset management and risk protection.
- Protection levels can be performance-related (critical value to the business) or customer- and regulatory-related (impacting response times, complaints, information availability, etc.).
- Risk is the exposure and uncertainty assumed because of the opportunity for significant damage. Data from IDC had previously forecast that by this year 25% of large enterprises would make security-related spending decisions based on analytical determinations of risk.
But what kinds of IT asset cause the most concern for the enterprise today? Half the world's population will be on the mobile Internet by 2020, and the key drivers behind the growth in the mobile worker population are the increasing affordability of smartphones and tablets combined with the growing acceptance of corporate bring your own device (BYOD) programs. In addition, innovations in mobile technology such as biometric readers, wearables, voice control, near-field communications (NFC), and augmented reality are enabling workers in completely new ways, increasing productivity by enhancing communications and business workflows. These devices need to be secured to protect the enterprise. But it is not just about endpoints: the network and the physical assets of the enterprise are also affected when IT asset management is not automated and hardwired into the organization.
So one of the points I made was that the key to a successful IT asset management program is the legwork performed before selecting solutions: evaluating your existing IT environment, gaining executive sponsorship, setting program goals, committing the appropriate human resources, and designing strong processes that support your organization's business objectives. Before getting started with your asset management security program, it is important to reach these milestones, to ensure not only that the right solution is selected but also that the processes are formally established, understood, and documented.
One of the discussion points between my fellow presenters and me was the fact that older IT assets are not as well documented as the newer ones. I mentioned in the conversation that I had a 10-year-old Dell from previous employment that was still able to access that domain. (I am not sure which was the more startling statement: that the 10-year-old Dell still worked, or that it could still log on to the systems of my previous employer!) We discussed the concept of good practice (the ISF Standard of Good Practice) and the importance, not only from a risk perspective but also from a compliance agenda, of being able to reduce the risk of information security being compromised by weaknesses in hardware or software, to protect assets against loss, and to support the development of contracts and meet compliance requirements for licensing.
One other point I made in the presentation was about encryption. An IT department needs an encryption plan that provides reasonable assurance that all enterprise-owned devices, such as laptops, can be identified and encrypted. Encryption is at the heart of a complete endpoint security solution: when you safeguard the data, you reduce the risk of compromising sensitive customer or employee information, confidential files, and your company's reputation. So you need to make it easy to identify new devices as they come onto the network and to activate encryption on them, and to find the older devices when they log back onto the network for software updates.
The CISO on our panel from Markit talked about the convergence of IT asset management (ITAM) and security. His point was that security professionals have had a very different point of view in the past on what an asset is, because their focus is information risk. IT managers focused instead on where physical hardware was at any time; from a software standpoint, the focus was on consolidating license negotiations. Now these are coming together, not only because of cyber threats but for the protection of the rest of the assets (data or otherwise) of the enterprise. Another point he made was that decisions regarding procurement, deployment and management of technology are not made centrally, and so there is a disconnect. There is no point in putting sophisticated network forensic tools in place (from the network team) if there is no basic patch management from the desktop team.
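The three gaps discussed above (an old machine that can still log on to the domain, laptops that are never confirmed as encrypted, and a desktop estate with no basic patch management) are all found the same way: by reconciling what the directory knows against what the ITAM inventory knows and flagging the mismatches. The following is an added example of that reconciliation, written for this page; it is not code from the webinar, from Dell or Markit, or from any ITAM product. The directory accounts, inventory records, field names and the 180-day / 30-day thresholds are all constructed assumptions for the example; in practice the two inputs would be exported from the directory (e.g. computer account last-logon data) and the asset register.

```python
"""
Asset-lifecycle triage: reconcile directory computer accounts against the
ITAM inventory and flag the gaps that leave an asset unprotected.

All records below are constructed sample data, not output from any real
directory or ITAM tool; field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date

STALE_AFTER_DAYS = 180   # assumed policy: enabled account, no logon in 180 days
PATCH_SLA_DAYS = 30      # assumed policy: last patch older than 30 days is overdue
TODAY = date(2016, 6, 1) # fixed "today" so the example is deterministic


@dataclass(frozen=True)
class DirectoryAccount:
    name: str
    enabled: bool        # can this account still authenticate?
    last_logon: date


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str            # "laptop", "desktop" or "server"
    encrypted: bool      # full-disk encryption confirmed by the endpoint tool
    last_patched: date
    retired: bool        # disposed / replaced according to the asset register


# Constructed: accounts that the directory will still let on to the network.
DIRECTORY = [
    DirectoryAccount("LT-0042", True, date(2016, 5, 30)),
    DirectoryAccount("LT-0117", True, date(2016, 5, 28)),
    DirectoryAccount("DT-0008", True, date(2016, 5, 31)),
    DirectoryAccount("LT-OLD-2006", True, date(2016, 5, 29)),  # the 10-year-old laptop case
    DirectoryAccount("SV-0003", True, date(2015, 9, 1)),
    DirectoryAccount("DT-RETIRED", False, date(2014, 1, 10)),
]

# Constructed: what the ITAM inventory says about the same estate.
INVENTORY = [
    Asset("LT-0042", "laptop", True, date(2016, 5, 20), False),
    Asset("LT-0117", "laptop", False, date(2016, 5, 25), False),
    Asset("LT-0200", "laptop", True, date(2016, 5, 1), False),   # never joined the directory
    Asset("DT-0008", "desktop", False, date(2016, 3, 1), False),
    Asset("SV-0003", "server", False, date(2016, 5, 15), False),
    Asset("DT-RETIRED", "desktop", False, date(2014, 1, 1), True),
]


def triage(directory, inventory, today=TODAY):
    """Return a sorted list of (asset_name, finding) tuples."""
    by_name = {a.name: a for a in inventory}
    findings = []
    for acct in directory:
        asset = by_name.get(acct.name)
        if asset is None:
            # Device can authenticate but nobody owns it in the asset register.
            if acct.enabled:
                findings.append((acct.name, "unmanaged: enabled account with no inventory record"))
            continue
        if asset.retired and acct.enabled:
            findings.append((acct.name, "retired asset still has an enabled account"))
        if acct.enabled and (today - acct.last_logon).days > STALE_AFTER_DAYS:
            findings.append((acct.name, f"stale: enabled account, no logon in >{STALE_AFTER_DAYS} days"))
        if asset.kind == "laptop" and not asset.encrypted and not asset.retired:
            findings.append((acct.name, "laptop without full-disk encryption"))
        if not asset.retired and (today - asset.last_patched).days > PATCH_SLA_DAYS:
            findings.append((acct.name, "patching overdue"))
    # The reverse gap: inventoried, not retired, but unknown to the directory.
    known = {acct.name for acct in directory}
    for asset in inventory:
        if asset.name not in known and not asset.retired:
            findings.append((asset.name, "inventoried but not in directory"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in triage(DIRECTORY, INVENTORY):
        print(f"{name:12s} {finding}")
```

Each branch corresponds to a lifecycle failure the panel talked about: "unmanaged" is the forgotten old machine, "laptop without full-disk encryption" is the device that came onto the network without the encryption plan being applied, and "patching overdue" is the desktop-team gap that makes network forensics pointless. The disabled, retired desktop produces nothing, which is the state every disposed asset should end in.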
Our main point: There needs to be a holistic view of IT asset management throughout the lifecycle of the object in question, and throughout the entire IT team as to how to address the risk profile of the assets.