InfoSec-Specific Executive Development for
CISOs and Aspiring Security Leaders.
Live Faculty-led instruction and interactive
labs to build you and your team's InfoSec skills
Most organizations have dozens of cybersecurity asset management products in use. Which is good for security teams, especially because some commercial
offerings can help consolidate all this data in one, convenient system of record. However, teams should expect to do some necessary custom development work and invest time/resources to get everything working as planned. There is no one correct way
to build and maintain an asset inventory.
This piece outlines the best methods and what’s needed for comprehensive cybersecurity asset management system, along with descriptions of different tools and categories.
Many security teams have adopted a centralized asset management system (CAM). When high-tech organizations do not have CAMs and critical vulnerabilities occur, there is a scramble to determine which systems are affected, because asset data is spread across
multiple systems and even spreadsheets.
Asset management is a challenge nearly all departments across all business verticals face. Each group has different needs and requirements from an asset management solution:
Using a single asset management system doesn’t make a lot of sense for most organizations. However, that hasn’t stopped organizations from trying, and when that happens, we usually see the effort centered around an IT service management (ITSM)
Most large organizations have multiple asset management solutions to satisfy a wide range of needs for different parties. This works and is ideal for the security team, especially now that newer asset management tools can combine and deduplicate
the data from many of these asset management solutions.
The following categories are related to cybersecurity asset management in some way, and all can be useful, depending on the use case: Many of these have “management” in the name; although, security teams don’t typically manage assets—
they just need information related to the assets.
Consider identifying the risk related to certain assets. This use case often requires combining data from:
A whole class of risk management tools exist to combine the data above, along with threat intelligence to give a more accurate score. These tools assign an accurate risk score to each issue and asset. Risk management tools aren’t designed to replace
an asset management tool, but their data is incredibly valuable. Most asset management tools can integrate with risk management tools, and we highly recommend taking advantage of these integrations.
Some additional cybersecurity asset management use cases include:
READ: How to Improve Your Vulnerability Management Program
Cybersecurity Asset Management Success Factors vary. Four key factors are explained below:
1. Visibility Tools:
Teams need a visibility tool that can, ideally, pull information from multiple sources on a regular basis. While some of these tools also offer the ability to automate changes to systems, the key need is visibility, so read-only access to other asset
management systems is sufficient for the core security use case here.
2. Access to data at several levels:
3. Access to critical data sources:
Full responsibility infrastructure
Shared responsibility infrastructure
4. Strong business unit relationships:
Collaboration between business units is necessary to obtain and maintain the data to make asset management systems work. Often, there are alternative ways to obtain the same data, but it typically involves more time and work than simply asking another
department for a read-only account to their system.
Some organizations push everyone to standardize onto a single asset management/ITSM/change management platform. This might work out for parts of IT, but usually does not for security teams. The challenge for security is that it needs as much data as possible
in a short timeframe, but it doesn’t have access to extended development resources. Monolithic offerings typically disappoint when faced with these constraints. Security teams should go after purpose-built security asset management tools instead.
Keep in mind that even with a cybersecurity asset management tool in place:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
December 6, 2022
By IANS Research
Improve your attack surface management plan using 9 steps to mitigate risk and strengthen enterprise security posture.
December 1, 2022
By IANS Faculty
Improve your vendor management program using six focus areas to benchmark program maturity and identify key pitfalls to avoid.
November 29, 2022
Learn how to integrate IT, OT and physical security programs to reduce risk, improve efficiency and streamline processes across the organization.