The critical connection

Deloitte’s IT Asset Management Global Survey 2022-23 invited more than 3,500 key ITAM professionals at companies large and small in over 20 countries to participate, covering all major industry sectors.

More than three-quarters (77%) agreed that having a strong ITAM program to detect and manage all the enterprise’s software, hardware, and firmware is a must for cybersecurity.

Yet fewer than half (45%) say they believe they are making the appropriate investments to ensure that their ITAM function enhances IT asset visibility for their security analysts.

Coordinating ITAM with cybersecurity to identify and understand vulnerabilities and threats is critical, our respondents also said. Yet many organisations, if not most, fall short of this goal as well. Barely more than half (54%) of ITAM staff said they work closely with their company’s cybersecurity team.

Perhaps not coincidentally, a lack of collaboration and communication between ITAM and cyber is now a top concern for organisations.

Clearly, something needs to change. In Deloitte’s analysis, Cybersecurity threats and incidents differ by region (based on Deloitte’s 2023 Global Future of Cyber Survey),15% of respondents from Australia said they had experienced 11 or more significant cybersecurity incidents in the previous year. Among respondents from Japan and China, 13% had experienced significant cyber incidents.

Enterprises are adding new technologies and moving more fully into the cloud. Most often, they use several cloud environments, our report shows. This may make their data, applications, and devices increasingly dispersed and difficult to track. Unmanaged and unmitigated, these data, applications, and devices become ripe for cyberattacks.

Regulators, too, know that effective ITAM is important to IT governance and security. They’re issuing new and updated security standards that highlight the need for enterprises to obtain full visibility of their IT assets. ITAM may soon be a must for regulatory compliance.

Where ITAM tools fall short

Just having ITAM isn’t enough. For strong security, organisations need ITAM that delivers a number of tasks, and performs them well. These include:

• Discovery of unauthorised assets, continuously detecting and monitoring to alert immediately when a rogue asset has entered the network environment. An example might be a non-company laptop that logs onto your internal system
• Controls on hardware and software access and usage
• Restrictions on software installation
• The ability to facilitate vulnerability scanning, including uncovering assets that vulnerability scanners miss
• The ability to integrate data from log analysis tools used by your cyber teams to detect and manage threats
• Activity detection and reporting, and auditing of events.

Often, however, enterprise ITAM software lacks some of these capabilities or doesn’t perform the tasks adequately, our survey shows.

• Nearly three-quarters (72%) of those surveyed said their ITAM doesn’t discover unauthorised devices.
• More than half said they lack hardware and software access controls (54%) and controls on software installation (56%).
• Nearly half said they need better integration with security log analysis (47%) and activity detection/reporting and event auditing (46%).
  

Where ITAM gets it right

The news is encouraging in some respects. We see companies making progress in key areas in their use of ITAM for security. This year’s survey reveals that they’re becoming more proficient at using ITAM tools for:

• Incident response: 63% use enriched, coordinated data from different sources to improve incident response, investigations, and remediation.
• Endpoint protection: 60% report robust endpoint protection capabilities, including knowing when assets are missing an endpoint agent or have the wrong agent, or know when an agent is not working.
• Vulnerability management: 54% say their ITAM tells them when their vulnerability scan software fails to detect assets.

We’ve seen progress in all areas, but more needs to be done. To protect your systems, networks, and data from intrusion and unauthorised use, your ITAM teams and tools need to work together with your cyber teams and their tools.

In fact, helping to secure your technologies is one of ITAM’s most valuable purposes. Regulators understand this, as recent developments show.

• The USA’s National Institute of Standards and Technology (NIST), a government agency that issues standards and frameworks for cybersecurity, led the way in 2018-19 with its special publication IT Asset Management, (SP 1800-5), co-authored with the National Cyber Security Center of Excellence. This guide specifies precisely what cybersecurity professionals and those in IT governance expect from their organisation’s asset management systems. It describes how ITAM teams can configure their systems to meet those expectations, paving the way for ITAM-cyber cooperation and collaboration.
• The Digital Operational Resilience Act (DORA), a European Union law, mandates operational and security resilience in the financial sector. It sets down rules for IT risk-management, incident reporting, operational resilience testing and IT third-party risk monitoring. It emphasises “knowing what you have.” This legislation’s requirements ripple out to industries that provide services to the financial services sector.
• Open-source software is the object of a recent U.S. White House initiative that aims to improve open-source software’s security using collaboration and other means. This initiative is expected to usher in a new era of cooperation among IT security, ITAM and other relevant teams.
• ITAM is getting attention in Asia Pacific, as well. In June 2023, the Victorian government in Australia issued the Victorian Government IT Asset Management Guidance, which includes an ITAM framework.
• In Japan, the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) published a Guideline for Establishing Safety Principles for Ensuring Cybersecurity of Critical Infrastructure in July 2023 that outlines the responsibility for asset management. In addition, the Ministry of Economy, Trade and Industry published Cybersecurity Management Guidelines, which cover ITAM from a cyber perspective.
• Taiwan regulators published the Public Company Information Security Guidelines in December 2021 that outline a requirement for companies listed on the stock exchange to adhere to specific directives on cyber security, including requirements related to ITAM.

A key challenge: Mapping

As your software inventory and array of devices grows, having a central asset deployment command center is key to managing and securing it all. But many of our respondents lack this essential function. We’ve seen this, ourselves, in our work with clients.

On the other hand, when ITAM and cyber work together, the results can be very effective. ITAM can be invaluable for such tasks as:

• Discovering a device’s location, configuration, and ownership
• Prioritising critical infrastructure, by identifying the most significant assets
• Helping with compliance with Sarbanes-Oxley and with standards such as the Payment Controls Industry-Data Security Standard
• Monitoring and managing inventory as against the entitlement of hardware and software assets
• Patching IT asset vulnerabilities
• Improving helpdesk response by telling staff what is installed and alerting them to errors and other issues.

Fully knowing your enterprise’s full array of IT assets is a cybersecurity must. This includes your devices, software, endpoints, connections, and other assets. You must also understand how these assets connect with one another and with organisational systems and services. Not having this knowledge could open the door to a cyber breach.

For many, creating the map that provides this information is a tedious, time-consuming task. To accomplish it, you will need input from ITAM and specialised dependency mapping tools. Before beginning, it’s imperative that you thoroughly understand what you are doing, why you are doing it, and what the scope of the task will be.

With so many tasks to perform, it might be easy to focus on the details and lose sight of the big picture, which is your overall goal. Strive for a big-picture view of your organisational systems and networks and how to protect them. A top-down, panoramic IT asset approach is the best way to ensure ongoing success.