The role of asset management in securing the whole tech stack

In a tumultuous geopolitical environment, organisations across the Asia-Pacific region harness digital transformation initiatives to accelerate and maintain their productivity.

They want their IT systems to drive innovation and improve the efficiency of processes across their business. At the same time, IT leaders are under mounting pressure to gain full visibility of their infrastructure. This pressure stems from the need to minimise or mitigate the risk of any disruption that could directly impact customers, shareholders, and employee data.

Without a clear understanding of where the tech stack sits today, those future goals will never be achieved.

Whether it’s a newly appointed CIO taking on IT responsibilities for the first time or a seasoned CISO with many years of experience, the ability to navigate between the broader strategic outlook and the nuanced details is a necessary skill to develop.

Start at the beginning

Organisations in the Asia-Pacific region continue to prioritise cybersecurity, with IDC forecasting a 15.4% compound annual growth rate in expenditure on security-centric products and services from 2021 to 2026. This growth is expected to reach a peak of US$55 billion by 2026. In 2023, the region is projected to invest US$36 billion, reflecting a 16.7% increase from the previous year, specifically in security hardware, software, and services.

Effective asset management forms the foundation of any organisation’s information security policy. On the surface, it may seem simple to maintain a comprehensive, accurate, and up-to-date inventory of all IT assets within the company’s environment. However, why does it pose challenges in practice? And why should a CIO prioritise this level of detail?

The answer to this question is that without this detail, the CIO and his or her department will always be a step behind.

A comprehensive, up-to-date, and accurate asset management programme is the lynchpin for any IT team to succeed. Without it, the department will struggle to drive the business impact for which they are targeted and measured. Try as they might, the IT team will struggle to function effectively without asset management.

An accurate understanding of the organisation’s entire IT estate allows security and IT teams to take necessary steps to mitigate security threats. It allows for quicker identification of misconfigurations, vulnerabilities, and end-of-life hardware. It also allows for prioritisation, ultimately freeing up time for staff to focus on the most pressing issues that might affect the company.

Look inward

Establishing a comprehensive asset inventory seems like an obvious baseline that every organisation would have by now. Still, research shows that 69% of organisations have experienced an attack targeting an “unknown, unmanaged, or poorly managed internet-facing asset.”

We need to know what assets we have on our corporate network to protect them.

Creating a comprehensive view of the organisation’s assets will no doubt uncover hidden secrets, like shadow IT implementations, that may have taken place over the years.

The key goal is for the inventory not to be treated as an afterthought but rather as the first building block. It is all too easy for this job to be downgraded or ignored, with competition for attention against the next big project or malware threat.

Once the catalogue of assets has been established, it is critical to work out how to keep the programme up to date. For example, categorising assets based on how critical they are to the business ensures they get the right level of attention. Providing and maintaining asset criticality data should simplify the process of managing and safeguarding assets in future.

Regain control of end-of-service components 

As software and hardware age, old versions fall to the wayside.

Once an accurate picture of the IT estate has been established, it can be mapped alongside each item’s life cycle to ensure that hardware and software continue to be supported by the original manufacturer and are proactively managed in terms of vulnerabilities and patching.

End-of-service components can introduce significant security risks, and proactive management should be sought to update or replace them to reduce the attack surface.

As a CIO, replacing out-of-date software is necessary over time, but it also has to be balanced against cost and what new services can be delivered. For some projects, it may be possible to mitigate those risks and use software for longer. For others, there will come a time when a replacement will need to be carried out. The alternative is to leave that software running, which can lead to future exploitation.

Get the holistic view

Asset management can be complex and focused on detail. As infrastructure is scaled up and more platforms are used to meet business needs, it is difficult to keep up with potential risks.

By asking the question, “What does my organisation look like from a hacker’s point of view?” a holistic view of the entire IT estate can be obtained. This practice of scanning for any internet-facing devices helps in understanding what attackers might observe and, most importantly, how they might exploit any vulnerabilities.

Attack surface management is contingent upon a strong asset management approach and takes this practice one step further by assessing the security levels of all of those identified assets. Like asset management, this should be a continuous process to discover, classify, and assess.

Getting a comprehensive understanding of every IT asset under control might seem like a level of detail too far. However, this should be a top priority for every CIO because without this, there is uneven ground to build on for the future. Investing in solutions that allow your organisation to better understand, track, and secure assets is critical to successfully reducing risk in your IT environment.