The Asset of Asset Management

Published on 17th February 2022 Author: Rob Black

Can you guess what is the most feared day in the Black Family household? If you said, “Any day in which Rob needs to shovel two feet of snow,” we are going to give you partial credit.

But no, it’s actually … “library book due day!”

We visit our local library frequently. Most times, my kids check out 10 or even 15 books at a time. That’s great news; my wife and I want them to love books and enjoy reading.

But, when the books come due, we need to find them. They are…

… in the family room: maybe behind the couch.

… in the playroom: maybe being used as a stand for Lego.

… in a kid’s bedroom: maybe on the dresser, maybe buried in a pile of stuffed animals, maybe hidden in a bookshelf among lots of other books.

You get the idea. The probability of finding all the library books on the first pass is miniscule – roughly the same as being struck by lightning while winning the lottery.

Sometimes, when we have narrowed it down to just a missing book or two, I actually create a “wanted poster” – a printed picture of the book cover that I post on the door to the basement with a reward offer, hoping it will trigger someone’s memory.

Do You Have a Handle on Your Technical Assets?

Unfortunately, soon-to-be-overdue library books are not the only valuable holdings that are hard to track – most companies don’t have a good system for organizing and managing their technical assets, either.

How do we know that?

First, because we ask. The answer is often murky and incomplete.

Just as often, after working with a client for weeks or even months, we learn about “surprise systems.” We might be talking about something completely unrelated and someone will mention the “XYZ System” in which important data is stored and … it’s the first we’ve ever heard of it!

Whatever the specifics, without a clear and complete inventory of an organization’s assets, it is impossible to protect them. After all, how can you answer critical questions like the following if you don’t even know what you’ve got on hand (hint: you can’t)?

Do we have a backup of all our key systems?
Are all of our laptops encrypted and up to date with Anti-Virus?
Do we have all of our servers segmented from the rest of our network?
Do we know where all of our proprietary corporate data is kept?

You don’t necessarily need a fancy asset management tool and there are any number of ways to solve this problem (even a simple spreadsheet can work). But it is a problem and it does need to be solved.

Three Essential Elements of Asset Management

Whatever you decide to put in place, here are three things to strive for:

The information is up to date.
Someone owns the process. Like payroll, it’s not a group responsibility; it needs to be part of somebody’s job description.
It is comprehensive. Not just most departments; not just some laptops. The entire organization, as one entity, needs to be part of this.

Some ideas to get you started, depending upon your risk profile and company size:

If you have endpoint management tools such as a Mobile Device Management (MDM), Anti-Virus (AV), or Endpoint Detection and Response (EDR), you may be able to pull the endpoint information from there.
IT may have Excel spreadsheets that document the devices they own. These spreadsheets are often out of date but can be a good starting point.
You probably know which servers you have but you may not have them written down and inventoried in one place. While you’re thinking about it, note the function(s) that each server performs.
Generating an inventory of all hosted cloud systems, such as AWS or Azure, is easy. But generating a list of SaaS applications (even in a small company) is nearly impossible. IT knows about the tools it controls, but what about those used by Finance, Marketing, Sales, etc., and paid for with a company credit card? SaaS application discovery tools such as BetterCloud or Blissfully can be helpful here.

You Can’t Secure What You’re Not Aware Of

There is no one-size-fits-all solution for inventorying all of your assets. You need to right-size the tools for your program and business particulars.

However, the challenge itself – securing your assets – is universal. Absent some type of reliable, comprehensive, and up-to-date approach to asset management, you are rolling the dice on security with each passing day.

Oh, one more thing… If you happen to come across a slightly used copy of Harry Potter and the Goblet of Fire, please let me know. There’s a good chance one of my kids left it at your house and that book is due tomorrow.

Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.

Rob Black, CISSP

Rob founded Fractional CISO in 2017 and has helped dozens of companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).