articles Ratings /ratings/en/research/articles/230815-cyber-risk-insights-it-asset-management-is-central-to-cyber-security-12819307 content esgSubNav
In This List
COMMENTS

Cyber Risk Insights: IT Asset Management Is Central To Cyber Security

COMMENTS

Retail Brief: European Retailers Set Out Their Stalls For The Golden Quarter

COMMENTS

Instant Insights: Key Takeaways From Our Research

COMMENTS

Digital Assets Brief: Crypto's Trump Card

COMMENTS

Sustainability Insights: Rising Curtailment In China: Power Producers Will Push Past The Pain


Cyber Risk Insights: IT Asset Management Is Central To Cyber Security

For a cyber security system to be effective it must know what it is meant to protect. At large organizations that can include thousands of connected devices, such as laptops and mobile phones, as well as multiple operating systems, software systems, and networks.

The process of logging, tracking, and managing those resources is typically called IT Asset Management (ITAM) and its effective practice is foundational to good cyber defense.

S&P Global Ratings considers robust ITAM to be vital to an entity's ability to proactively manage vulnerabilities, respond to incidents efficiently, and minimize the financial impact of cyber attacks. We furthermore regard the absence of ITAM as potentially indicative of poor cyber-risk management which, in conjunction with other factors, could weigh on our assessment of an entity's governance and operational risk management.

Reputational damage and financial losses following cyber attacks linked to poor ITAM can be significant. In July 2017, Equifax, a U.S. credit reporting agency, agreed to pay a minimum $575 million to settle a complaint, led by the Federal Trade Commission (FTC), after an inaccurate inventory of internet-accessible systems contributed to a data breach affecting about 147 million people. Further settlements and recovery and security improvement costs are estimated to have increased the total cost to over $1.4 billion.

ITAM And Cyber Risk Management

The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, underlined ITAM's importance to cyber security in a September 2018 report, which described the benefits of robust ITAM, including:

  • Faster response to security alerts (facilitated by knowledge of device location, configuration, and ownership).
  • Increased cybersecurity resilience due to an improved focus on valuable and critical assets.
  • Improved cost management.
  • A reduced attack surface due to better patching and updating.

ITAM can also play an important role in facilitating asset prioritization. Not all IT systems are equal, and the failure of a critical system can have major impacts across an organization. A system that helps organizations track the assets that are the "crown jewels" of their network makes risk assessments easier, and aids in prioritizing security efforts.

NIST and the Center for Internet Security (CIS), a nonprofit consultancy and benchmarking organization, described an accurate inventory of hardware and software assets as the starting point of an effective cyber security and risk management program.

Frameworks provided by NIST, and other organisations, contribute to the framework that guides our analysis of an organization's integration of cyber security into its overall risk management. We thus also consider ITAM to be foundational to the effective conduct of many key cyber security activities, including vulnerability management, incident response, and cyber risk management (see chart 1).

Chart 1

image

Common Purpose, Different Systems

Entities can generally be expected to update risk management policies and practices as threats evolve, and the response to shifts in cyber risk should be no different. ITAM plays a key role in managing these changes, ensuring inventories remain accurate (as assets are replaced or new assets are introduced) and that protection of assets (including software updates and patching) evolves with the threat environment.

While ITAM systems share a common purpose they can vary significantly in structure and operation across organizations. Those differences generally reflect entities' IT environments and cyber-security needs. For example, manual ITAM systems (such as spreadsheets) can make sense for organizations with small or low-complexity IT structures. Meanwhile, entities operating complex IT systems (including multiple locations, departments, and diverse assets) will likely require some level of automation to effectively manage their IT assets.

Purpose-built ITAM tools can offer a simple route to that automation. These tools, for example, typically provide the means to store relevant information about each IT asset (including location, system owner, and software version). They thus offer a ready-made means to centralize information in a single repository, which makes conducting IT risk assessments easier.

ITAM components

No matter what system is chosen, for ITAM to fulfill its function and provide the foundation required by the other cyber security elements it must perform a minimum set of functions and be supported in an ongoing manner. For example, an entity implementing ITAM must properly identify the assets that need to be protected. ITAM must also be comprehensive enough to effectively track assets, and there must be processes in place to keep that oversight up to date.

ITAM systems typically consist of software and processes that track key information on an asset's potential vulnerabilities over the whole course of its lifecycle. Across an entire organization, that information may include:

  • Network addresses
  • Hardware type (e.g., laptop, desktop, or server)
  • Software (including for operating systems and applications)
  • Ownership details
  • Configuration settings
  • Criticality of the asset

Responsibility for ITAM typically falls to the IT department, though to be effective it is better if ownership and management is shared across different teams. For example, security teams may have data that can aid IT teams' production of accurate inventories, which are important to a robust ITAM program. In our view, ITAM should be directed by explicit policy that provides the authority for the system to be effective and assigns clear roles and responsibilities.

Absence And Inefficiency Contribute To Risk

The absence of ITAM can create gaps and blind spots in organizations' cyber risk management, which can lead to increased vulnerability, compliance issues, inefficiencies, and sub-optimal incident response. Ineffective ITAM can also create similar issues, and as a result can be a gateway to security incidents. The FTC's complaint against Equifax, for example, cited an inability "to maintain an accurate inventory of public facing technology assets" that contributed to poor patching among the "basic security failures" at the company.

There is little doubt that other organizations are also at risk due to poor ITAM. Indeed gaps in IT oversight, and the potential for gaps to develop, is a common risk, according to the U.K. government's National Cyber Security Centre. "Many organisations have significant gaps in what they understand about their environment. The result is a weakened cyber security posture," it said in a May 2021 article on asset management.

Those gaps likely reflect a lack of attention and resources dedicated to ITAM by some organizations, but also the difficulty inherent in meeting the bespoke needs of differing ITAM systems--which are determined by factors including complexity, size, and operational area. Yet ITAM's foundational position within any effective cyber security system means organizations can ill afford to ignore it. Starting a journey that leads to a robust ITAM is a positive step toward reducing cyber risk.

Related Research

Writer: Paul Whitfield

This report does not constitute a rating action.

Primary Credit Analyst:Paul Alvarez, Washington D.C. +1 2023832104;
paul.alvarez@spglobal.com
Secondary Contacts:Tiffany Tribbitt, New York + 1 (212) 438 8218;
Tiffany.Tribbitt@spglobal.com
Martin J Whitworth, London +44 2071766745;
martin.whitworth@spglobal.com
Bruno Bastit, Madrid +34 914233215;
bruno.bastit@spglobal.com
Maria Mercedes M Cangueiro, Buenos Aires + 54 11 4891 2149;
maria.cangueiro@spglobal.com

No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.

 

Create a free account to unlock the article.

Gain access to exclusive research, events and more.

Already have an account?    Sign in