For a cyber security system to be effective it must know what it is meant to protect. At large organizations that can include thousands of connected devices, such as laptops and mobile phones, as well as multiple operating systems, software systems, and networks.

The process of logging, tracking, and managing those resources is typically called IT Asset Management (ITAM) and its effective practice is foundational to good cyber defense.

S&P Global Ratings considers robust ITAM to be vital to an entity's ability to proactively manage vulnerabilities, respond to incidents efficiently, and minimize the financial impact of cyber attacks. We furthermore regard the absence of ITAM as potentially indicative of poor cyber-risk management which, in conjunction with other factors, could weigh on our assessment of an entity's governance and operational risk management.

Reputational damage and financial losses following cyber attacks linked to poor ITAM can be significant. In July 2017, Equifax, a U.S. credit reporting agency, agreed to pay a minimum $575 million to settle a complaint, led by the Federal Trade Commission (FTC), after an inaccurate inventory of internet-accessible systems contributed to a data breach affecting about 147 million people. Further settlements and recovery and security improvement costs are estimated to have increased the total cost to over $1.4 billion.

ITAM And Cyber Risk Management

The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, underlined ITAM's importance to cyber security in a September 2018 report, which described the benefits of robust ITAM, including:

• Faster response to security alerts (facilitated by knowledge of device location, configuration, and ownership).
• Increased cybersecurity resilience due to an improved focus on valuable and critical assets.
• Improved cost management.
• A reduced attack surface due to better patching and updating.

ITAM can also play an important role in facilitating asset prioritization. Not all IT systems are equal, and the failure of a critical system can have major impacts across an organization. A system that helps organizations track the assets that are the "crown jewels" of their network makes risk assessments easier, and aids in prioritizing security efforts.

NIST and the Center for Internet Security (CIS), a nonprofit consultancy and benchmarking organization, described an accurate inventory of hardware and software assets as the starting point of an effective cyber security and risk management program.

Frameworks provided by NIST, and other organisations, contribute to the framework that guides our analysis of an organization's integration of cyber security into its overall risk management. We thus also consider ITAM to be foundational to the effective conduct of many key cyber security activities, including vulnerability management, incident response, and cyber risk management (see chart 1).

Chart 1

Common Purpose, Different Systems

Entities can generally be expected to update risk management policies and practices as threats evolve, and the response to shifts in cyber risk should be no different. ITAM plays a key role in managing these changes, ensuring inventories remain accurate (as assets are replaced or new assets are introduced) and that protection of assets (including software updates and patching) evolves with the threat environment.

While ITAM systems share a common purpose they can vary significantly in structure and operation across organizations. Those differences generally reflect entities' IT environments and cyber-security needs. For example, manual ITAM systems (such as spreadsheets) can make sense for organizations with small or low-complexity IT structures. Meanwhile, entities operating complex IT systems (including multiple locations, departments, and diverse assets) will likely require some level of automation to effectively manage their IT assets.

Purpose-built ITAM tools can offer a simple route to that automation. These tools, for example, typically provide the means to store relevant information about each IT asset (including location, system owner, and software version). They thus offer a ready-made means to centralize information in a single repository, which makes conducting IT risk assessments easier.

ITAM components

No matter what system is chosen, for ITAM to fulfill its function and provide the foundation required by the other cyber security elements it must perform a minimum set of functions and be supported in an ongoing manner. For example, an entity implementing ITAM must properly identify the assets that need to be protected. ITAM must also be comprehensive enough to effectively track assets, and there must be processes in place to keep that oversight up to date.

ITAM systems typically consist of software and processes that track key information on an asset's potential vulnerabilities over the whole course of its lifecycle. Across an entire organization, that information may include:

• Network addresses
• Hardware type (e.g., laptop, desktop, or server)
• Software (including for operating systems and applications)
• Ownership details
• Configuration settings
• Criticality of the asset

Responsibility for ITAM typically falls to the IT department, though to be effective it is better if ownership and management is shared across different teams. For example, security teams may have data that can aid IT teams' production of accurate inventories, which are important to a robust ITAM program. In our view, ITAM should be directed by explicit policy that provides the authority for the system to be effective and assigns clear roles and responsibilities.

Absence And Inefficiency Contribute To Risk

The absence of ITAM can create gaps and blind spots in organizations' cyber risk management, which can lead to increased vulnerability, compliance issues, inefficiencies, and sub-optimal incident response. Ineffective ITAM can also create similar issues, and as a result can be a gateway to security incidents. The FTC's complaint against Equifax, for example, cited an inability "to maintain an accurate inventory of public facing technology assets" that contributed to poor patching among the "basic security failures" at the company.

There is little doubt that other organizations are also at risk due to poor ITAM. Indeed gaps in IT oversight, and the potential for gaps to develop, is a common risk, according to the U.K. government's National Cyber Security Centre. "Many organisations have significant gaps in what they understand about their environment. The result is a weakened cyber security posture," it said in a May 2021 article on asset management.

Those gaps likely reflect a lack of attention and resources dedicated to ITAM by some organizations, but also the difficulty inherent in meeting the bespoke needs of differing ITAM systems--which are determined by factors including complexity, size, and operational area. Yet ITAM's foundational position within any effective cyber security system means organizations can ill afford to ignore it. Starting a journey that leads to a robust ITAM is a positive step toward reducing cyber risk.

Related Research

• Cyber Risk Insights: New Regulations Will Increase Resilience, At A Cost, Aug. 3, 2023
• Cyber Risk Insights: Detection Is Key To Defense, May 10, 2023
• Cyber Risk Insights: Navigating Digital Disruption, Feb. 22, 2023
• Cyber Risk Management Is Credit Risk Management, Says Seminar, Nov. 01, 2022
• How Cyber Risk Affects Credit Analysis For Global Corporate Issuers, March 30, 2022

Writer: Paul Whitfield