IT asset management has taken on new urgency with the SEC’s new cybersecurity disclosure requirements. Effective Dec. 18, 2023, publicly traded companies must report “material” security incidents within four business days of discovery. IT asset management (ITAM) plays a critical role in complying with this new rule.
Devices that aren’t tracked or maintained are a significant security risk. If a device falls into the wrong hands, the data stored on it becomes vulnerable to unauthorized access. Lost or stolen devices can also give attackers access to the corporate network. According to the Forrester Research 2023 State of Data Security report, 17 percent of data breaches are caused by lost or stolen IT assets.
However, few organizations investigate missing devices. Organizations lose track of hundreds or even thousands of assets every year, but the loss typically isn’t noticed until there’s a discrepancy between asset inventories and the devices that can be located for final disposition. How can an organization know if a missing device should be reported as a security breach?
Today’s Asset Management Challenges
That’s the role of ITAM, which is concerned with identifying, tracking and controlling components, along with their financial and contractual aspects. A mature ITAM program provides the insight needed to control costs, increase utilization, reduce risk and make smarter investment decisions.
However, IT teams are faced with a diverse and growing array of assets, including new classes of devices that didn’t exist a decade ago. Digital transformation initiatives have changed the very definition of “technology asset” and how assets are deployed, managed and used. Older ITAM systems and processes cannot keep up with the changing landscape. Inventory and configuration information becomes quickly outdated as the IT environment and business processes evolve.
Furthermore, few organizations have visibility into all IT assets across business units, geographic locations and offsite IT infrastructure. IT no longer controls many of the assets that determine business outcomes.
Inadequate Processes Create Risk
The lack of effective asset management processes also plays a role. Many business leaders view ITAM as a tactical function focused on the physical aspects of the IT environment. IT teams lack the resources to leverage ITAM data to support IT, business and regulatory activities.
ITAM’s increasing complexity adds to the challenge. Many employees have multiple devices, each with a three- to five-year lifecycle. A midsize organization with hundreds of employees must manage thousands of these assets, along with printers and other peripherals, IoT devices, and core IT infrastructure. Each asset must be disposed of securely when it reaches end-of-life. If some assets cannot be located, there’s a tendency to assume they were among those that were disposed of.
This creates significant risk. Multiple ITAM failures over five years cost Morgan Stanley Smith Barney more than $150 million in fines and settlements. The company failed to dispose of devices containing personally identifiable information while decommissioning two data centers and a branch office hardware refresh. The SEC called the failures “astonishing.”
Take Steps toward Improving ITAM
Reducing this risk starts with recognizing ITAM as a strategic imperative. Organizations should take a holistic approach based on a robust governance framework. Stakeholders from IT, compliance, legal, operations, finance and HR should review ITAM processes to identify any gaps.
AI can revolutionize ITAM processes by automating many manual tasks. AI tools can scan the entire IT environment to identify IT assets, and populate the asset inventory with each asset’s location, configuration and other data. AI can also identify misconfigured devices and other security risks and analyze data to assist in compliance reporting and enhance decision-making.
Odds are high that a missing device stores sensitive information subject to regulatory requirements. Several regulatory authorities specifically cite ITAM as a component of cybersecurity. Let Technologent help you augment your ITAM systems and processes and implement automated tools to improve asset management and reduce risk.
April 26, 2024
Comments