“How is IT asset management different from cybersecurity asset management?”
We hear this question a lot — and rightfully so.
There’s significant overlap of responsibilities between IT asset management (ITAM) and cybersecurity asset management.
Yet, these core functions ultimately have different objectives, and often are carried out by different teams. IT Asset Management is about managing assets to optimize spend and efficiency.
Cybersecurity asset management is about understanding all of your assets to strengthen your company's cyber risk posture.
IT Asset Management is a set of processes to account for technology lifecycle costs and risks, according to Gartner.
The biggest focus of ITAM is to strategically tackle and manage financial, licensing, and contractual aspects of IT assets. Effective ITAM can help maximize the value of technology investments, inform IT architecture, spend, and sourcing.
Key aspects of ITAM programs include:
With the rise of cloud computing, and the adoption of SaaS platforms, it’s harder than ever before to account for — and manage — all hardware and software assets.
Today, ITAM initiatives are often part of IT Service Management (ITSM) programs.
Cybersecurity asset management is the process of gathering asset data (with a primary focus on devices, cloud instances, and users) to strengthen core security functions, including:
The first step for both a successful ITAM and cybersecurity asset management program requires gaining an up-to-date asset inventory.
A large aspect of ITAM is identifying inefficiencies: redundant software, devices not being used, and more. You can’t do that without an up-to-date inventory of all hardware and software assets.
And not only that — you also accurately project and plan future IT costs.
A complete and up-to-date asset inventory is also table stakes for cybersecurity asset management.
“You can’t secure what you can’t see” is cliche, but always true. That’s why having an accurate inventory of all hardware and software assets is the first step in many security frameworks, like the CIS Controls.
So, how are asset inventories managed for ITAM and Cybersecurity asset management? Until recently, both have relied on Configuration Management Databases (CMDBs).
For many companies, CMDBs are a single source of truth to track all assets. But with the rise of virtual machines and cloud computing, CMDBs rarely provide a complete picture of all assets at any given time.
And for cybersecurity asset management, CMDBs often lack the data that’s needed to truly understand assets from a security perspective.
IT teams are often involved in both ITAM and cybersecurity asset management. However, at many companies, IT teams stop at maintaining the asset inventory.
To ensure assets are secure and meet company security policies, security professionals often need to go further than just managing an asset inventory.
Instead, they need to answer critical questions, like:
Unfortunately, these questions are frequently left unaddressed in most asset inventories. To answer them, teams need to create asset inventories with rich, correlated data from sources that know about each asset — including cloud, virtual, and IoT assets which are often unaccounted for.
That’s why many companies are turning to Cybersecurity asset management solutions to pick up where ITAM solutions stop.