There’s significant overlap of responsibilities between IT asset management (ITAM) and cybersecurity asset management.
Yet, these core functions ultimately have different objectives, and often are carried out by different teams. IT Asset Management is about managing assets to optimize spend and efficiency.
Cybersecurity asset management is about understanding all of your assets to strengthen your company's cyber risk posture.
What is IT Asset Management (ITAM)?
IT Asset Management is a set of processes to account for technology lifecycle costs and risks, according to Gartner.
The biggest focus of ITAM is to strategically tackle and manage financial, licensing, and contractual aspects of IT assets. Effective ITAM can help maximize the value of technology investments, inform IT architecture, spend, and sourcing.
Key aspects of ITAM programs include:
Hardware asset management: managing and optimizing company devices (workstations, laptops, servers, peripherals, and more)
Software asset management: managing and optimizing the purchase, deployment, maintenance, utilization, and ultimately removal of all company owned software
Licensing and compliance: ensuring that the licensing of hardware and software assets don’t introduce risk and comply with company policies
With the rise of cloud computing, and the adoption of SaaS platforms, it’s harder than ever before to account for — and manage — all hardware and software assets.
“You can’t secure what you can’t see” is cliche, but always true. That’s why having an accurate inventory of all hardware and software assets is the first step in many security frameworks, like the CIS Controls.
For many companies, CMDBs are a single source of truth to track all assets. But with the rise of virtual machines and cloud computing, CMDBs rarely provide a complete picture of all assets at any given time.
And for cybersecurity asset management, CMDBs often lack the data that’s needed to truly understand assets from a security perspective.
The Differences Between ITAM & Cybersecurity Asset Management
IT teams are often involved in both ITAM and cybersecurity asset management. However, at many companies, IT teams stop at maintaining the asset inventory.
To ensure assets are secure and meet company security policies, security professionals often need to go further than just managing an asset inventory.
Instead, they need to answer critical questions, like:
Are devices running the latest software versions?
Are all devices covered by security controls?
Are devices vulnerable?
Unfortunately, these questions are frequently left unaddressed in most asset inventories. To answer them, teams need to create asset inventories with rich, correlated data from sources that know about each asset — including cloud, virtual, and IoT assets which are often unaccounted for.
That’s why many companies are turning to cybersecurity asset management solutions to pick up where ITAM solutions stop.