“How is IT asset management different from cybersecurity asset management?”
We hear this question a lot — and rightfully so.
There’s significant overlap of responsibilities between IT asset management (ITAM) and cybersecurity asset management.
Yet, these core functions ultimately have different objectives, and often are carried out by different teams. IT Asset Management is about managing assets to optimize spend and efficiency.
Cybersecurity asset management is about understanding all of your assets to strengthen your company's cyber risk posture.
What is IT Asset Management (ITAM)?
IT Asset Management is a set of processes to account for technology lifecycle costs and risks, according to Gartner.
The biggest focus of ITAM is to strategically tackle and manage financial, licensing, and contractual aspects of IT assets. Effective ITAM can help maximize the value of technology investments and inform IT architecture, spend, and sourcing.
Key aspects of ITAM programs include:
- Hardware asset management: managing and optimizing company devices (workstations, laptops, servers, peripherals, and more)
- Software asset management: managing and optimizing the purchase, deployment, maintenance, utilization, and ultimately removal of all company-owned software
- Licensing and compliance: ensuring that the licensing of hardware and software assets doesn’t introduce risk and complies with company policies
With the rise of cloud computing, and the adoption of SaaS platforms, it’s harder than ever before to account for — and manage — all hardware and software assets.
Today, ITAM initiatives are often part of IT Service Management (ITSM) programs.
What is Cybersecurity Asset Management?
Cybersecurity asset management is the process of gathering asset data (with a primary focus on devices, cloud instances, and users) to strengthen core security functions, including:
- Detection and response: Ensuring detection and response capabilities provide coverage across the enterprise
- Vulnerability management: Understanding which assets may be vulnerable to exploits, and ensuring all assets are being evaluated for vulnerabilities
- Cloud security: Ensuring that cloud instances are secure and configured to prevent overly permissive access rights, even when they’re commissioned and decommissioned rapidly
- Incident response: Using enriched, correlated data on assets to expedite incident response investigations and remediation
- Continuous control monitoring: Identifying when security controls are missing and need to be applied
The Similarities between ITAM & Cybersecurity Asset Management
The first step for both a successful ITAM program and a successful cybersecurity asset management program is gaining an up-to-date asset inventory.
A large aspect of ITAM is identifying inefficiencies: redundant software, devices not being used, and more. You can’t do that without an up-to-date inventory of all hardware and software assets.
And not only that — you also need that inventory to accurately project and plan future IT costs.
A complete and up-to-date asset inventory is also table stakes for cybersecurity asset management.
“You can’t secure what you can’t see” is cliche, but always true. That’s why having an accurate inventory of all hardware and software assets is the first step in many security frameworks, like the CIS Controls.
So, how are asset inventories managed for ITAM and cybersecurity asset management? Until recently, both have relied on Configuration Management Databases (CMDBs).
For many companies, CMDBs are a single source of truth to track all assets. But with the rise of virtual machines and cloud computing, CMDBs rarely provide a complete picture of all assets at any given time.
And for cybersecurity asset management, CMDBs often lack the data that’s needed to truly understand assets from a security perspective.
The Differences Between ITAM & Cybersecurity Asset Management
IT teams are often involved in both ITAM and cybersecurity asset management. However, at many companies, IT teams stop at maintaining the asset inventory.
To ensure assets are secure and meet company security policies, security professionals often need to go further than just managing an asset inventory.
Instead, they need to answer critical questions, like:
- Are devices running the latest software versions?
- Are all devices covered by security controls?
- Are devices vulnerable?
Unfortunately, these questions are frequently left unaddressed in most asset inventories. To answer them, teams need to create asset inventories with rich, correlated data from sources that know about each asset — including cloud, virtual, and IoT assets, which are often unaccounted for.
That’s why many companies are turning to cybersecurity asset management solutions to pick up where ITAM solutions stop.
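The correlation described above, as an added example that is not part of the original article or any product: records from several sources are merged into one asset view, and each asset is checked for the sources that have no record of it. The source names (`cmdb`, `edr`, `cloud`, `scanner`), field names, and sample records are assumptions constructed for illustration.

```python
# Constructed sample exports; source names and fields are assumptions.
SOURCES = {
    "cmdb": [
        {"hostname": "WS-0142", "mac": "00:1A:2B:3C:4D:5E"},
        {"hostname": "srv-db01", "mac": "00-1a-2b-aa-bb-cc"},
    ],
    "edr": [{"hostname": "ws-0142.corp.example", "mac": "001a.2b3c.4d5e"}],
    "cloud": [{"hostname": "i-0abc-web", "mac": "0a:ff:ee:dd:cc:01"}],
    "scanner": [
        {"hostname": "SRV-DB01", "mac": "00:1a:2b:aa:bb:cc", "critical_vulns": 3},
        {"hostname": "i-0abc-web", "mac": "0A:FF:EE:DD:CC:01", "critical_vulns": 0},
    ],
}

def norm_mac(mac):
    """Reduce any MAC notation to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def norm_host(name):
    """Compare on the lowercase short name, ignoring any DNS suffix."""
    return name.lower().split(".")[0]

def correlate(sources):
    """Merge records that share a normalized MAC or short hostname."""
    assets, index = [], {}
    for source, records in sources.items():
        for rec in records:
            keys = [("mac", norm_mac(rec["mac"])), ("host", norm_host(rec["hostname"]))]
            # First matching key wins; a new asset is created when none match.
            asset = next((index[k] for k in keys if k in index), None)
            if asset is None:
                asset = {"name": norm_host(rec["hostname"]), "sources": set(), "attrs": {}}
                assets.append(asset)
            asset["sources"].add(source)
            asset["attrs"].update({f"{source}.{k}": v for k, v in rec.items()})
            for k in keys:
                index.setdefault(k, asset)
    return assets

def coverage_gaps(assets, required=("cmdb", "edr", "scanner")):
    """Map each asset name to the required sources that have no record of it."""
    gaps = {}
    for asset in assets:
        missing = [s for s in required if s not in asset["sources"]]
        if missing:
            gaps[asset["name"]] = missing
    return gaps

if __name__ == "__main__":
    for name, missing in coverage_gaps(correlate(SOURCES)).items():
        print(f"{name}: no record in {', '.join(missing)}")
```

In the sample data, the cloud instance appears in neither the CMDB nor the EDR export, which is the kind of unaccounted-for asset a single inventory source would miss.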