Organizations today have a comprehensive arsenal of security tools to protect corporate-assigned devices. However, they can only protect the assets they know about. Finding the “unknown unknowns” presents a challenge.
On the surface, IT service management (ITSM) shares a lot of similarities with cybersecurity asset management. For starters, understanding all of the assets your organization has (devices, applications, cloud instances, users, and more) is fundamental to both functions.
But the core objectives of ITSM and cybersecurity asset management are very different.
IT service management is about maximizing business value from your IT stack.
Cybersecurity asset management is about knowing everything you have and applying security controls.
What Is IT Service Management?
IT service management includes all the activities needed to deliver IT services to employees and customers.
Frequently, this means establishing an IT Service Desk to provide a single point of communication that meets the needs of customers and employees.
There are many other functions of ITSM, too:
- Asset management: Tracking, updating, and mapping the hardware and software assets of the organization. This is often done using a Configuration Management Database (CMDB)
- Change management: Minimizing the impact and disruption of services when changes to IT infrastructure need to be made
- Knowledge management: Documenting IT information and sharing it across the organization (often in the form of a knowledge base)
- Project management: Planning needed operational changes to IT systems associated with business projects
- Incident and problem management: Handling single incidents and interruptions to service, and larger problems that may stem from multiple issues that share the same root cause
With the rise of agile development, ITSM is now heavily focused on serving DevOps and product-focused teams.
There are a variety of standards for ITSM, but the Information Technology Infrastructure Library (ITIL) framework is the most widely adopted.
What Is Cybersecurity Asset Management?
Cybersecurity asset management is the process of gathering asset data (devices, cloud instances, and users) to strengthen core security functions, including:
- Detection and response: Ensuring detection and response capabilities provide coverage across the enterprise
- Vulnerability management: Understanding which assets may be vulnerable to exploits, and ensuring all assets are being evaluated for vulnerabilities
- Cloud security: Ensuring that cloud instances are secure and configured to prevent overly permissive access rights, even when they’re commissioned and decommissioned rapidly
- Incident response: Using enriched, correlated data on assets to expedite incident response investigations and remediation
- Continuous control monitoring: Identifying when security controls are missing and need to be applied
The Similarities Between ITSM & Cybersecurity Asset Management
To be successful, both cybersecurity asset management and ITSM require a full understanding of hardware and software assets.
For ITSM, understanding all assets helps quantify the cost of delivering services and project the cost of any changes needed to IT infrastructure.
Cybersecurity asset management revolves around understanding all assets in order to strengthen the overall security posture.
The Differences Between ITSM & Cybersecurity Asset Management
While both functions provide a level of detail around assets, cybersecurity asset management focuses on a comprehensive understanding of all assets and their relationship to security posture, while ITSM centers on delivery with minimal disruption.
ITSM can usually function well even if some assets aren’t accounted for.
As long as IT services are reaching end-user customers efficiently and there’s minimal disruption, ITSM can enable the business to meet its larger goals.
In contrast, the strength of a cybersecurity asset management practice includes a complete understanding of all assets to minimize an organization's attack surface.
This includes knowing where all assets are located, what software exists on them, if they’re being protected by existing security controls, and — most importantly — if the asset adheres to company security policies.
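The "unknown unknowns" and control gaps described above surface only when inventories from different tools are correlated: an asset the vulnerability scanner sees but the CMDB has never recorded, or a CMDB asset with no EDR agent reporting. The following Python script is an added example, not code from the original article or from any product it describes; the four inventories, the hostnames in them, and the policy (every asset must be in the CMDB and must have an EDR agent) are constructed assumptions.

```python
"""Reconcile asset inventories from several tools to find unknown assets and control gaps."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Gaps:
    unknown_to_cmdb: frozenset   # seen by a security tool, but absent from the CMDB
    missing_edr: frozenset       # assets with no EDR agent reporting
    never_scanned: frozenset     # CMDB assets the vulnerability scanner has not evaluated
    edr_coverage: float          # fraction of the full asset universe with an EDR agent


# Constructed sample inventories (hypothetical hostnames, not from any real environment).
# Each tool reports names in its own style: different case, with or without a domain suffix.
CMDB = {"fin-lt-01", "fin-lt-02", "web-srv-01", "db-srv-01"}
EDR_AGENTS = {"FIN-LT-01", "Web-Srv-01.corp.example", "db-srv-01", "dev-lt-07"}
VULN_SCANNER = {"fin-lt-01", "fin-lt-02", "web-srv-01", "dev-lt-07", "printer-3f"}
CLOUD_INSTANCES = {"api-01.cloud.example"}


def normalize(name: str) -> str:
    """Collapse tool-specific naming so the same device matches across sources."""
    return name.strip().lower().split(".")[0]


def reconcile(cmdb, edr, scanner, cloud) -> Gaps:
    """Build the union of everything any tool has seen, then compare each source against it."""
    cmdb = {normalize(n) for n in cmdb}
    edr = {normalize(n) for n in edr}
    scanner = {normalize(n) for n in scanner}
    cloud = {normalize(n) for n in cloud}

    # The asset universe is everything any source knows about, not just the CMDB.
    universe = cmdb | edr | scanner | cloud
    return Gaps(
        unknown_to_cmdb=frozenset(universe - cmdb),
        missing_edr=frozenset(universe - edr),
        never_scanned=frozenset(cmdb - scanner),
        edr_coverage=len(edr & universe) / len(universe) if universe else 1.0,
    )


def policy_violations(gaps: Gaps) -> frozenset:
    """Assumed policy: every asset must be recorded in the CMDB and protected by EDR."""
    return gaps.unknown_to_cmdb | gaps.missing_edr


if __name__ == "__main__":
    g = reconcile(CMDB, EDR_AGENTS, VULN_SCANNER, CLOUD_INSTANCES)
    print("Unknown to CMDB:     ", sorted(g.unknown_to_cmdb))
    print("Missing EDR agent:   ", sorted(g.missing_edr))
    print("Never scanned:       ", sorted(g.never_scanned))
    print(f"EDR coverage:         {g.edr_coverage:.0%}")
    print("Policy violations:   ", sorted(policy_violations(g)))
```

Two design points matter in practice. First, the denominator for coverage is the union of all sources, not the CMDB; measuring EDR coverage against the CMDB alone would report 75% here while hiding the devices nobody has catalogued. Second, hostname normalization is the minimum needed to correlate sources; real inventories usually require matching on several keys (MAC address, serial number, cloud instance ID) because hostnames are reused and renamed.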
Delivering a successful cybersecurity asset management program translates to effectively managed risk for the business. And when risk is managed effectively, businesses are more likely to meet (and even surpass) their goals.