Organizations today have a comprehensive arsenal of security tools to protect corporate-assigned devices. However, they can only protect the assets they know about. Finding the “unknown unknowns” presents a challenge.
On the surface, IT service management (ITSM) shares many similarities with cybersecurity asset management. For starters, understanding all of the assets your organization has (devices, applications, cloud instances, users, and more) is fundamental to both functions.
But the core objectives of ITSM and cybersecurity asset management are very different.
IT service management is about maximizing business value from your IT stack.
Cybersecurity asset management is about knowing everything you have and applying security controls.
IT service management includes all the activities needed to deliver IT services to employees and customers.
Frequently, this means establishing an IT Service Desk to provide a single point of communication that meets the needs of customers and employees.
There are many other functions of ITSM, too:
With the rise of agile development, ITSM is now heavily focused on serving DevOps and product-focused teams.
There are a variety of standards for ITSM, but the Information Technology Infrastructure Library (ITIL) framework is the most widely adopted.
Cybersecurity asset management is the process of gathering asset data (devices, cloud instances, and users) to strengthen core security functions, including:
To be successful, both cybersecurity asset management and ITSM require a full understanding of hardware and software assets.
For ITSM, understanding all assets helps teams better understand the costs of delivering service and to project costs for any changes needed to IT infrastructure.
Cybersecurity asset management revolves around understanding all assets in order to strengthen the overall security posture.
While both functions provide a level of detail around assets, cybersecurity asset management focuses on a comprehensive understanding of all assets and their relationship to security posture, while ITSM centers on delivery with minimal disruption.
ITSM can usually function well even if some assets aren’t accounted for.
As long as IT services are reaching end-user customers efficiently and there’s minimal disruption, ITSM can enable the business to meet its larger goals.
In contrast, a strong cybersecurity asset management practice requires a complete understanding of all assets in order to minimize the organization's attack surface.
This includes knowing where all assets are located, what software exists on them, whether they're being protected by existing security controls, and, most importantly, whether each asset adheres to company security policies.
Delivering a successful cybersecurity asset management program translates to effectively managed risk for the business. And when risk is managed effectively, businesses are more likely to meet (and even surpass) their goals.