The National Cyber Security Centre (NCSC) is the UK’s leading government authority dedicated to helping businesses, government agencies, and individuals stay cyber secure. The organisation was formed in 2016 and is a collaborative effort between the CESG, the Centre for Cyber Assessment, CERT-UK, and the National Protective Security Authority. As such, the NCSC offers practical guidance and support to its constituency. A critical element of the NCSC’s mission is Cyber Essentials, a cybersecurity assessment framework and certification process which incorporates leading security practices known to reduce the likelihood of a successful compromise by a threat actor. To achieve Cyber Essentials certification, organisations must meet certain requirements.
In 2022, the NCSC released a major update to Cyber Essentials that was focused on fighting present-day threats, securing modern infrastructure, and countering cyber criminal tactics and techniques. Shortly thereafter, the NCSC announced that it would provide additional requirements in April 2023. The additional requirements came at the recommendation of assessors and applicants, and were meant to provide greater specificity and guidance in key areas of cybersecurity.
The April release centred on five technical controls:
However, the controls aren’t the only focus of the updated guidance. In this edition, the NCSC added a precursor to the technical controls: a process that serves as the foundation of any thorough, hardened cybersecurity program. That precursor is asset management.
For the first time in the history of Cyber Essentials guidance, asset management was listed — before any new guidance on the technical controls — as a critical element that’s necessary to meet all the other requirements. Specifically, the document states, “effective asset management can help meet all five controls, so it should be considered as a core security function”. It further adds that, “Integrating and coordinating asset management across your organisation will help reduce or manage any conflicts between these functions”, and that “creating, establishing and maintaining authoritative and accurate information about your assets… enables both day-to-day operations and efficient decision making when you need it. In particular, it will help you track and control devices as they're introduced into your business”.
At Axonius, we are glad to see the NCSC, along with other government oversight entities, include cybersecurity asset management in their guidance and requirements documents. Axonius was founded precisely because cybersecurity asset management (including SaaS application asset management) is a foundational element of running any effective cybersecurity program. It’s the old adage (attributed to Peter Drucker): “You can’t manage what you don’t measure.” Continuous measurement of the attack surface — asking questions such as: How many Windows devices do we have? How many assets are in my cloud environments? Which SaaS apps are my users accessing? Which systems are unpatched? Do I have malfunctioning agents? — is the only way to understand the technology landscape and therefore to create processes that properly manage and secure it. The ability to apply effective security controls relies on knowing:
In today’s digital world, the sheer volume of assets is enough to create measurement and management problems. But take into account the fluctuation in not only the number, but also the types and security states of every asset, and security and operations teams are facing serious asset-based challenges.
This is why it’s critical for organisations to deploy automated cybersecurity asset management, and why we believe the NCSC and other government agencies are starting to emphasise cybersecurity asset management in their guidance and requirements. Organisational operations depend on technology (i.e., assets) running without disruption, which means they must not suffer the confidentiality, availability, or integrity failures that follow a cyber compromise. Incorporating automated and continuous cyber asset management into your organisation therefore strengthens resilience and overall risk management. Cybersecurity asset management, when done properly, provides an authoritative, consolidated, and accurate source of truth about your business (not just your technology) that allows you to keep your organisation on track.
If you won’t take our word for it, earlier NCSC guidance says that “Asset management provides the foundation for most other areas of cybersecurity”, including:
“Culture is the foundation for any high-performing team. We all process information differently, we listen differently. We come from different backgrounds and experiences. No matter who you are, I want to know that. I want to understand what makes you you and treat you the way you want to be treated, not how I project myself onto you.”
— Jen Easterly, director, Cybersecurity and Infrastructure Security Agency (CISA)
“[Create an environment] where people can understand when they can take time off and not feel like everything is going to fall apart. [Where] they have a plan for their career and how they’re going to grow. [Where] they have time to be with their friends and family enough not to be burned out.”
— Deidre Diamond, founder and CEO of CyberSN and Security Diversity
“Actively invite engagement, listen with purpose, and look for signs of burnout. You can't expect everyone to feel equally comfortable expressing an opinion, and so it's important to solicit feedback at times as opposed to always passively expecting it. When you are getting engagement, listen with purpose. Make an effort to not only hear what's being said, but understand and empathize. Lastly, look for signs of burnout. … If you're noticing signs of burnout on the team, look for ways to intervene, like ensuring adequate team resourcing/load balancing to create a healthy work/life balance for everyone, and that team members are able to take PTO.”
— Daniel Trauner, senior director of security, Axonius
“We need an environment where failure is not only tolerated, but an understood aspect of innovation. Our attackers are failing forward every single day, [and] we deserve the ability to do the same if we are going to protect our people, data, and organizations.”
— Chris Cochran, co-founder at Hacker Valley Media and creative director at Axonius