Back in late 2013, David Bicket, former convener of Working Group 21 (WG21) for the ISO ITAM standard, wrote a short article for the ITAM Review. That article summarised a meeting of WG21 that, among other things, mentioned work underway on an ITAM cybersecurity standard. In light of recent cybersecurity breaches, it makes sense to revisit the topic of cybersecurity and ITAM.
When reading about recent cybersecurity breaches, it is clear that they all involve different entry points (which makes this even more challenging). However, there are steps that organisations can and should take to minimise those entry points. I want to focus on one of those entry points as it is something that can be done before a breach, and perhaps save money at the same time.
1E has previously published research that summarises the extent of unused software within organisations. While reading that report, I was astonished to learn that, on average, more than a quarter of installed software is not being used. If the software has not been used, one has to wonder if it’s been updated with patches and updates to help ensure security. Further, if the software is unauthorised (illegal), it has a greater likelihood of being infected with malware, creating even more possible entry points, according to a study done by the University of Singapore and IDC.
But how does this relate to ITAM? I believe there are three reasons:
- Cybersecurity is everyone’s job. Those in ITAM need to be vigilant and ensure that their software is both legal (to stop possible entry points from malware) and updated with the latest patches and updates. This can only be done if you have processes in place to ensure a full and accurate accounting of what is installed across all of your devices. Knowing what is installed where is a critical first step in security – and ITAM practitioners should know what’s where in their organisation.
- Look for opportunities to lessen the risk. Is all of the software installed across your network actually being used? There are tools that will provide this information and, where software is not being used, give you options for removing it. Reducing the number of software titles (and indeed the variety of versions) on your network reduces the possible attack vectors for hackers seeking to exploit unpatched software. Reducing the software variety in your network also lessens the number of different applications that need to be updated with patches/updates.
- Establish policies and procedures – and verify they are working. All too often, policies are created and forgotten about. If a policy was established, it was done for a reason (at least at the time). If the policy is in place, test it to see that it is doing what it was designed for. If not, you know what to do. If you find the policy is out of date, fix it. Be a change agent – reduce the risk.
I don’t mean to suggest that cybersecurity challenges can always be overcome with effective IT Asset Management, but it certainly reduces the size of the hole that is probably already in your organisation. Reducing the size of the cybersecurity hole equates to reducing risk. Further, knowing what you have installed, and are actually using, can also save money. These seem like simple wins to me. IT Asset Managers should challenge themselves to add this to their remits and track and report these wins, which any CIO will want to see.