Sometimes buzzwords are good predictors of what organizations see as priorities in a given year. If you surveyed both the revenue-generating and security functions of enterprises in 2019, you would hear two terms often repeated: digital transformation and zero trust.
While the two terms may seem at linguistic odds, the idea that organizations must embrace the digital age to drive growth and operate more efficiently while simultaneously maintaining adequate information security makes sense. It won’t be easy, though, as there’s a persistent problem that has to be solved before reconciling those two initiatives.
The march toward the digital promised land
While definitions vary, digital transformation can be boiled down to the application of technology in every business function to crush inefficiency.
Enterprises are ripe with examples of staggering inefficiencies. For example, a 2017 survey by the Credit Research Foundation revealed that nearly half of all business payments are made by paper check. Baffling, to be sure, but the good news is that businesses are recognizing that it’s time to make a change. In fact, a recent survey from AppDirect found that nearly 80% of companies are in the process of strategizing and implementing their digital transformation initiatives.
The war against manual business processes is certainly a net positive, but it isn’t waged without security challenges. The concept of digital transformation is about more than just onboarding technologies: with every new asset, user or device added, enterprises are continuously and increasingly introducing new risks.
Open the digital floodgates, yet trust no one
At the same time businesses rush to employ new technologies, the security function is embracing a new model that challenges the traditional approach to keeping information secure: zero trust.
While traditional information security approaches used the castle-and-moat analogy that focused on defending a perimeter and assumes anything on the inside is safe, the zero trust model makes no assumption based on position relative to perimeter.
Just because a user or asset has made it onto the corporate network it does not automatically mean they should be trusted. Employing the zero trust model means verifying anything and everything trying to connect to the organization’s systems before granting access.
Two excellent aspirations, one nagging issue: Asset management
The business wants to use technology to increase speed, efficiency and growth. Security wants to interrogate every asset, device and user at all times to be sure all access is appropriate.
Both are noble ambitions, but there’s one issue that must be solved first before either of these initiatives can succeed: asset management.
Asset management is the Toyota Camry of cybersecurity. In a landscape of solutions using AI, machine learning, deception and other sci-fi sounding technologies, getting a credible inventory of all laptops, desktops, servers, VMs, cloud instances, users, and so on, is decidedly unsexy. But despite the lack of luster, understanding all assets and how they adhere to the overall security policy is the only way organizations can both embrace digital transformation while continuously validating whether assets, users, and devices should be granted access.
Here are five reasons why asset management is necessary for achieving digital transformation and zero trust.
1. A staggering number of devices
With Gartner Research projecting that the number of connected things will reach 14.2 billion in 2019 and 25 billion by 2021, managing this increasing number of connected assets, devices and users is quickly becoming an urgent security priority for CISOs, CIOs, and frankly, organizations everywhere.
More recent trends like BYOD, mobile devices, remote work and the cloud have led to a significant shift in the way organizations think about which devices they’re responsible for securing. In a world where any device has access to corporate information, the sheer number of devices security teams are tasked with identifying and securing is astounding. As organizations continue to grow, it’s no longer possible or scalable to ensure that every device or cloud instance is covered by the security solutions required by the corporate security policy.
2. A growing attack surface and opportunistic cyber criminals
The rise in the number of assets means that enterprises across the globe continue expanding their attack surface. Most of the high-profile breaches we hear about today are a result of inadequate cybersecurity asset management. Whether it’s an unpatched Apache server, a public-facing Amazon bucket or a smart fish tank in a casino, organizations are often breached when an attacker can find an easy way into the environment, which frequently happens by exploiting an asset that isn’t accounted for or does not adhere to security policy.
3. Too many tools with not enough answers
New products, solutions, and services are introduced to the market every day, and as a result, companies purchase and onboard a myriad of products to secure a variety of different assets. The problem is that instead of making life easier and more secure, the sheer volume of these devices ends up creating silos of information, making it more difficult for security teams to answer basic questions about their security posture like “How many Windows hosts do I have?” and “Are they adhering to our security policy?”.
4. The inevitable march to the cloud
The cloud is fast, cheap and scalable, which is why 85% of companies have adopted and utilized cloud infrastructure moderately or extensively in the past year. Unfortunately, the security solutions once used for on-premise devices don’t always translate to the cloud.
5. Too much work, too few resources, never enough time
Although the number of connected devices, assets, and users is increasing, skilled security professionals are in short supply, expensive, and overworked.
Considering the ever-expanding attack surface and talent gap, CISOs don’t want to use scarce, highly-trained resources to take on manual, tedious tasks like inventorying every asset. This problem is multiplied when the assets are siloed and distributed across a variety of products, tools, and solutions.
We’re at a time in cybersecurity where despite all of the advanced technologies available to businesses, the industry has yet to solve the old and unsexy problem of asset management for cybersecurity.
As long as digital transformation continues on, this age-old problem worsens. If your organization is onboarding or deploying new technologies, there’s no better time to develop, optimize and strategize cybersecurity asset management.