The hidden gaps in your asset inventory, and how to close them

In this Help Net Security interview, Tim Grieveson, CSO at ThingsRecon, breaks down the first steps security teams should take to regain visibility, the most common blind spots in asset discovery, and why context should drive risk prioritization.


What are the first steps a security team should take if they realize their asset inventory is incomplete or outdated?

The first step is to openly communicate the issue and alert stakeholders to the potential risks associated with an inaccurate inventory. The mindset that asset inventory is just a “one-time project” is outdated and needs to shift towards maintaining an ongoing living map that includes business context.

Start with the visibility you already have (endpoint agents, cloud providers, DNS records, procurement systems) and begin correlating. From there, introduce passive and active discovery methods that don’t rely solely on internal documentation. If the process hasn’t been automated, it’s fair to assume it’s out of date.

From a practical standpoint, the following steps may help strengthen your asset discovery efforts going forward:

Initiate an automated discovery process: Many organizations already have tools in place such as network scanners, EDR agents, or CMDBs. However, implementing purpose-built, continuous discovery tools will provide additional security through improved visibility and context.

Define the scope and objectives of the inventory: From hardware and software to cloud assets, categorize assets that need to be included in the inventory to avoid missing key elements of your environment.

Establish a cross-functional team: Asset inventory isn’t solely a security responsibility; it’s a collaboration between IT operations, network teams, development teams, and even business units to ensure all assets are identified and accurately documented. This will require clearly defined roles and responsibilities.

Develop a remediation plan: Define the steps involved to maintain the asset inventory update process, including timelines, responsible parties, and the tools being used.
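The correlation step described above (lining up what the CMDB says against what endpoint agents, the cloud provider and DNS actually report) can be automated in a few dozen lines. The following is an added example, not code from the interview or from ThingsRecon; every source list is constructed sample data standing in for a real export, and the three gap categories (undocumented, stale, no EDR coverage) are this example's own choice of what to flag first.

```python
"""Correlate partial inventory sources into one asset map and flag the gaps.

Added example (not from the interview or ThingsRecon). All inputs are
constructed sample exports; in practice they would come from a CMDB export,
the EDR console, the cloud provider API and DNS zone files.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed sample exports. Each source only knows part of the picture.
SOURCES: dict[str, list[str]] = {
    "cmdb": ["web-01.example.com", "db-01.example.com",
             "legacy-erp.example.com", "old-vpn.example.com"],
    "edr": ["web-01.example.com", "db-01.example.com", "dev-box-7.example.com"],
    "cloud": ["web-01.example.com", "test-env-2023.example.com",
              "dev-box-7.example.com"],
    # DNS exports often carry mixed case and a trailing dot; normalize() handles both.
    "dns": ["WEB-01.example.com.", "api.example.com.",
            "test-env-2023.example.com.", "legacy-erp.example.com."],
}

# Sources that reflect something actually running or resolvable, as opposed
# to the documented view kept in the CMDB.
OBSERVED_SOURCES = {"edr", "cloud", "dns"}


def normalize(name: str) -> str:
    """Canonical hostname form so the same asset lines up across sources."""
    return name.strip().lower().rstrip(".")


def correlate(sources: dict[str, list[str]]) -> dict[str, set[str]]:
    """Return {asset: {sources that reported it}} across every feed."""
    seen: dict[str, set[str]] = defaultdict(set)
    for source, names in sources.items():
        for name in names:
            seen[normalize(name)].add(source)
    return dict(seen)


def find_gaps(assets: dict[str, set[str]]) -> dict[str, list[str]]:
    """Classify each asset's gap relative to the documented (CMDB) view."""
    gaps: dict[str, list[str]] = {"undocumented": [], "stale": [], "no_edr": []}
    for asset, srcs in sorted(assets.items()):
        live = bool(srcs & OBSERVED_SOURCES)
        if live and "cmdb" not in srcs:
            gaps["undocumented"].append(asset)  # running, but never recorded
        if "cmdb" in srcs and not live:
            gaps["stale"].append(asset)         # exists on paper only
        if live and "edr" not in srcs:
            gaps["no_edr"].append(asset)        # live without endpoint coverage
    return gaps


def inventory_gaps() -> dict[str, list[str]]:
    """Run the whole pipeline over the sample sources."""
    return find_gaps(correlate(SOURCES))


if __name__ == "__main__":
    for category, names in inventory_gaps().items():
        print(f"{category:13s} {', '.join(names) or '-'}")
```

Each category maps to a different follow-up: undocumented assets need an owner and a CMDB record, stale ones need confirmation that they were really decommissioned (and their DNS and firewall rules removed), and live hosts without an EDR agent are the first place a detection team will be blind. Re-running this on a schedule, rather than once, is what turns the inventory into the living map the answer above describes.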

What are the biggest blind spots organizations typically face when it comes to discovering digital assets across on-prem, cloud, and SaaS environments?

The biggest blind spot isn’t a specific asset. It is trusting that what’s on paper is actually live and in production. Many organizations often solely focus on known assets within their documented environments, but this can create a false sense of security.

Blind spots are not always the result of malicious intent, but rather of decentralized decision-making, forgotten infrastructure, or evolving technology that hasn’t been brought under central control.

External applications, legacy technologies and abandoned cloud infrastructure, such as temporary test environments, may remain vulnerable long after their intended use. These assets pose a risk, particularly when they are unintentionally exposed due to misconfiguration or overly broad permissions.

Third-party and supply chain integrations present another layer of complexity. Even though these assets are not owned directly, they can still have a material impact on your environment. If a vendor is compromised, the risk is effectively transferred to you. Without automation and continuous validation, it’s difficult to trust that what’s on paper matches reality.

What types of assets are most commonly overlooked during traditional discovery processes?

Traditional discovery often misses anything that doesn’t leave a clear, traceable footprint inside the network perimeter. That includes subdomains spun up during campaigns or product launches; public-facing APIs without formal registration or change control; third-party login portals or assets tied to your brand and code repositories; or misconfigured services exposed via DNS. These assets live on the edge, connected to the organization but not owned in a traditional sense. That’s why they’re easy to miss and easy for attackers to find.

How should asset discovery integrate with other components of a cybersecurity stack, such as vulnerability management, threat detection, and CMDBs?

Without an accurate and ongoing discovery process, tools used for vulnerability management, threat detection, and even CMDBs are operating with incomplete or outdated information.

As we know, you can’t patch what you can’t see, and, more importantly, you can’t detect anomalies if you don’t know what’s supposed to be there. Asset discovery helps establish that baseline. It also plays a vital role in enriching and correcting CMDBs, which are often out of sync with what’s in production.

The key is to treat asset discovery as a source of truth, not an audit checkbox. It powers prioritization, response, and even compliance.

How do you recommend organizations prioritize discovered assets from a risk or exposure perspective?

Many vulnerability management programs rely heavily on CVE counts or severity scores; however, this approach fails to reflect the real-world risk to the business. Simply identifying a vulnerability isn’t enough. The context in which that vulnerability exists is what should drive prioritization.

For example, it’s important to ask whether the affected asset is internet-facing, whether it supports a business-critical function, or if it’s part of a supply chain or third-party integration.

It’s also worth considering whether the asset is actively used or dormant, how it is maintained, and who ultimately owns it. These details help determine both the likelihood and impact of a potential compromise.

Ultimately, organizations will get far more value by prioritizing based on exposure and proximity to critical operations, not just signature-based scanning. Risk isn’t just about what’s vulnerable; it’s about what’s exposed, exploitable, and important to the business.
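To make the prioritization argument concrete, here is an added example (not from the interview or ThingsRecon) that scores findings by the context questions raised above: internet exposure, business criticality, third-party involvement, dormancy and ownership. The findings are constructed, and the multipliers are illustrative assumptions chosen to show the mechanism, not a published standard; the point it demonstrates is that a moderate CVSS on an exposed, unowned, dormant asset can and should outrank a critical CVSS on a well-maintained internal one.

```python
"""Context-driven risk ranking: exposure and impact, not CVSS alone.

Added example (not from the interview or ThingsRecon). Findings are
constructed; the weights are illustrative assumptions, not a standard.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cvss: float               # the severity score on its own
    internet_facing: bool     # reachable from outside the perimeter?
    business_critical: bool   # supports a business-critical function?
    third_party: bool         # part of a supply-chain or vendor integration?
    dormant: bool             # nobody actively uses or maintains it
    owner: str | None         # None means nobody is accountable for fixing it


def likelihood(f: Finding) -> float:
    """How likely is this to be found and exploited? (illustrative weights)"""
    factor = 1.0
    if f.internet_facing:
        factor *= 3.0    # exposed assets are the ones attackers find first
    if f.dormant:
        factor *= 1.5    # unwatched and rarely patched
    if f.owner is None:
        factor *= 1.5    # no one to remediate quickly
    if f.third_party:
        factor *= 1.25   # vendor compromise transfers risk to you
    return factor


def impact(f: Finding) -> float:
    """How much does it matter if this asset is compromised?"""
    return 3.0 if f.business_critical else 1.0


def risk_score(f: Finding) -> float:
    """Severity scaled by exposure (likelihood) and proximity to critical ops (impact)."""
    return f.cvss * likelihood(f) * impact(f)


def prioritize(findings: list[Finding]) -> list[str]:
    """Asset names ordered by context-driven risk, highest first."""
    return [f.asset for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample findings. Note the highest CVSS is on the least exposed asset.
SAMPLE_FINDINGS = [
    Finding("intranet-wiki", 9.8, internet_facing=False, business_critical=False,
            third_party=False, dormant=False, owner="it-ops"),
    Finding("test-env-2023", 6.5, internet_facing=True, business_critical=False,
            third_party=False, dormant=True, owner=None),
    Finding("payments-api", 7.5, internet_facing=True, business_critical=True,
            third_party=False, dormant=False, owner="payments"),
    Finding("vendor-sso-portal", 5.0, internet_facing=True, business_critical=True,
            third_party=True, dormant=False, owner="vendor-mgmt"),
]


if __name__ == "__main__":
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(f"{f.asset:18s} cvss={f.cvss:4.1f}  context risk={risk_score(f):6.2f}")
```

Ranked by CVSS alone, the intranet wiki would be first in the queue; ranked by context, it is last, behind a 5.0 on a vendor-operated portal that fronts a business-critical function. The inventory fields this relies on (exposure, owner, criticality, last-seen activity) are exactly the business context the earlier answers argue the asset map must carry, which is why discovery and prioritization cannot be separated.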
