Organizations must take risks in order to operate. Each organization determines what level of risk is acceptable to that organization. This concept is known as risk appetite. Security is the process of examining risk across an organization and taking defined steps to reduce those risks to a level that is acceptable to the organization. Security is NOT the act of eliminating all risk. This is impossible. Every action or activity has inherent risk. We all make risk-based decisions every day. Life would not be possible without the ability to discern risk level and act accordingly.
Unfortunately, just as there are many people who lack discernment and take risks that put themselves and others at risk, some businesses also forego the process of properly assessing their risk profile and as a result put people, data and their organization at risk.
One major component of assessing risk is fully understanding the assets that need protecting. We do this in our personal lives by implementing protective measures to protect our family, our homes, our vehicles and other things of value. A business must also understand what assets it possesses before any risk assessment or protective controls can be implemented.
What is an Asset?
When we think about an asset, we tend to think in terms of tangible items, things that we can touch or hold. While this is true, assets can also be intangible things like ideas, processes, trade secrets and intellectual property. Think of assets as anything you can inventory.
Here are some examples of tangible assets:
- People (from a protection and safety perspective)
- Laptops
- Monitors
- Networking gear
- Office supplies
- Furniture
- Vehicles
- Software
Placing a dollar value on tangible assets is straightforward.
Here are some examples of intangible assets:
- People (from a skill and contribution to business perspective)
- Web sites
- API endpoints
- Source code
- IP addresses
- Manufacturing, coding and other operational processes
- Customer data
- Employee data
- Operational documentation
- Service providers
- Aggregate employee skills and expertise
Placing a dollar value on intangible assets is a more difficult process.
Why Does Asset Inventory Matter?
Imagine you purchase a home and need to secure homeowners’ insurance. Coverage usually is broken down into three main categories: Structure, Contents and Liability.
Premiums are based on many factors including the replacement value of the dwelling, the coverage limit on the contents and the limits on the liability coverage. All other factors being equal, it’s best to purchase insurance with contents coverage that would provide enough benefit to replace the entire contents of your home in the case of a catastrophic loss, while not paying for more coverage than you need.
Here is where an accurate inventory of the contents of your home comes into play. By compiling an accurate list of the contents of your home and estimating the replacement costs, you can confidently purchase the appropriate coverage limit on your home’s contents thus securing and protecting your investment.
The idea here is that you cannot protect what you don’t know exists. The protection in this case is insurance.
Similar to insuring your home, businesses must accurately manage their asset inventory. A solid asset management process is foundational to an organization’s ability to protect and secure those assets. A business cannot protect that which it does not know exists. This is why companies implement various reporting measures to inventory devices, installed software, vulnerabilities, and other metrics as well as onboarding processes for outside vendors. Our goal is to understand the risks to the business and the attack surface that could be used by malicious actors. Every asset presents some risk to an organization.
Asset Management
The process of monitoring and tracking assets is known as asset management. In most businesses, every department carries out this process to some degree, with centralized management of cyber assets handled by the IT department and other Engineering teams. Each department may have its own processes for asset management. Each asset has a lifecycle that must be tracked from the acquisition of that asset to the decommissioning and destruction of that asset. These processes are particularly critical for assets that are distributed to users outside of a central office or assets that contain or have access to critical corporate, employee or customer data. This includes third party cloud-based applications.
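The two preceding sections make the point that a business cannot protect what it does not know exists, and that every asset has a lifecycle that must be tracked. The script below is an added example, not code from the original post, of the kind of reporting measure that turns those ideas into findings: it reconciles a constructed inventory (CMDB) against a constructed discovery scan and flags assets that are on the network but not in the inventory, inventoried assets that have gone quiet, assets with no accountable owner, and assets marked decommissioned that are still responding. The record layouts, hostnames and addresses are all assumptions made up for the example.

```python
"""Reconcile an asset inventory (CMDB) against a network discovery scan.

Added example with constructed data. The record layouts (hostname, ip,
owner, status, last_seen) are assumptions, not any product's real schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    owner: str   # accountable team; "" if nobody is recorded
    status: str  # lifecycle state: "active" or "decommissioned"


@dataclass(frozen=True)
class Sighting:
    ip: str
    hostname: str
    last_seen: date


# Constructed CMDB records (not real hosts or addresses).
CMDB = [
    Asset("web-01", "10.0.1.10", "platform", "active"),
    Asset("db-01", "10.0.1.20", "data", "active"),
    Asset("legacy-ftp", "10.0.1.30", "", "active"),
    Asset("old-build", "10.0.1.40", "ci", "decommissioned"),
    Asset("laptop-7", "10.0.2.50", "it", "active"),
]

# Constructed discovery-scan results for the same network.
SCAN = [
    Sighting("10.0.1.10", "web-01", date(2024, 5, 1)),
    Sighting("10.0.1.20", "db-01", date(2024, 5, 1)),
    Sighting("10.0.1.30", "legacy-ftp", date(2024, 5, 1)),
    Sighting("10.0.1.40", "old-build", date(2024, 5, 1)),
    Sighting("10.0.1.99", "unknown-host", date(2024, 5, 1)),
]

# The date the review is run (constructed).
AS_OF = date(2024, 5, 2)


def reconcile(cmdb, scan, as_of, stale_after_days=30):
    """Return the findings an asset-management review would act on."""
    known = {a.ip: a for a in cmdb}
    seen = {s.ip: s for s in scan}
    stale_after = timedelta(days=stale_after_days)
    findings = {
        "unknown": [],              # live on the network, absent from the inventory
        "stale": [],                # active in inventory, not seen recently
        "no_owner": [],             # nobody accountable for an active asset
        "decommissioned_live": [],  # marked retired but still responding
    }

    # Anything the scan found that the inventory does not know about.
    for ip in seen:
        if ip not in known:
            findings["unknown"].append(ip)

    # Lifecycle and ownership checks for every inventoried asset.
    for ip, asset in known.items():
        sighting = seen.get(ip)
        not_seen_recently = sighting is None or as_of - sighting.last_seen > stale_after
        if not_seen_recently:
            if asset.status == "active":
                findings["stale"].append(asset.hostname)
        elif asset.status == "decommissioned":
            findings["decommissioned_live"].append(asset.hostname)
        if asset.status == "active" and not asset.owner:
            findings["no_owner"].append(asset.hostname)

    return {name: sorted(items) for name, items in findings.items()}


if __name__ == "__main__":
    for category, items in reconcile(CMDB, SCAN, AS_OF).items():
        print(f"{category}: {items}")
```

Each finding maps to one of the concerns in the text: an unknown host is an asset the business does not know exists, a stale or ownerless record is an asset whose lifecycle nobody is tracking, and a decommissioned host that still answers is a lifecycle step (destruction) that was never completed.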
Each corporate asset adds risk to the organization at some level. Those risks are evaluated, and controls are put in place to lower those risks to a level that is acceptable to the organization. Reducing risk and protecting an organization starts with proper asset management coupled with a solid risk management program.
An organization’s goal is to properly understand its asset profile, understand the risks and reduce those risks. There are four basic ways to handle risk:
- Accept the risk – document and monitor the risk and go about your business.
  ex. Driving to work is risky, but we accept the risk and do it anyway.
- Avoid the risk – document and monitor the risk and take active steps to not engage in the activity.
  ex. Certain software with a high likelihood of exploitation is removed from all devices.
- Reduce the risk – document and monitor the risk and implement controls that reduce the risk to a level acceptable to the business.
  ex. Passwords can be compromised, so implementing MFA reduces the risk of access by malicious actors.
- Transfer the risk – document and monitor the risk and transfer the risk to another entity.
  ex. Instead of building your own infrastructure in a data center, your business could outsource this to AWS and transfer certain risk to AWS.
Asset management is foundational and should be a part of every team’s operational procedures. This helps us protect our data and people as well as minimize the likelihood that a forgotten asset could lead to an expensive, business-impacting compromise. It’s the basis for a strong corporate security and compliance program.