If you are not involved in asset management, you do not have information security

Hello, Habr! I present to you a translation of the article “If You're Not Doing Continuous Asset Management You're Not Doing Security” by Daniel Miessler.

The more a company can say about its assets, the better it is doing at security. The more comprehensive and up-to-date the asset inventory, the more mature the organization is in matters of information security. I have been convinced of this over 15 years of advising hundreds of corporate clients.

But just try, as a full-time employee or as a consultant, to get a person hired to create and maintain an asset inventory. In most cases, they will look at you as if you had asked to paint the walls with invisible paint. The expressions on their faces will say: “Listen, I don’t know where you’re from, but here we don’t have spare money to throw at silly administrative tasks.”

That's what their looks mean, and it's funny, considering what the money is actually spent on. Companies pay for cookies in the office, send people to useless trainings and conferences, and pour millions into marketing campaigns whose results can never be tied to sales. But spend money on having a list of what we are actually protecting? Nope. Too expensive. Money down the drain.

Asset management is perhaps the most important component of a security program, yet I know of roughly zero companies that have a dedicated employee for it.

People keep asking the wrong questions about breaches. Stop asking about compliance certificates, regulations or diplomas. None of that matters. Instead, let's ask which of these companies had an asset inventory with more than 60% coverage that was less than 30 days old. I think more than 99% of the companies that suffered a serious incident or leak over the past five years had no such list of their systems, data and vendors. I would be glad to hear from someone that I am wrong.

For most companies, the best thing they can do for their security program is to hire a person to maintain a near-real-time list of company assets.

And since we are playing with fire here, let's ask another question: what is regulatory compliance in information protection worth if it can be obtained without having a clue where your data is and what systems you have? How is that even possible? It is as if an automaker passed a crash test without ever providing the car.

Forget everything you knew about information security. Flush it down the toilet. All the regulations, security scanners, vulnerability management and audits. Let's call them “not-bad-to-have”.

The indicator of a security team's maturity is its answers to these questions:

  • What is exposed to the Internet right now?
  • How many systems do you have?
  • Where is your data?
  • How many vendors do you use?
  • Which data is processed on which vendors' equipment?

If they stare at you blankly, they are not doing real security. If they don’t know what they are protecting, it’s just an expensive, broken car burning the company's money.

They are a teacher who does not count the students on a dangerous trip, a military commander who has lost track of his units, a parent who has no idea what their child is doing. In a word, they are lost. And the fiasco is inevitable. This does not mean that they do not know security, or that they lack a well-coordinated team. It is a trap that many great teams fall into.

If we want to know the true level of security, let's use a single metric for the entire industry: “Accuracy and freshness of the asset inventory”. You can start with something like this:

  • A: 90% accuracy, or 1 week old
  • B: 80% accuracy, or 1 month old
  • C: 70% accuracy, or 2 months old
  • D: 60% accuracy, or 3 months old
  • E: 50% (or less) accuracy, or 1 year old

Now, set every security team leader the goal of reaching 95% accuracy with daily/weekly updates within 6 months. The price will simply be the salary of the 1-3 people hired to do this. It will reduce breaches and cost several times less than the pile of products we purchase and deploy every year.
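To make the metric concrete, here is an added example (not code from the article or from Daniel Miessler) that scores an asset inventory on the two dimensions the article names, coverage and freshness, and maps the result onto the A–E scale above. It also serves the earlier point about “more than 60% coverage, less than 30 days old”. The host names, dates and the discovery set are constructed; reading “X% accuracy, or N weeks old” as two independent dimensions and taking the weaker grade, measuring freshness as the age of the stalest record, and using the overlap of the inventory with an independently observed set as “accuracy” are this example's own assumptions.

```python
"""Asset-inventory accuracy and freshness grading (added example, constructed data)."""
from datetime import date

# Grading scale from the article: letter, minimum accuracy, maximum age in days.
# Mapping "1 month" to 30 days, "2 months" to 60 and "3 months" to 90 is an
# assumption of this example.
GRADE_SCALE = [
    ("A", 0.90, 7),
    ("B", 0.80, 30),
    ("C", 0.70, 60),
    ("D", 0.60, 90),
    ("E", 0.00, 365),
]

# Constructed sample inventory (hypothetical hosts): name -> date it was last verified.
INVENTORY = {
    "web-01": date(2024, 6, 1),
    "web-02": date(2024, 5, 30),
    "db-01": date(2024, 5, 25),
    "vpn-01": date(2024, 3, 15),
}

# Constructed result of an independent discovery source (a network scan, a cloud
# API listing, DNS, whatever you trust) taken on TODAY. "shadow-it-01" is the
# host nobody put in the inventory.
OBSERVED = {"web-01", "web-02", "db-01", "vpn-01", "shadow-it-01"}
TODAY = date(2024, 6, 3)


def accuracy(inventory, observed):
    """Share of assets on which the inventory and reality agree.

    Overlap of the two sets divided by their union (assumption): unknown hosts
    (observed but not inventoried) and ghost records (inventoried but no longer
    observed) both lower the score.
    """
    inv = set(inventory)
    union = inv | set(observed)
    if not union:
        return 1.0
    return len(inv & set(observed)) / len(union)


def age_days(inventory, today):
    """Freshness measured as the age of the stalest record (assumption)."""
    if not inventory:
        return 0
    return max((today - verified).days for verified in inventory.values())


def grade(acc, age):
    """Letter grade: the worse of the accuracy grade and the freshness grade."""
    by_accuracy = next(letter for letter, min_acc, _ in GRADE_SCALE if acc >= min_acc)
    by_age = next((letter for letter, _, max_age in GRADE_SCALE if age <= max_age), "E")
    # Letters sort A < B < ... < E, so max() picks the weaker of the two grades.
    return max(by_accuracy, by_age)


def report(inventory, observed, today):
    """Score the inventory and list the records that need attention."""
    inv = set(inventory)
    acc = accuracy(inventory, observed)
    age = age_days(inventory, today)
    return {
        "accuracy": acc,
        "age_days": age,
        "grade": grade(acc, age),
        "unknown_assets": sorted(set(observed) - inv),   # seen but not inventoried
        "ghost_records": sorted(inv - set(observed)),    # inventoried but not seen
        "stale_records": sorted(n for n, d in inventory.items() if (today - d).days > 30),
    }


if __name__ == "__main__":
    r = report(INVENTORY, OBSERVED, TODAY)
    print(f"accuracy={r['accuracy']:.0%}  age={r['age_days']}d  grade={r['grade']}")
    print("unknown assets:", r["unknown_assets"])
    print("ghost records: ", r["ghost_records"])
    print("stale records: ", r["stale_records"])
```

On the constructed data the inventory covers 80% of what the scan sees (a B on accuracy) but its stalest record is 80 days old, so the overall grade is D: good coverage does not rescue an inventory nobody has verified recently. The `unknown_assets` list is the practical output, since an unknown host is exactly what the article means by not knowing what you are protecting.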

I am not saying that it is easy, or that I have always done this well myself. Like many, I did not always take it seriously enough. But if you are not willing to pay one or more people to do asset management full time, you are not on the path to failure, you have already failed. Of course, I am not urging anyone to abandon other important protective measures. But I am saying that this should be the priority for improving security, and you can pay for it with money that is being spent inefficiently on other things.

Original author: Daniel Miessler

About the author

Daniel Miessler is an information security specialist and writer, born, raised and living in Northern California:
My main intellectual passions in life come down to the following:
  1. Studying interesting principles of how the world works: identifying, describing and documenting them.
  2. Solving real problems using structured knowledge.
  3. Sharing and discussing with others both the models themselves and how they can be applied to change the world.

In other words, I like to find patterns in things, build models of how the world works, and discuss, share and use those models to improve life in one way or another.
