
IT risk management is a pain in the asset

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.

There's a line from an old Allman Brothers song that goes, "Can't spend what you ain't got/Can't lose what you never had."

Maybe it's just me, but this lyric reminds me of the situation I see around asset management. Large organizations have deployed so many new endpoints, servers and networking devices over the past 20 years that they genuinely have no idea what's there. Sometimes they know that a generic asset like "an Oracle database" exists, but not which release it is, which patches have been applied, who holds system administration rights, and so on. Very, very scary.

If you think that I'm exaggerating, check out the past few Federal Information Security Management Act (FISMA) report cards. Massive federal agencies such as the Department of Homeland Security (DHS) get low marks for asset management. If DHS can't identify its assets, how secure can it be?

There is no magic bullet here. Yes, there are tools to automate asset discovery, but they won't find everything, and they won't necessarily give a complete, detailed picture of each asset's characteristics. Ever see store employees counting cans of peas on your supermarket shelf? That's what it takes to get started.
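One way to put a number on the gap the last two paragraphs describe is to reconcile what a discovery tool actually observed against what the CMDB claims, and to flag records that stop at "an Oracle database exists" without release, patch level or an owner. The script below is an added example, not code from the column or from any product it mentions; both data sets are constructed sample records, and the attribute names (`version`, `patch_level`, `admins`) are assumptions standing in for whatever a real inventory schema uses.

```python
"""Reconcile a discovery scan against a CMDB to measure the asset-inventory gap.

Added example with constructed data; attribute names are assumed, not taken
from any particular discovery tool or CMDB product.
"""
from dataclasses import dataclass

# Detail the column says an inventory needs beyond "an Oracle database exists":
# which release, which patches, and who administers it.
REQUIRED_DETAIL = ("version", "patch_level", "admins")

# Constructed: what the discovery scan reported (hostname -> observed facts).
DISCOVERED = {
    "db01": {"product": "Oracle Database", "version": "10.2.0.4"},
    "db02": {"product": "Oracle Database", "version": "10.2.0.1"},
    "web07": {"product": "Apache httpd", "version": "2.2.3"},
    "switch-3a": {"product": "Cisco IOS", "version": None},  # found, not fingerprinted
}

# Constructed: what the CMDB claims exists.
CMDB = {
    "db01": {"product": "Oracle Database", "version": "10.2.0.4",
             "patch_level": "CPU Jan 2007", "admins": ["dba-team"]},
    "db02": {"product": "Oracle Database"},  # the bare "an Oracle database exists" record
    "web07": {"product": "Apache httpd", "version": "2.0.59",
              "patch_level": None, "admins": []},  # stale version, nobody owns it
    "app12": {"product": "WebLogic", "version": "9.2",
              "patch_level": "MP1", "admins": ["appops"]},  # never seen by the scan
}


@dataclass
class GapReport:
    unknown: list      # discovered on the network, absent from the CMDB
    ghost: list        # in the CMDB, not discovered (decommissioned or unreachable)
    incomplete: dict   # host -> required attributes the CMDB record lacks
    drift: dict        # host -> (cmdb_version, observed_version) where they disagree


def reconcile(discovered, cmdb):
    """Compare scan results with CMDB records and classify every discrepancy."""
    unknown = sorted(set(discovered) - set(cmdb))
    ghost = sorted(set(cmdb) - set(discovered))
    incomplete = {}
    drift = {}
    for host, record in cmdb.items():
        missing = [key for key in REQUIRED_DETAIL if not record.get(key)]
        if missing:
            incomplete[host] = missing
        observed = discovered.get(host)
        # Only compare versions when both sides actually have one.
        if (observed and observed.get("version") and record.get("version")
                and observed["version"] != record["version"]):
            drift[host] = (record["version"], observed["version"])
    return GapReport(unknown, ghost, incomplete, drift)


def managed_fraction(report, discovered):
    """Share of discovered hosts the CMDB describes completely and accurately.

    This is the "measure" in "you can't manage what you can't measure":
    a host counts only if it is known, fully described, and not drifted.
    """
    bad = set(report.unknown) | set(report.incomplete) | set(report.drift)
    return (len(discovered) - len(bad & set(discovered))) / len(discovered)


if __name__ == "__main__":
    report = reconcile(DISCOVERED, CMDB)
    print("Unknown to CMDB:   ", report.unknown)
    print("Ghost records:     ", report.ghost)
    print("Incomplete records:", report.incomplete)
    print("Version drift:     ", report.drift)
    print("Managed fraction:  ", managed_fraction(report, DISCOVERED))
```

On this sample the CMDB fully accounts for one of the four hosts the scan found; the other three are either missing, half-described, or out of date, which is the peas-on-the-shelf count the column is asking for before any framework can be applied.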

Ultimately, managing assets and configurations depends upon process supported by technology--not technology alone. This is why so many large organizations are adopting an IT governance framework such as ITIL (for IT service management) or COBIT, and ISO 17799 on the security side. These frameworks are based upon repeatable processes, strict controls and measurable results. What a concept!

Here's a more relevant cliché that businesspeople hear throughout their careers: "You can't manage what you can't measure." When it comes to IT risk management, nothing could be more accurate.