
For security’s sake, companies need to fix their asset visibility problems — and fast!

Alastair Dickson, Director at Quod Orbis

Getting a clear view of digitally connected assets — and not just those related to cyber security — has been an ongoing challenge for organisations for as long as they’ve had to manage those assets. Such assets include not only computers, phones, applications, IoT devices and so on, but also, of course, the people who use them.

Now made more complex by the rise in flexible working and WFH (working from home) and rapidly expanding attack surfaces, this is an issue that continues to challenge security and IT teams. But now it’s also coming under the gaze of CIOs and other senior business leaders. And frankly, when those at the top table focus on the potential consequences of poor asset visibility and asset management they become extremely frustrated with the ongoing challenges.

There are two reasons for this. Firstly, should a CIO get wind of the extent of the asset visibility problem, there’s the stark realisation of immediate security vulnerability and exposure to severe financial penalties. And while CIOs tend not to be involved in asset visibility detail, they are quick to see the big picture and understand where the buck stops. Secondly, CIOs are increasingly seeing that this absence of an accurate, up-to-date asset inventory will delay or block the deployment of advanced security technologies and the achievement of improved maturity of security posture.

On top of this, we’ve seen that CISOs sometimes take a ‘hands-off’ approach to any assets that don’t fall under their security-related remit — and, of course, there are plenty of such assets within the enterprise! Tactically, and strategically, it can add up to something of a mess.

CISOs and CIOs need confidence in asset visibility and management

Effective asset management is critical because if you don’t have the confidence you can see everything (that is, all of your assets and potential attack surfaces), how can you have the confidence that your cyber tools are providing your organisation with the protection they should be?

To be clear, this is not a cyber issue alone. However, the negative impact of poor asset visibility to the cyber team can be huge.

From a cyber perspective, having a rogue asset, or assets that are not managed, can often mean the difference between your cyber investments keeping you safe, passing compliance and accurately managing risk, or failing in all of these areas.

Without an accurate (and ideally real-time) asset inventory an organisation doesn’t have the solid base understanding of its IT environment that is needed to keep it secure within its designed cyber standards.

Benefits of asset visibility and effective asset management extend beyond security

It’s not only about the threat perspective. The benefits of effective asset visibility are extensive and can include:

  • Improved efficiency by understanding technology utilisation and coverage
  • A first step to the ideal state of 24/7, real-time CCM (Continuous Controls Monitoring)
  • Reduced exposure to cyber risk, and more easily reduced or mitigated risks
  • Eased burden of Audit and Compliance, through being confident that you have complete coverage
  • Reduced operational costs, as teams don’t need to be constantly looking for missing assets
  • Increased ROI of all technology investments — know what you’ve got and you can ensure that all assets are necessary and working to meet your goals

In short, best-practice asset management means: You can see it, you can manage it, and you can protect it — while also protecting its owner or user.

The reasons why organisations are struggling with asset visibility

There are several reasons behind the asset visibility challenge but the main ones are the complexity of the modern working environment and the sheer number of assets in use (often multiple assets per user). Scratch the surface and many questions and unknowns emerge. What hardware do those assets sit on? Who owns what? What controls should exist on each to ensure the organisation is able to maintain its cyber posture?

Add into the mix relatively ineffective CMDBs (Configuration Management Databases) and you have a complex combination of issues which essentially means that cyber teams have limited confidence in the assets they need to manage.

The bigger issue, explored a little later, is that without a base level of knowledge of your assets, rolling out any other kind of technology will not be as effective as it could be if it cannot be deployed on everything that it should be.

Traditional CMDBs are and should remain a key component of managing assets, but unfortunately they often rely on manual processes to keep them updated. As such, on their own they are not reliable enough to assure the cyber team that they provide the accuracy needed as a basis for controls, risk and compliance.

The key to success: a live asset repository

These ongoing challenges are forcing businesses to address the way they manage their assets.

Key to success will be a live asset repository capable of evolving with the constant change that is now prevalent in business.

The solution needs to have multiple touchpoints feeding into it, and to have the capacity to self-correlate — thereby automating the process of asset visibility and management.

It needs to be intelligent so that it knows what should or should not be on an asset at any time to be able to accurately reflect its status in the wider tool set. For example, if a user is signed off for a few months, you would not expect their asset to be active or receive updates and patches. So, this should be factored in when assessing how patched your systems are. Only by correlating HR (Human Resources) data with AD (Active Directory) data and IAM (Identity and Access Management) data can this be automated and kept accurate, live and intelligent.
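The correlation described above, sketched as an added example (not Quod Orbis code and not part of the original article): several feeds are merged into one entity per host, coverage gaps are listed, and patch compliance is recalculated with HR leave status factored in. The feed and field names, hostnames, the fixed date and the 14-day activity threshold are assumptions, and all sample data is constructed.

```python
from datetime import date

# Constructed sample feeds; every name and value below is hypothetical.
TODAY = date(2024, 6, 1)
CMDB = [{"host": "LT-001", "owner": "asmith"}, {"host": "lt-002", "owner": "bjones"},
        {"host": "LT-003", "owner": "cwu"}]
AD = [{"host": "lt-001.corp.example", "last_logon": date(2024, 5, 30)},
      {"host": "LT-002", "last_logon": date(2024, 2, 10)},
      {"host": "LT-003", "last_logon": date(2024, 5, 29)},
      {"host": "LT-004", "last_logon": date(2024, 5, 31)}]
EDR = [{"host": "LT-001", "patched": True}, {"host": "LT-002", "patched": False},
       {"host": "LT-003", "patched": False}]
HR = {"asmith": "active", "bjones": "on_leave", "cwu": "on_leave"}

def norm(host):
    """Normalise hostnames so the same machine matches across feeds."""
    return host.split(".")[0].upper()

def correlate(**feeds):
    """Merge per-source records into one entity per host, tracking which feeds saw it."""
    entities = {}
    for source, records in feeds.items():
        for rec in records:
            ent = entities.setdefault(norm(rec["host"]), {"sources": set()})
            ent["sources"].add(source)
            ent.update({k: v for k, v in rec.items() if k != "host"})
    return entities

def coverage_gaps(entities, required):
    """Hosts seen by at least one feed but missing from a required one."""
    return {h: sorted(required - e["sources"])
            for h, e in entities.items() if required - e["sources"]}

def pct(part, whole):
    return round(100 * part / whole) if whole else 0

def patch_report(entities, hr, active_days=14):
    """Patch compliance before and after factoring in owners HR lists as on leave."""
    report = {"in_scope": [], "dormant": [], "active_while_on_leave": []}
    for host, e in sorted(entities.items()):
        if "patched" not in e:
            continue  # no patch data at all: surfaced by coverage_gaps instead
        on_leave = hr.get(e.get("owner")) == "on_leave"
        recent = "last_logon" in e and (TODAY - e["last_logon"]).days <= active_days
        if on_leave and recent:
            report["active_while_on_leave"].append(host)  # should be idle, is not
        report["dormant" if on_leave and not recent else "in_scope"].append(host)
    rows = [e["patched"] for e in entities.values() if "patched" in e]
    scoped = [entities[h]["patched"] for h in report["in_scope"]]
    report["raw_pct"] = pct(sum(rows), len(rows))
    report["adjusted_pct"] = pct(sum(scoped), len(scoped))
    return report
```

An asset whose owner is on leave but which has logged on recently stays in the compliance scope and is listed separately, since that activity is not expected.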

In short, it means IT — and IT systems and processes — being connected to the business in the closest possible way, which in the digital age makes perfect sense!

Removing manual work and automating the whole asset visibility and management process also has many benefits. Not only does it make your asset repository more accurate, it also saves operational costs by not having to manually update systems.

Clearing the roadblocks to improved security maturity

Many organisations ask themselves: “Are we too big, or too complex, or just too immature to properly manage our assets?” It will surprise no-one when I say that CCM (Continuous Controls Monitoring) is the ultimate solution to these questions and the most logical and sustainable answer to the asset visibility and management challenge.

For an organisation that is already in control of asset management, CCM shouldn’t be seen as a big step. But surprisingly few organisations are at this point on the journey to their ideal state — and many are simply unsure which way to turn.

When discussing CCM’s many benefits with interested organisations, one of the first challenges we often get posed is this: “What’s the point of knowing in real-time how our business is performing against our cyber and risk posture if we are not confident that the assets and controls data going in is accurate?”

Similarly, an excited and positive discussion with an organisation about how they can benefit from CCM is often dampened by an admission from their CTO or CISO along the lines of: “Actually, we don’t have an up-to-date and accurate assets inventory…. and, umm, I’m not sure when we will have one.”

This can lead to the organisation feeling that they will have to:

  1. Live with their existing immature approach to asset management, and
  2. Accept indefinitely that this will be a barrier to their progress to a more mature state of IT and security controls across their organisation.

Both 1 and 2, of course, will impact the organisation’s cyber KRIs, Compliance, Audits and Risk management, but what can be done?

Thankfully, a rapid, largely automated solution to the asset management problem is at hand for medium-sized and large organisations that are struggling and can see no end in sight.

Seeing everything — your 100% accurate and intelligent live asset repository, made possible by Quod Orbis CCM

Connecting to multiple pieces of technology — from cyber tooling to HR and business process tools — Quod Orbis CCM sees all of the assets on a client organisation’s network, and then records them in real time.

This first step towards a full-fledged CCM managed platform will also highlight any gaps in coverage you might have with regard to assets and controls. In this respect it does the same job as a CAASM (Cyber Asset Attack Surface Management) solution — and much more besides.

It will tell you what software is installed on each asset and if it’s patched correctly. And as an intelligent solution, it will know what should be on each asset and when.

It automatically correlates multiple pieces of data and technology and presents the comprehensive findings back to you in the form of ‘Entities’ — a 100% accurate and intelligent live asset repository.

In short, you get asset identification and you gain the full visibility of assets and coverage that your business needs.

Once this live asset repository is in place, it’s a relatively small further step for us to map your organisation’s controls for continuous monitoring should you so wish. You’ll then have the assurance that you are seeing everything required and that 100% of the data and assets are being monitored 24/7 and aligned to any in-house or public compliance requirements or regulations.

But most importantly, with this first easy step towards CCM, you’ll be secure in the knowledge that your assets have been quickly and accurately brought under your control.

Read more about Quod Orbis Asset Visibility and Management on our dedicated web page. Or call me, Alastair Dickson at Quod Orbis on 07939 286 006 and I’ll be delighted to answer any questions and to demo the solution for you.
