Understanding your assets is the starting point to securing them – Quod Orbis | Continuous Controls Monitoring

Understanding your assets is the starting point to securing them

February 26, 2021

“Asset visibility” is a recognised core concept in Information Security and there are few factors which are more important today than knowing exactly what you have in your estate. Assets can be anything from physical devices also known as hardware, buildings or other infrastructure and non-tangible resources for example cloud resources, and data. Gaining asset visibility is the cardinal starting point for rolling out any cybersecurity programme assuming of course that the aim is to implement the programme successfully. Of course, I cannot refer to people (once upon a time, but hopefully never again referred to as “wetware” or “meatware”) as assets but it is important that you recognise their contribution and importance in the security of any organisation. Humans are the most essential link in any cybersecurity chain.

  • What assets do we have within our estate?
  • What of these assets do we need?
  • Which of these assets do we own or manage?
  • Which of these assets did/do we pay for?
  • Which of these assets would we rather not have residing in our estate?
  • If we were to rank the assets identified above by order of importance to the organisation, which of them are the most important?


After the answers to these have been obtained following an asset discovery exercise, the following may be the next set of considerations:

  • What are the gaps in our controls?
  • Which cybersecurity controls will aid our goal of ensuring “beyond-adequate” security for our assets?
  • With data being described by some as “the new oil” as a way of highlighting its potential importance, do we as an organisation have the right controls in place to protect the data we own or handle?
  • When factors such as industry verticals or attack types faced by our organisation are considered, which of these identified controls are the most important?
  • What is the best plan for putting the right controls in place to ensure we secure our assets beyond achieving the static, bare minimum, “repeat-manually-every-six-months-or-every-quarter” exercise of ticking boxes?
  • As these controls are being rolled out, how do we measure improvements to our security posture and ongoing cybersecurity strategy? What is the best way to identify existing cybersecurity solutions overlaps, controls overlaps or even persisting, stubborn gaps in our security solutions or controls?
  • Do we manage all the above manually? How limiting – or even detrimental – is the manual approach to managing cybersecurity controls? Does it introduce the risk of mistakes and therefore erroneous and potentially costly decisions missed gaps leading to fines for poor security culture resulting in reputational damage, and so on. Is an automated approach preferable, with all the benefits of speed, reduced errors, repeatability, scheduling, measurability and the possibility to make rapid adjustments to a cybersecurity roadmap as required?


With the increasing types and numbers of devices and applications and the volume, variety and velocity of production of new data and recognising the reality of Bring Your Own Device (BYOD) and working from home options being adopted by an increasing number of companies due to the benefits they provide (cheaper or zero office rent costs, lower company bills, potentially more productive employees, etc.) – it is critical that organisations gain real-time, trustworthy visibility into which controls affect the assets that are in use as part of their estate and where the gaps in their security coverage is.

Knowing which controls you have in place or otherwise in real-time helps you plan for the best way to secure your asset estate. Identifying the controls needed to ensure the security of these assets and, unwittingly or otherwise, to support compliance requirements is a smart approach to security today. The alternative is an absence of visibility into some very vital security measurements.

Organisations can choose to capture, measure and review their organisation’s controls using lists and documentation which they create, share and manage manually. Alternatively organisations can offload the task to an automated system that consumes their controls in real-time if they have any controls in place and provides them with actionable insights into the coverage across all their assets, recommendations for the smartest way to improve your cybersecurity posture over a pre-agreed period as well as making recommendations for managing the current risks using mitigation techniques, among other approaches.

The options are quite clear: you can choose to drive to the market, or you can walk there – but you can’t complain if the person who opts to shop online gets there first and gets the best produce. Visibility, Speed and Relevant recommendations.



Recent Posts

The Top 6 Benefits of Continuous Controls Monitoring

A cacophony of complications has meant that businesses are struggling to implement a security plan that offers the assurance they need that defenses can prevent cyber-attacks Increased regulation, higher customer expectations, investment in emerging technology and expanded risk management have placed potentially detrimental pressure on budgets. Coupled with that is the need to be agile […]

How Continuous Controls Monitoring can support Gartner’s top 7 Cyber Security Trends of 2022?

Gartner identified the Top 7 Cyber Security Trends of 2022 – so how can Continuous Controls Monitoring support these emerging trends?

PCI DSS v4 – The 8 biggest challenges

The Payment Card Industry Data Security Standard (PCI DSS) ensures secure payment card data and encourages global adoption of consistent data security measures. Anyone that is involved in payment card account processing needs to ensure that data is stored, processed and transmitted securely. Our Infographic focuses on the 8 biggest changes that you will need […]

PCI DSS v4.0 is coming: how to meet its continuous compliance challenges

If your organisation accepts card payments—think Visa, Mastercard, American Express and so on—then you’ll know it has to comply with the Payment Card Industry Security Standards Council’s PCI Data Security Standard version 3.2.1 (PCI DSS v3.2.1). No ifs. No buts. If your organisation accepts card payments, then compliance is a requirement. And of course so […]

A variety of legacy Systems are an open door to Cyber criminals

It’s true to say that that with the exception of new start-up’s, most businesses have legacy systems to manage. This can be for a multitude of reasons: Firstly, these may be systems inherited and are thus considered, rightly or wrongly, too low risk and therefore not imperative to upgrade; couple that with the cost to […]

Does your data help you thrive or survive?

Our networks are rich with data and the explosion that has occurred, particularly before, during and after covid, has caused severe consequences in many businesses as IT teams struggle to move, store, analyse and protect a business’s prized asset. An IDC report in 2018, predicted that the global data sphere would grow to 163 zettabytes […]

INFERIOR BY DESIGN: THIS IS HOW YOUR GRC PLATFORM IS FAILING YOUR ORGANISATION

What keeps GRC professionals like you awake at night? If you’re anything like most of the other GRC professionals to whom we regularly speak, it’s a question with a very simple answer: the inadequacies of your organisation’s GRC platform. Which matters, a lot. Because to the modern organisation, solid capabilities in governance, risk management, and […]