Understanding your assets is the starting point to securing them

“Asset visibility” is a recognised core concept in Information Security and there are few factors which are more important today than knowing exactly what you have in your estate. Assets can be anything from physical devices also known as hardware, buildings or other infrastructure and non-tangible resources for example cloud resources, and data. Gaining asset visibility is the cardinal starting point for rolling out any cybersecurity programme assuming of course that the aim is to implement the programme successfully. Of course, I cannot refer to people (once upon a time, but hopefully never again referred to as “wetware” or “meatware”) as assets but it is important that you recognise their contribution and importance in the security of any organisation. Humans are the most essential link in any cybersecurity chain.

  • What assets do we have within our estate?
  • What of these assets do we need?
  • Which of these assets do we own or manage?
  • Which of these assets did/do we pay for?
  • Which of these assets would we rather not have residing in our estate?
  • If we were to rank the assets identified above by order of importance to the organisation, which of them are the most important?


After the answers to these have been obtained following an asset discovery exercise, the following may be the next set of considerations:

  • What are the gaps in our controls?
  • Which cybersecurity controls will aid our goal of ensuring “beyond-adequate” security for our assets?
  • With data being described by some as “the new oil” as a way of highlighting its potential importance, do we as an organisation have the right controls in place to protect the data we own or handle?
  • When factors such as industry verticals or attack types faced by our organisation are considered, which of these identified controls are the most important?
  • What is the best plan for putting the right controls in place to ensure we secure our assets beyond achieving the static, bare minimum, “repeat-manually-every-six-months-or-every-quarter” exercise of ticking boxes?
  • As these controls are being rolled out, how do we measure improvements to our security posture and ongoing cybersecurity strategy? What is the best way to identify existing cybersecurity solutions overlaps, controls overlaps or even persisting, stubborn gaps in our security solutions or controls?
  • Do we manage all the above manually? How limiting – or even detrimental – is the manual approach to managing cybersecurity controls? Does it introduce the risk of mistakes and therefore erroneous and potentially costly decisions missed gaps leading to fines for poor security culture resulting in reputational damage, and so on. Is an automated approach preferable, with all the benefits of speed, reduced errors, repeatability, scheduling, measurability and the possibility to make rapid adjustments to a cybersecurity roadmap as required?


With the increasing types and numbers of devices and applications and the volume, variety and velocity of production of new data and recognising the reality of Bring Your Own Device (BYOD) and working from home options being adopted by an increasing number of companies due to the benefits they provide (cheaper or zero office rent costs, lower company bills, potentially more productive employees, etc.) – it is critical that organisations gain real-time, trustworthy visibility into which controls affect the assets that are in use as part of their estate and where the gaps in their security coverage is.

Knowing which controls you have in place or otherwise in real-time helps you plan for the best way to secure your asset estate. Identifying the controls needed to ensure the security of these assets and, unwittingly or otherwise, to support compliance requirements is a smart approach to security today. The alternative is an absence of visibility into some very vital security measurements.

Organisations can choose to capture, measure and review their organisation’s controls using lists and documentation which they create, share and manage manually. Alternatively organisations can offload the task to an automated system that consumes their controls in real-time if they have any controls in place and provides them with actionable insights into the coverage across all their assets, recommendations for the smartest way to improve your cybersecurity posture over a pre-agreed period as well as making recommendations for managing the current risks using mitigation techniques, among other approaches.

The options are quite clear: you can choose to drive to the market, or you can walk there – but you can’t complain if the person who opts to shop online gets there first and gets the best produce. Visibility, Speed and Relevant recommendations.



Recent Posts

PCI DSS v4.0 is coming: how to meet its continuous compliance challenges

If your organisation accepts card payments—think Visa, Mastercard, American Express and so on—then you’ll know it has to comply with the Payment Card Industry Security Standards Council’s PCI Data Security Standard version 3.2.1 (PCI DSS v3.2.1). No ifs. No buts. If your organisation accepts card payments, then compliance is a requirement. And of course so […]

Alert fatigue: missed cyber threats, staff retention issues and, ultimately, business crisis

The ever-growing number of cyber alerts and resultant ‘alert fatigue’ is creating a vicious cycle that can turn into crisis situations for business leaders. But, before we look at evidence of the scale and severity of alert fatigue—and the attendant high cost for businesses—here’s the true and salutary story of Jake. It demonstrates just how […]

Continuous Controls Monitoring: offering a unified approach to the 3 lines of defence.

In your organisation, who is responsible for cyber risk? As organisations grow the answer to this question becomes less clear. In smaller organisations a single person inevitably looks after security and as decisions are mainly based upon perceived risk then they also manage cyber risk. But as organisations grow these roles get split. Naturally the […]

Protecting against supply chain attacks: how Continuous Controls Monitoring can provide assurance

Increasingly, businesses have two supply chains. There’s the familiar physical supply chain, along which physical goods flow—and then, in parallel, there’s an information supply chain, along which data flows. But not always just data. Because connecting a business’s IT systems to those of its customers and suppliers can expose the business to threats, as well. […]

Continuous Control Monitoring: putting audit back in control

For internal audit functions, a worrying circularity occurs when auditing IT controls. And it’s this: to obtain the data that the audit function needs to check, it is necessary for them to go to a plethora of different business functions and request it. In other words, the controls being audited, are owned by the very same […]