
Organizations Face Looming Cybersecurity Threats Due to Inadequate IT Asset Oversight


IT asset management (ITAM) utilizes financial, contractual, and inventory information to monitor and make strategic decisions regarding IT assets. Its primary goal is to ensure efficient and effective utilization of IT resources. By reducing the number of assets in use and extending their lifespan, ITAM helps to avoid expensive upgrades. Understanding the total cost of ownership and improving asset utilization are integral aspects of ITAM.(1) Walt Szablowski, Founder and Executive Chairman of Eracent, which has provided complete visibility into its large enterprise clients’ networks for over two decades, advises, “ITAM is not a one-and-done; it is a continuous process that requires regular evaluation and adjustment to align with evolving business needs. It plays a crucial role in the broader cybersecurity strategy and should be seamlessly integrated into an organization’s IT service management processes and risk management framework.”


IT assets include hardware and software, such as operating systems, computers, and servers. Assets can be “tangible” (devices) or “intangible” (software). IT asset management involves identifying, tracking, and maintaining individual assets through regular updates, resolving functionality issues, providing subscription renewal reminders, and ensuring that IT assets are replaced or upgraded when they become obsolete and unable to receive security updates.(2)

Managing IT software and hardware includes identifying and managing cyber vulnerabilities. Every asset carries some security exposure, so managing cyber threats is essential. A newer way of identifying open-source vulnerabilities in purchased software is the Software Bill of Materials (SBOM), which is now part of the documentation supplied by software publishers.

A Software Bill of Materials (SBOM) is a comprehensive inventory of the components, libraries, and modules needed to construct a particular software and their respective supply chain relationships. Studies reveal that 37% of installed software goes unused. Removing unused software and hardware decreases vulnerabilities and prevents unnecessary expenditures. By reducing the attack surface, the overall security exposure is minimized.(3)

ITAM extends beyond asset inventory by leveraging captured data to increase business value. It reduces cost, eliminates waste, and improves efficiency by avoiding unnecessary asset acquisitions and optimizing current resources. ITAM enables faster and more precise migrations, upgrades, and changes, enhancing organizational agility.(4)

Open-source software (OSS) is widely used in modern application development. However, the 2023 Open Source Security and Risk Analysis (OSSRA) report, which examines the vulnerabilities and license conflicts found in roughly 1,700 codebases across 17 industries, reveals significant operational hazards. A concerning number of codebases contain dormant OSS components that have not received updates or development activity for at least two years. This indicates a lack of maintenance and leaves the software at risk. The report shows that a high percentage, 88% to 91%, of codebases are outdated, contain inactive components, or have received no recent development activity.(5)


Open-source software is subject to copyright laws, and using it in an application requires organizations to adhere to the associated license terms. To ensure compliance, many businesses have dedicated legal resources or staff knowledgeable in open-source matters. Using open-source software without complying with the license requirements can lead to legal infringements and liabilities. With open source comprising approximately 80% of modern applications, organizations must be careful about how open-source software is used. Copyright owners, as well as nonprofit organizations that support the open-source software movement, can actively pursue legal action against violations, which can cause financial and reputational damage.(6)

Open-source licenses come in two main types: permissive and copyleft. Permissive licenses require attribution to the original developer with minimal additional requirements, while copyleft licenses, like the GNU General Public License (GPL), promote code sharing but carry risks for commercial software. Organizations rely on SBOMs to navigate complex software supply chains, identify weaknesses, track open-source usage, and ensure license compliance. Recording each component's license in the SBOM helps organizations maintain a comprehensive inventory, reduce legal liabilities, and promote transparency, trust, and compliance within software supply chains. Failure to comply with open-source licenses can result in legal disputes and loss of intellectual property rights.(7)
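As an added illustration (not Eracent's product and not code from the article), the following Python script reads a constructed CycloneDX-style SBOM, classifies each component's SPDX license identifier as permissive or copyleft, and flags components with no release activity for two years, the dormancy threshold the OSSRA report uses. The `lastRelease` property, the package names and the dates are assumptions made for this example.

```python
import json
from datetime import date

# Constructed sample SBOM in CycloneDX JSON layout. The "lastRelease" property
# is an assumption for this example: real SBOMs rarely record release dates,
# so in practice that data would be joined in from a package registry.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "properties": [{"name": "lastRelease", "value": "2023-05-22"}]},
        {"name": "readline-wrapper", "version": "1.0.4",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}],
         "properties": [{"name": "lastRelease", "value": "2019-11-02"}]},
        {"name": "legacy-xml", "version": "0.9",
         "licenses": [],  # no license declared: a compliance gap in itself
         "properties": [{"name": "lastRelease", "value": "2020-01-15"}]},
    ],
})

# SPDX identifier prefixes for the GPL family (strong copyleft) plus LGPL
# (weak copyleft). Anything else with a declared license is treated as permissive.
COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-")


def license_class(spdx_ids):
    """Classify a component's declared licenses: copyleft, permissive or unknown."""
    if not spdx_ids:
        return "unknown"
    if any(i.startswith(COPYLEFT_PREFIXES) for i in spdx_ids):
        return "copyleft"
    return "permissive"


def review_sbom(sbom_json, today, max_age_days=730):
    """Return one finding per component with its license class and dormancy flag."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        ids = [entry.get("license", {}).get("id") for entry in comp.get("licenses", [])]
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        last = date.fromisoformat(props["lastRelease"]) if "lastRelease" in props else None
        # Missing release data is treated as dormant: unknown maintenance is a risk too.
        dormant = last is None or (today - last).days > max_age_days
        findings.append({"name": comp["name"], "version": comp.get("version"),
                         "license_class": license_class([i for i in ids if i]),
                         "dormant": dormant})
    return findings


def needs_action(findings):
    """Names of components that are dormant, copyleft-licensed or unlicensed."""
    return sorted(f["name"] for f in findings
                  if f["dormant"] or f["license_class"] != "permissive")
```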

Open-source software has made supply chains more complex and less transparent, increasing the potential for cyberattacks. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced software supply chain attacks. It is important to maintain visibility into open-source software usage and promptly address any identified areas of vulnerability.(8) Software asset management teams should be part of and contributors to their cybersecurity teams. By breaking down these two silos, they become a cohesive risk management team. And when purchasing software or contracting someone to build it, they must secure an SBOM, which is a vital component of risk management and reduction.

Lifecycle management tracks every aspect of asset and license ownership, from acquisition to disposal. IT Service Management (ITSM) tools, configuration management databases (CMDBs), and software asset management (SAM) tools are not sufficient for comprehensive lifecycle management. These solutions lack the necessary detail and will result in incomplete ownership summaries, limiting the ability to maximize asset value and minimize costs. To achieve effective lifecycle management, organizations must track all assets and licenses in their IT environment. By maintaining a dedicated repository, they establish a reliable baseline for every asset and license.(9)

Eracent’s ITMC Lifecycle™ provides comprehensive lifecycle asset management for all assets and licenses, providing continuous tracking from planning and acquisition through refresh and disposition. The data captured in ITMC Lifecycle provides a foundation for many activities, including end-user requests, procurement, SAM, hardware lifecycle management, ITSM, network and endpoint security, automated workflows, budgeting, planning, and more. Additionally, the system facilitates tracking, reporting, and automatic alerts for contracts, agreements, and financial transactions.

Szablowski notes, “It’s like the wild west out there, from an IT asset management perspective. There’s a subversive element. The thinking is that if the software came from a source like Microsoft, it must be good to go. But there can be something in there that may be a ticking time bomb from a security standpoint. And if your internal application development team or a vendor that you hired uses the wrong license type, your company will pay a high price. It’s a real Pandora’s Box. But, in this case, you actually have to look under the lid.”

