The increasing number and maliciousness of cybersecurity threats pose undue business risk to both commercial corporations and government agencies, particularly with regard to the protection of proprietary corporate and personal data. In addition, the vulnerability of business outcomes to application or infrastructure malfunction only adds to the complexity of IT risk management. For this reason, IDC finds:
- Compounding the difficulty of rapid resolution to such threats and breakdown is the almost universal inability to understand what constitutes an enterprise's IT "connected" assets and identify the risk impact from unknown or out-of-date software and hardware.
- Compliance for reasonable risk mitigation becomes visibly jeopardized when obsolete IT assets deliver obvious — yet toxic — points of entry for hackers and downtime.
- IT asset management (ITAM) is no longer about efficiency. ITAM is now an imperative for effectiveness within the 3rd Platform. We recommend redefining the role and contribution of asset management for effective IT governance.
IN THIS STUDY
This IDC PeerScape documents five best practices for successful asset management that are used by one highly visible world-class enterprise for the intersecting — yet transformational — demands of IT, security, and procurement. The practices address the emerging criticality of asset management to new 3rd Platform imperatives. Large enterprises are experiencing an acceleration and maliciousness of cyberthreats to confidential business and personal data. The continued surge in the number of obsolete IT assets is jeopardizing both business and technology deliverables that are essential for an enterprise's success in digital transformation. IT asset management is no longer focused on efficiency. ITAM is now essential for effectiveness within the 3rd Platform. The assurance of clean IT asset data to properly assess the vulnerability of existing software and hardware can significantly enhance effectiveness in managing cybersecurity, IT financial management, and business application performance.
Pervasive among large enterprises are the acceleration and maliciousness of cybersecurity threats to confidential business and personal data. These cybersecurity threats pose undue business risk to both commercial corporations and government agencies, particularly with regard to the protection of proprietary data. In addition, the vulnerability of business outcomes to application or infrastructure malfunction only adds to the complexity of IT risk management.
While responsibility for ensuring adequate cyberprotection and application performance most frequently falls to IT operations, all IT and business executives share in the perceived requirement for due diligence. Given the magnitude of recent damage to companies' profit margins, classified data, and intellectual property (e.g., Target, Sony, Home Depot, JPMorgan, and Best Buy), corporate boards and high-level government appointees are now sharing in the accountability.
IT asset management is an operational practice that traditionally has been focused on improving operational cost efficiency through disciplined portfolio, contract, and device management. The value proposition for ITAM has been linked primarily to financial metrics such as reduced expenses, cost recovery, and procurement. However, IDC believes that it is time to rethink the role and contribution of ITAM to overall IT governance. We believe that ITAM is no longer about efficiency; it is driven by the need for effective brokering, integration, and orchestration of the 3rd Platform.
This IDC PeerScape provides actionable guidance in reducing the business risk and increasing the critical knowledge of key applications that are associated with cyberthreats as well as resolving critical application downtime. IDC believes that CIOs and other technology leaders can benefit from having guidance on the practices and experiences of enterprises that have already undertaken some of the challenges of implementing ITAM solutions required by 3rd Platform capabilities.
A particular world-class enterprise prioritized the implementation of an ITAM process and toolset within the context of how attacks are able to approach data assets of large enterprises (see Table 1). The event that triggered this enterprise's ITAM initiative for cybersecurity and application performance purposes occurred in 2012 when hackers had leveraged the Adobe ColdFusion product. The out-of-date versions of ColdFusion provided an entry point into the data structures of multiple enterprises to pull content from Dynamic Link Libraries (DLLs), as implemented in common operating systems (for further details, see IT Security: World-Class Enterprise Eases Cybersecurity Mandates, IDC #251741, October 2014).
The five ITAM practices in the sections that follow are not necessarily obvious or self-evident to those initiating an ITAM effort for purposes of cybersecurity or application performance. However, this world-class enterprise identified these specific practices as critical to its long-term success in combating cyberthreats and application malfunction. Validation of these practices has come in the form of multiple peer investigations by both government agencies and commercial enterprises, which have consistently stated that this worldwide enterprise is at least one to two years ahead of the investigating organizations' own ITAM initiatives. Interest in the solutions that this world-class enterprise implemented to effectively connect ITAM to cybersecurity continues to snowball.
Practice 1: Focus ITAM on the Most Immediate Cybersecurity Threats
Problem: The continued surge in the number of obsolete IT assets creates open doors to cyberattacks, which leverage the high vulnerability of end-of-life (EOL) IT products that have ceased to receive product updates and patches from vendor sources. Compounding the difficulty of rapid resolution to such threats and breakdown is the almost universal inability to understand what constitutes the enterprise's IT "connected" assets and identify the risk impact from unknown or out-of-date software and hardware.