Our most recent members-only webinar looked at the relationship (and growing partnership) between ITAM and infosecurity. Our expert panel consisted of:
- Teri Bobst, Director – ITAM practice, Cask
- Mike Jones, MD, AirTrack
- Steven McQuade, Senior Product Manager, Iron Mountain
- Shankar Viswanathan, Senior Principal Product Manager, ServiceNow
- AJ Witt, Analyst, ITAM Review
Two sides of the same coin
The thrust of the debate centred around the symbiotic relationship between ITAM and IT security. As AJ stated, ITAM and infosecurity share the same goal of keeping IT on the straight and narrow.
Teri rephrased the old adage, “You can’t secure what you’re not managing.” Ultimately, if you don’t know what you have, it makes it very difficult for your IT security organisation to manage your assets and say they are secure. Since knowing what you have is ITAM’s bread and butter, it is clear that IT security needs ITAM.
But what about the other side of this relationship? How does ITAM need IT security?
For Teri, this is about how ITAM can leverage IT security’s status within the organisation: “Sometimes it can be hard for ITAM to gain traction and to get teeth. It’s historically been seen as a cost centre. Forming a good alliance with your IT security team can really help you get the traction you need. So, if you’re asking for funding for software, this becomes much easier when you have the backing of the IT security organisation. It has the ear of the C-suite.”
Mirrored growth for both disciplines
The scale and maturity path of ITAM has also mirrored that of IT security. Both disciplines started with on-prem hardware and software and then moved into cloud, which brings additional complexities for both parties. By looking at enterprise asset management, loT, etc.., the scale for ITAM has mirrored the growing scope of Infosec.
As Mike Jones explained, “Infosec has now started to look much deeper at the entire stack. It needs to understand the context and the versioning for the different hardware and software components and how they interact, especially when it comes to end-of-life vulnerabilities. If you look at it from this high level, infosec is very much like ITAM.”
Don’t just take our word for it
While the relationship is clear, the panel drew on numerous examples where this relationship is being recongnised by others. For example, the highly regarded National Institute of Standards and Technology (NIST) made the following bold statement in 2018: “an ITAM system is vital for IT security”. Likewise, a recent update to the ISO security standard (ISO/IEC 27001) also declared that ITAM is vital to IT security.
Last but by no means least, even the US President agrees. In 2022, Joe Biden came out with Executive Order 14028, which states that all government agencies must have an asset inventory (hardware and software), and more importantly, they must have a software bill of materials. Software vendors have had to up their game and tell people what’s in their software.
As IT security and ITAM continue to grow in importance, their burgeoning relationship will only get stronger.
If you’re an ITAM Forum member, please log in to access the recent ITAM + Infosecurity webinar on-demand.