The other day, I was listening to Bryan Seely deliver a webinar on cyber security. He was relating all kinds of anecdotes throughout his presentation. It was a great combination of information and entertainment – with some good motivational discomfort that made you want to take a look in the company mirror. Definitely check out his webinars if you get the chance.
At one point he was asked what would be the first thing he would do if he was stepping into a position at a new firm and was tasked with shoring up security. He responded, “I would take an inventory.”
Naturally, that piqued my interest, given that I’m in the assets management and supply chain business. The first thing we always do when we step into a new situation with a client is focus on getting our arms around what they have & where they have it. Only then can you move toward whatever their primary goal is (accurate financial reports, streamlined supply chain, etc.).
I hadn’t thought about it nearly as much from a security standpoint. But if you don’t know where your phone, your credit card, or house keys are located – you (I) panic. And my mind can go toward the worst very quickly (as in “I have passwords in there” or “someone can run up my card balance” or “someone could access my home”). Knowing that those items are not where I expect them to be makes me feel less secure until they are found/canceled/locked down.
But what if you don’t know that something is missing? It doesn’t make you any less vulnerable (just less panicked). Not knowing that something is missing is actually a worse situation. Because if that item is found (or taken) by someone with a little less than desirable integrity, they could be using it at your peril for some time – and piling up the damage along the way.
Every asset that an organization owns has value. It wouldn’t have been purchased if there wasn’t a purpose for it to fill. But some assets need much higher visibility than others. Your financial team may define this group based on the purchase value or replacement value of the item. But there are others that are important to include – simply because of the access to your organization that the asset may offer.
For most companies, IT assets are the main members of this “higher visibility” group. Certainly keys, facility access cards, etc. are important to track. But computers/laptops/tablets/phones that can access your network or carry your data are critical. Basically, if the asset can provide access to your building, your people, your products or your data – it should be tracked closely – and accurately.
Most companies have some level of tracking practices in place. These practices were likely defined (at least initially) based on what your organization needed to produce for financial reporting. Unfortunately, those practices may be providing a level of accuracy more closely aligned with your understanding of what you have stored in the garage at home.
It’s also not uncommon for tracking procedures to go without review for some time – even if the business that they were defined for has drastically changed (more staff traveling, more mobile devices in circulation, more remote workers, etc.). Let’s face it, how we do business and interact with our teams and our customers has changed. How we conduct asset inventories doesn’t always keep pace and is typically not very high on a priority list – until something happens.
So where do you start? If you’re unsure of the status of your assets – or like the example earlier – you’re stepping into a new position or are now charged with getting your asset security cleaned up – what do you do?
In my opinion, you need three things: a Baseline, a Process and a Practice.
The Baseline is pretty straightforward, in definition – you take an inventory. In practice, it may be about as much fun as cleaning out that garage at home. And unlike the garage, it may involve multiple locations. But until you know exactly what you have – and where you have it – you can’t know where you may have security vulnerabilities and risks. It’s not fun – but it must be done – and done right.
The Process is how you keep the garage from getting back to the state where you found it. Once you know what you have and have defined the associated security risks, you can create a tracking plan that addresses those security factors as well as the current state of your organization’s structure and how you do business. An effective plan combines the functional processes, the tools, the staff and the expected outcomes to ensure you keep visibility to your assets.
The Practice is putting the Process into action. Anyone who has spent a weekend cleaning out the garage, muttering all kinds of good intentions only to find that a year later, they’re back where they started – did not have a Practice. And a messy garage situation is nothing compared to the problems that could arise if your organization is breached by a missing device. A Practice means having the discipline to ensure that the Process is executed – as defined – so that you maintain visibility to all of your critical assets.
Naturally, I have some strong opinions regarding the tools and solutions that support creating your Baseline, Process and Practice. But if you’d like a second set of eyes on your situation, a better understanding of risk areas – or even help getting started, let’s talk.
Anne Hale is the Director of Client Services here at HL Group, Inc. She manages our client engagements, works with Wes on sales and marketing and should probably spend a little more time organizing her garage.