Without IT asset management, cyber security becomes guesswork

🙏 Begin your IT security journey at the beginning, not in the middle.
Too many organizations jump straight into firefighting—patching vulnerabilities, responding to incidents, and buying new tools—without ever laying the foundation. The foundation is always IT asset management (ITAM). Without it, everything else is largely built on assumptions.

💾 Think about it: you wouldn’t order a backup server without knowing how much or what data you need to protect. And you wouldn’t buy a firewall without knowing what it is supposed to defend, or how much traffic it must be able to handle. The same logic applies to cyber security as a whole—you must start with ITAM, or everything else becomes guesswork.

👀 You cannot protect what you cannot see.
Without updated and reliable ITAM, risk assessments quickly turn into theory detached from reality. Many organizations say they have X critical systems, and that sounds reassuring. The problem is the Y systems they don’t know about—the ones set up by someone years ago, without documentation, still running in the background, and still connected to the network. X represents the assets you know and track, while Y represents the shadow IT: the forgotten, hidden, or undocumented systems that pose just as much risk, if not more.

It is a bit like football: to build a strong team, the coach must know exactly which players are on the field, their positions, and their strengths. Only then can he create a winning strategy. ITAM works the same way—without a complete view of all systems, you cannot build a secure IT environment that functions as a well-organized team.

🌐 Whether the environment is on-premises or in the cloud makes little difference; the challenge is the same.
You must know what you have before you can assess whether it is secure or not.

⚠️ At minimum, every device with an IP address must be accounted for.
But the real goal must be to cover all assets—including OT equipment and sensors that may not have their own IP address yet still impact operations and security. Without this broader view, the inventory remains incomplete and the risk picture distorted.
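As an added illustration that is not part of the original post, the check below reconciles a constructed ITAM inventory against constructed network observations: documented assets are matched by IP address, assets without one (such as an OT sensor) by MAC address, and whatever is observed but unmatched is the undocumented Y the text warns about. All hostnames, addresses and owners are made up.

```python
"""Reconcile an ITAM inventory (what we think we have, "X") against what is
actually observed on the network, to surface the undocumented "Y" assets.
All data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    ip: Optional[str] = None   # OT equipment may have no IP address at all
    mac: Optional[str] = None  # fallback identifier for non-IP assets


# Constructed inventory: the assets the organisation knows and tracks.
INVENTORY = [
    Asset("erp-db01", "finance", ip="10.0.1.10", mac="00:11:22:33:44:01"),
    Asset("fw-edge", "netops", ip="10.0.0.1", mac="00:11:22:33:44:02"),
    Asset("plc-line3", "ot", ip="10.0.9.5", mac="00:11:22:33:44:03"),
    Asset("vibration-sensor-7", "ot", mac="00:11:22:33:44:04"),  # no IP
    Asset("old-print01", "facilities", ip="10.0.2.30", mac="00:11:22:33:44:05"),
]

# Constructed observations, as they might come from ARP tables, DHCP leases
# or an OT discovery tool (the last entry has no IP, only a MAC).
OBSERVED = [
    {"ip": "10.0.1.10", "mac": "00:11:22:33:44:01"},
    {"ip": "10.0.0.1", "mac": "00:11:22:33:44:02"},
    {"ip": "10.0.9.5", "mac": "00:11:22:33:44:03"},
    {"ip": "10.0.3.77", "mac": "00:aa:bb:cc:dd:ee"},  # nobody documented this
    {"ip": None, "mac": "00:11:22:33:44:04"},
]


def reconcile(inventory, observed):
    """Return (unknown, missing, coverage): hosts observed but not in the
    inventory, inventory entries never observed, and the share of
    observations the inventory can explain."""
    by_ip = {a.ip: a for a in inventory if a.ip}
    by_mac = {a.mac.lower(): a for a in inventory if a.mac}
    seen, unknown = set(), []
    for obs in observed:
        asset = by_ip.get(obs.get("ip")) or by_mac.get((obs.get("mac") or "").lower())
        if asset is None:
            unknown.append(obs)       # shadow IT candidate: investigate and document
        else:
            seen.add(asset.name)
    missing = [a for a in inventory if a.name not in seen]  # stale or offline entries
    coverage = (len(observed) - len(unknown)) / len(observed) if observed else 1.0
    return unknown, missing, coverage


if __name__ == "__main__":
    unknown, missing, coverage = reconcile(INVENTORY, OBSERVED)
    print(f"inventory explains {coverage:.0%} of observed hosts")
    print("undocumented:", [o["ip"] or o["mac"] for o in unknown])
    print("never observed:", [a.name for a in missing])
```

The two lists are the actionable output: unknown hosts need an owner and an inventory record before any risk assessment of them is meaningful, and never-observed entries are either offline or stale records that distort the risk picture.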

🔑 Frameworks agree:

  • Norway’s NSM grunnprinsipper call for complete and updated asset overviews.

  • ISO 27001 requires organizations to identify, classify, and manage assets throughout their lifecycle.

  • The CIS framework starts with Inventory and Control of Enterprise Assets as Control 01—the very first step toward building a secure baseline.

🚢 Maritime regulations agree too:

  • IMO 2021 requires cyber risk management to be integrated into the ship’s Safety Management System (SMS). A key part of this is maintaining an up-to-date inventory of all systems and assets as the basis for risk assessment.

  • IACS UR E26 (mandatory for newbuilds contracted from July 2024) demands a complete inventory of hardware and software, along with network diagrams and lifecycle documentation, to ensure cyber resilience of ships.

The message is clear: without ITAM, cyber security is reactive and based on assumptions. With ITAM, zero trust becomes possible, measurable, and sustainable.