To keep an organisation safe, security leaders need to be aware of what they’re securing. However, that can be a challenge for smaller companies without a robust security (or even IT) department. As an organisation grows, it can be daunting to ensure everything is accounted for, much less secure it.

This can result in an organisation that doesn’t properly keep track of its data and assets which is a risky position to be in. It can result in hidden, lost, and potentially exposed data, ultimately putting your organisation at risk. This problem is only likely to worsen as organisations continue to expand their digital and cloud-based footprint. The cloud computing market is expected to hit $1.6T by 2030, a significant increase from 2021’s value of $380B. Over 50% of that market value is driven by SaaS companies.

As a security leader, it’s important to balance security and productivity — limiting growth or minimising endpoints, cloud-based servers, and devices isn’t an option. Instead, CISOs need to prioritise data visibility and asset management as a key first step towards organisational cyber resilience to reduce their risk of a compromise or accident causing reputational or financial harm.

The risk of improper asset management

As organisations grow, so does their environment. Every device, employee, application, service, vendor, and location adds to a company’s potential attack surface and malicious actors know this. Not having the right tools or processes to account for this swell in assets can snowball in risk.

This can result in:

#1. Accidental data exposure

The advent of cloud-based infrastructure has helped streamline organisations’ processes and ability to scale quickly but it has also created a new risk vector. Countless exposures often happen as a result of unsecured servers. Databases may be publicly exposed or placed on a site that’s thought to be secure when it’s actually indexed and searchable by Google.

This isn’t hypothetical — it happened to Microsoft in 2021. Over 250M customer records were accidentally exposed after being placed on a database that had no password protection in place, meaning anyone could have found the information and stolen dozens of personal details for millions of people. These kinds of incidents happen constantly — CVS exposed over 1B records in much the same way and smaller companies may not have the benefit of security researchers checking to see if any data has leaked.

If left exposed too long, it can result in worse consequences.

#2. Data breaches and cyber attacks

Not having track of all applications and devices can also result in improper vulnerability management. Software, apps, and devices often require consistent updates to fix discovered vulnerabilities and ensure hackers can’t exploit vulnerabilities, compromising an organisation. But what happens if an organisation doesn’t know that a third-party application is connected to their network? If systems or applications are left in an outdated state, they’re vulnerable to known exploits, making them a prime opportunity for attackers.

Nefarious actors and malicious hackers know that asset management is a challenge for many organisations and base their attacks and methods on this security gap. Against CVEs, zero-day vulnerabilities like Log4J, it can lead to ransomware, APT attacks, and data breaches.

#3. Compliance issues

With the advent of Europe’s GDPR and the broad-reaching CCPA, companies are under pressure to ensure their customer data is kept private, secure, and accessible. A key defining quality of both these regulations is the ability for the data subject (or customer) to request to have all the data a company has on them or to have the company delete the data.

If an organisation loses track of the data and can’t delete or present it to the data subject or if the data gets exposed in a data breach, it can result in a costly compliance investigation and regulatory fines. If this happens, the first person that will be asked questions is the CISO.

The challenge of asset management and data visibility

Despite the need to track and manage an organisation’s assets and data, it’s not an easy task. Data security and asset management often falls under the cybersecurity and/or IT department, which may be strapped for resources and budget. The priority of these departments may not necessarily address asset management, leaving the organisation with a significant cybersecurity blind spot.

If this isn’t addressed early on, the problem becomes even more pronounced as the organisation grows. The company will have to account for more employees, more devices, and have a harder time uncovering unauthorised apps and device usage. Over the pandemic, shadow IT increased 59% due to the shift towards remote work.

Over time, the organisation may also cement its habits and behaviors, making it harder for CISOs to address the issue. Other stakeholders and departments may protest implementing new processes and policies for fear of slowing things down. It’s much more effective to prioritise this as soon as possible in an organisation’s lifecycle. Otherwise, it may become too unwieldy.

Having the right resources and tools can also be a challenge for CISOs who are likely flooded with other priorities. Time is already an issue and CISOs may not be able to properly vet all the kinds of tools, potentially onboarding one that doesn’t offer the comprehensive and in-depth scanning and visibility required in a complex environment.

What CISOs can do

To properly address this issue, it’s important that CISOs:

#1. Understand the risk involved

While it’s easy to consider the issue of asset visibility and data management as an IT or cyber risk, it’s much more broader-reaching. Even an accidental exposure can lead to compliance risk and an active attack can result in a loss of business continuity and revenue.

When making the case to the CEO, the executive team, and the board, it’s important for CISOs to frame this issue as a potential risk to the companies across multiple departments.

#2. Develop a cyber resilience roadmap

Data visibility and asset management is crucial for cyber resilience and should be part of an overall cybersecurity plan.

Planning ahead will also help you communicate your priorities and your organisation’s cybersecurity needs to other stakeholders and department heads. This will help you make the case to procure the appropriate resources and budget.

#3. Work with other vendors and partners

Many companies don’t have the resources or employees to build a robust security department and we recommend using other tools and technology to help fill in the gaps. The challenge of having the proper asset visibility is best solved by third-parties who have technology that will scale with your organisation. Coupled with the right processes and policies, these tools can improve your organisation’s security posture even as you add more devices, apps, and cloud databases.

By prioritising asset management and data visibility, you can put your organisation in a prime position to address new risks and threats as they come.

To best address data visibility and asset management issues, check out Metomic. Metomic helps CISOs accurately identify, map and control sensitive data across all of their SaaS apps, so you know precisely where it is, when it was uploaded, and who has access to it.