Who Would Win a Race Between Oprah Winfrey, Santa Claus, the Easter Bunny, and a CISO with Great Asset Management?
That’s an easy one: Oprah would win. The rest are fictional characters.
I wish I could take credit for that, but it’s something that someone said to me after I gave them a demo during RSA this year. I can’t remember who said it, so if it was you, please let me know so I can give you the credit you deserve!
On its own, it’s a pretty funny joke, but I think the best part is the fact that it highlights something that is taken as a fact of life: asset management will always be a nightmare.
In speaking with hundreds of information security professionals, I can only think of two times when someone said that knowing which assets they were responsible for and making sure they all adhere to their security policy wasn’t an issue. And in both cases, when pressed, they said something like “oh, it’s a problem, sure. It’s just number 523 on my priority list.”
A few examples of my favorite tweets on the subject:
What We Can Learn About Asset Management from an 1850s Watchmaker
One of my favorite documentary series ever is Steven Johnson’s “How We Got To Now”, a PBS show that examines innovations like refrigeration, water purification, and timekeeping. One of the best episodes revolved around Aaron Lufkin Dennison and showed how a change in thinking led to far-reaching innovations.
As a teenager in Freeport Maine, Dennison worked at his father’s cobbler shop. In those days, each pair of shoes was crafted individually, and he noticed his father cutting individual soles for each new pair. That’s just how it was done. Until Dennison had a thought: why not cut the leather for popular shoe sizes all at the same time? Same action, same cut, just batch the material and do it in bulk?
This made the shop vastly more efficient, and in hindsight, we think: it’s so obvious. How is it possible that no one thought to do it that way?
Dennison had the same impact on watchmaking. In the 1800s, watches were only for aristocrats: each watch was meticulously built with many tiny, handcrafted parts. It was a given that they had to be made that way.
Until Dennison noticed that an armory in Springfield Massachusetts made guns much more efficiently by using interchangeable parts. He then applied the same process to watchmaking and was able to create the first production line for mass-produced watches.
The cost of each watch dropped to $13, and hundreds of thousands of these were sold during the Civil War. For the first time, soldiers and farmers could now afford their own pocket watch and precision time-keeping changed nearly everything we do today.
How does this relate to asset management? If you look at all of the different systems that know about devices, cloud instances, and users, you’ll see that all of the information is there….it’s just fragmented in many different silos. The problem isn’t that we don’t have enough information about everything we’re responsible for securing. The problem is that that information isn’t easily accessible and we can’t make sense of it.
If we could just collect and correlate all of that information, we could then know any time a new asset appears, we could see every asset that isn’t matching our security policy, and then we could act on what we learn by using the same solutions to do things like install software, block, scan, etc. It’s as simple as:
- Connect to the solutions that know about assets to get the data.
- Correlate the data and understand how everything fits the policy.
- Use those same systems to perform actions when something doesn’t meet the policy.
I think Patrick Heim put it best during the RSA Innovation Sandbox:
“I’ve lived the pain of never having a straight answer around assets. We never know how many servers there are, virtual machines, and endpoint devices, and we don’t know what’s covered by what scope-wise.
It’s one of these fundamental problems in security that for some reason is really obvious, and many of us have lived with this pain, but nobody’s really solved it. I think Axonius saw this market opportunity and it’s absolutely crazy important to solve.”
Great Asset Management Doesn’t Have to be Fiction
We’re not here to say that if you buy Axonius all of you problems would be solved. They won’t. But we think that our approach can really help those organizations that no longer want to spend time trying to answer basic questions around their assets. Have a look below at our less than 2 minute overview, and if you think it’s interesting, let us know and we can give you a demo.