As first seen in Corporate Compliance Insights, Nlyte’s Chief Marketing Officer, Mark Gaydos, explores why many companies continually find their networks do not meet many compliance mandates and regulations. The simple answer to many non-compliance issues is too many assumptions between IT individuals and the C-Level suite.
Confirmed by the results of a new Technology Asset Management survey, the article is enlightening and alarming, as over 1,500 IT professionals give their honest opinion on the state of today’s largest networks.
Who’s Monitoring IT Assets? “Survey says…”
As organizations digitalize and their compute infrastructures grow, IT resources don’t necessarily flow to the places that need them most. Allocating manpower to ensure IT compliance adherence is one of those resources that often gets neglected. As a result, companies often find themselves guilty of data failures due to weak compliance measures. While being found as “noncompliant” isn’t a crime it does damage public confidence in a company—Equifax is still recovering.
GDPR, HIPAA, PCI, SOX and other mandates are put in place by various agencies as checks-and-balances which provide best-practice guidance. When it comes to IT compliance there are two basic areas: internal compliance for assuring adherence to an organization’s specific rules and regulations; and external compliance which adheres to the government established laws. Then, there are the “in-between” internal and external mandates imposed by organizations such as the Payment Card Industry Data Security Standard (PCI DSS) that provides added security for financial transactions or the voluntary use of the Basel III framework.
Pulling IT staff away from daily tasks to address compliance issues can have its own faults. There is an internal cost associated with shifting IT functions from helpdesk responses and revenue-generating infrastructure upgrades to concentrate on documenting IT processes and procedures. Fact is, there are many other tasks that often take precedence over the daily network scans that ensure the network will make an auditor happy. The belief that compliance issues are a constant focus varies greatly from the C-Suite folks in corner offices to the cable-pulling IT staff keeping the data flowing.
Compliance Assumption Gap
Pulling information together from isolated data sources to provide the required material for audit and compliance reports can be a major obstacle for organizations to contend with. Often these data sources include everything from spreadsheets to post-it-notes, among other 3rd party applications across myriad workgroups.
Who is watching what and how often? The answer to this seemingly simple question can vary greatly depending upon who you ask within a company. A new survey titled, “Technology Asset Management Global Survey: Today’s Challenges of Device Proliferation,” commissioned by Nlyte Software, sheds some light into this question’s answer.
The global survey took a poll of 1,516 technology asset decision-makers within organizations employing 1,000 people or more. Of the respondents, 96% say that hardware and software technology asset control is a top-5 priority for the business—that is no surprise. However, what is a surprise is that almost one third (31%) of those enterprises are still tracking their asset management control manually. When the IT department has limited time to conduct compliance-related tasks, this manual process is daunting and can lead to pushing compliance endeavors further down the calendar page. Thirty-five percent of C-Suite members confirmed that data is captured manually as part of an IT asset management process, but also that it’s known to be quickly out-of-date and prone to human error.
IT assets need to be monitored frequently, but the assumption rate that this occurs varies widely. The Technology Asset Management Global Survey (Survey) found that C-Suite respondents believe assets are being scanned hourly (27%) or daily (35%), yet those at the manager level are less confident (8% and 28%, respectively).
Daily network scans are important because new devices are connected quite often and undetected IT assets are compliance and security risks. When it comes to undetected devices the Survey found:
- 28%/29% of C-Suite/managers believe that 10% of their assets are undetected and unprotected.
- 35%/14% of C-Suite/managers believe that 20% of their assets are undetected and unprotected.
- Only 24% of asset managers believe that 80-100% of their devices had the latest security software and firmware patches.
- 33% of IT devices are infrequently connected to the network, according to asset managers.
Simply put, missed network scanning equates to a greater vulnerability which inevitably leads to compliance issues. This is confirmed by 15% of organizations reporting that somewhere between 80-100% of devices are not proactively managed—which is an open invitation for risk.
Although most IT devices are up to date (on average 67% have the latest security software and firmware patches), less than half (49%) have a solution that scans and validates all devices in order to provide an audit trail for security patch management. In addition, the Survey found that almost half (48%) of devices are not proactively managed at all. Whilst that 67% figure having the latest software and firmware is better than average, it validates that only a third of IT assets controlling such data as personal finance, healthcare, and social security numbers are at risk, outdated, or unmatched.
IT asset scans and recordkeeping cannot be managed manually if organizations wish to be in compliance with imposed mandates and regulations. Even if barcode technology is used, once a section is finished and the auditing employee moves on, somebody could come in right behind and install or remove a device. Achieving IT compliance must be a systematic and automated process that continuously identifies, monitors and audits the full network to achieve and remain adherence.
With data moving to the cloud, into virtual realms and pushed to the edges of the network, the IT infrastructure is far too vast to know what is and—is not—in compliance via glancing at a spreadsheet. Using a technology asset management tool to help simplify the adherence process is a good idea. As the “Survey says,” over 1,500 large organizations believe they are most likely to gain business efficiency (41%), overall cost savings (40%) and data/corporate security (39%) benefits by using a TAM solution.
About the AuthorMore Content by Mark Gaydos