Asset Management: A Route to Resilience

March is National Asset Management Awareness Month—an opportunity for leadership to ask: “What assets do we rely on, and how well are they governed?”

In 2025, 17% of all our risk assessment recommendations were directly or closely adjacent to asset management practices.

We believe comprehensive cybersecurity relies on a people- and processes-first mindset. This month, we’re sharing the top recommendations we’re seeing to help teams kick-start and improve their asset management processes.

GO With the Data Flows

One of the most common recommendations for improving data asset management is to document data flows. It doesn’t need to be fancy. It just needs to work.

The goal is to document your data assets (sensitive, critical, and/or regulated data) in a way that answers:

  • Where are they?
  • How are they handled?
  • What security is in place?
  • Who is using, responsible for, or granting access?
  • When do we lose visibility?

We’ve seen this approached in many ways — including the dreaded scenario where a critical data asset is lost and everyone (especially legal) is brought in to find it, explain what happened, and make sure it never happens again.

Proactive approaches include:

  • IT workgroups with bi-weekly meetings and representation from multiple IT departments. These groups bring in internal customers to map data ingress, transmission, processing, and egress.
  • Middle leadership workshops that build a list of known storage locations and data-handling processes.
  • Leadership-driven surveys starting at the Board or executive level to identify:
    • Known storage locations
    • Known data processes
    • An "other" field for unknown or unlisted items

Once you have a list — even if it has gaps or lives in a text file or disaster recovery plan — you can build on it by adding details such as:

  • Encryption status
  • Applicable regulations (HIPAA, PCI, GLBA)
  • On-premises vs. hosted ownership
  • Criticality level
  • IT service dependencies (email, secure file storage, O365, etc.)

GO Full Circle — Secure from Start to Finish

Understanding the lifecycle of each asset is core to asset management.

Data flows help map lifecycle stages for data assets. Critical infrastructure and hardware assets above a certain dollar value may be captured in your organization’s asset inventory process. However, we consistently see gaps at:

  • Procurement
  • Disposal

Procurement Considerations

Whether you’re procuring technology, services, or data itself, security gaps can open in the earliest steps, such as negotiations, requests for proposals, proofs of concept, and vendor onboarding. Five key considerations:

1. How is your Security team participating?

  • Security engineers can test new technologies
  • Consult IT compliance functions
  • Include security in contract redlining

2. What access will vendors or systems require?

  • Define standard access routes (APIs, secure connections, etc.)
  • Require managerial approval for credentials
  • Include vendor termination notifications in contracts

3. How do we maintain knowledge?

  • Identify when support services must be updated
  • Track assets that fall below inventory thresholds
  • Keep BCP, IR plans, BIAs, and DR plans current

4. Do we practice good OpSec during negotiations?

  • Require potential new vendors to sign NDAs
  • Staff should provide vendors only information required for technology evaluation

5. Are we being strategic with technology?

  • Use security to drive innovation and reduce unmanaged risks
  • Provide IT and Security timely info to support tech strategies

Disposal Considerations

Three common risk precursors appear in disposal-related findings:

1. Improper or unsecured storage of media awaiting disposal

2. Outdated or undocumented disposal procedures

3. Retaining data beyond required timeframes

Keeping unnecessary data increases both operational risk and regulatory exposure.

GO Proactive

Treating asset management as a governance function, not just an IT task, enables proactive risk management.

A major 2025 stand-out recommendation was proactive management of End-of-Life (EOL) and End-of-Support (EOS) systems.

Maintaining EOL/EOS systems:

  • Is costly
  • Is difficult to secure
  • Creates business continuity risk

Being reactive with EOL systems is a “playing with fire” scenario in IT asset management.

Successful methods include:

  • Building EOL planning into new technology projects
  • Establishing quarterly EOL reviews
  • Using penetration testing to demonstrate impact

This requires a shift away from firefighting toward long-term planning. It’s also important to appreciate the required shift in company culture away from reactive methods.

Culture strategies that work:

  • Executive awareness training for boards and finance teams
  • Using technical debt from past projects as examples
  • Elevating EOL risk in quarterly security briefings

This March, Own the Road

Asset management is a gateway to effective risk management.

Organizations that understand and govern their assets are better positioned to:

  • Protect critical data
  • Meet regulatory expectations
  • Recover from disruption
  • Sustain long-term growth

In an environment of increasing regulatory pressure and operational dependence on technology, asset management is no longer just an accounting function. It is fundamental cybersecurity.

About the Author

Daisha leads our Risk Advisory Team and has deep experience in cybersecurity risk advisory, with the last 10 years focused on growing IT compliance and risk management programs. Prior to joining Go Security Pro, Daisha was a Senior Cybersecurity Risk Analyst at QuikTrip Corporation, following her time as the Manager of Oklahoma State University's IT Risk and Compliance Office.

Daisha holds a Certified Information Systems Security Professional (CISSP) certification as well as a Certified Information Systems Auditor (CISA) certification. Daisha has her Bachelor of Arts in English from Oklahoma State University. She has demonstrated her passion for cybersecurity through volunteering security awareness training to local communities supporting non-profits and small businesses.