Flexera logo
Image: Will CFOs Take on ITAM to Keep Credit Ratings Intact?
This post originally appeared on the Snow Software blog. Snow Software has been acquired by Flexera.

IT asset management (ITAM) is now a requirement to achieving a good credit rating.

If you’re a Security Operations, IT or ITAM professional supporting organizations with any debt, this is not just another warning to invest in a healthy ITAM practice. This news, recently communicated in a report from the S&P Global Ratings agency, states that an inadequate ITAM practice can impact an organization’s ability to have solid cybersecurity controls, and as a result, creditworthiness will be impacted. If your organization’s credit scores are impacted, the cost of financing will go up, and the organization’s reputation will be damaged. If you receive a performance bonus or have invested in company stock, the impact can be quite personal.

Over the years, governmental agencies and standards bodies such as the NIST, CISA, ISO 27001/ISO 27002, SOC2, etc. have been promoting the need for ITAM in cybersecurity processes. The noise around managing these standards have been amped up in recent years with the following disruptions:

2020 2021 2022 2023
StateRAMP was created to provide a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments. SolarWinds Hack led to executive order for the NIST to publish cybersecurity guidance.

The Texas Legislature passes bill requiring the establishment of a state risk and authorization management program.
FTC warns organizations to patch the Log4j vulnerability.

The COVID-19 pandemic causes a significant spike in Ransomware cases (>500%).
GoAnywhere vulnerability impacts 130 organizations.

Silicon Valley Bank failure triggers FDIC audits.

S&P Global Ratings agency issues report stating inadequate ITAM can impact credit ratings.

 

Even with all the urgings from federal and state agencies and standards bodies, organizations are still managing IT assets in spreadsheets and with tools that have not evolved to meet today’s complex IT infrastructure and application requirements. These are not mom-and-pop shops managing ITAM processes with bubblegum and toothpicks, but enterprise organizations with 10, 20, or 50 thousand or more employees.

Why has IT asset management been ignored?

There are multiple reasons why ITAM is ignored and not properly funded in organizations. Here are a few of the main reasons:

  • Distributed purchasing and users bypassing procurement controls. The majority of applications purchased today are outside IT. With SaaS, all you need is a credit card and internet connection. Most organizations are suffering from application sprawl and are unaware of dozens or hundreds of applications used across the organization. Many ITAM practices are focused on assets they can physically inspect – installed software – and the resulting issue is that no one is focused on governing ITAM for modern technologies.
  • It’s a part-time job. Gartner estimates that organizations with more than 5,000 employees should have a software asset management team of at least six people. A lot of organizations relegate the ITAM function to managing the IT inventory and helping out with big audits or renewals and only dedicate minimal resources to the function. Because of the collaborative and data-intensive nature of the job, it is nearly impossible to make much progress in a part-time capacity. Especially with cloud infrastructure and SaaS applications, the role has shifted to be much more proactive from a governance perspective.
  • The job is not easy. To be successful, ITAM professionals need a mix of soft skills such as listening, idea selling, cross-functional alignment and relationship building along with technical skills of managing projects, vendor negotiations, and being data driven.
  • Revenue-impacting investments win over keeping data secure. This is the same reason why software companies suffer technical debt – everyone wants to work on the shiny, new thing. ITAM has been around for decades, yet we still see unpatched known vulnerabilities, organizations paying penalties for license compliance, managing IT assets in spreadsheets, and having data leak from their company due to unknown applications in use.  

ITAM’s new partner – the CFO

Even with the challenges above, organizations will need to mature their ITAM practices. Now with credit ratings on the line, the CFO will become more invested in ensuring cybersecurity controls are in place and be open to fund a proper ITAM practice for modern-day technology environments. No CFO wants to disclose material weaknesses of internal controls in their financial statements and risk having the cost of debt go up.

Another reason CFOs may be more focused on ITAM is the bridging of FinOps and ITAM practices to create a robust governance framework and optimization roadmap. This is especially true in organizations with significant IaaS spend and needing to get a handle on software cost of goods sold.

Connect with us to determine how ITAM can improve your cybersecurity posture.