In this final installment of Enterprise Asset Management metrics, we're going to connect these with the business, specifically in terms that the business understands.
Let's recap what we're working with:
- % of active vs inactive systems
- % of managed vs unmanaged systems
- % of known vs rogue devices
Ultimately, we're dealing with a matter of management or control. If we can manage it, we can manage the risk. These metrics all serve the underlying purpose of maximizing management and minimizing risk.
The traditional, and dare I say legacy, approach to procurement is to say something like "We need $1M for a network access control system that also means we're going to have to replace all of our network equipment for compatibility" and then launch into the vendor presentation. The typical executive's eyes are going to go vacant quite quickly!
Instead, try something like this: "How much exposure are you, the business, willing to tolerate from unauthorized devices operating on the network?" Their answer may be a resounding "none", until they hear that there is a $1M price tag for a completely automated system. They'll likely ask for an alternative proposal. So then you can offer a five-day tolerance for $250K. Now there is a clear business decision which can be made.
Assuming they choose the second option, you have a working budget without even needing to explain the tool being used. You might choose to invest in a new asset/patch management tool, a vulnerability management service, and even some training for your staff. What started out as an ask to fix one issue became a win across multiple areas!
In our next post, we're going to discuss Software Asset Management.
Image Source: Adobe Firefly Generative AI