To protect your IT ecosystem, you need to know what's in it, but for a growing number of organizations, that's easier said than done. According to the latest ESG "Security Hygiene and Posture Management" survey, 69% of organizations report falling prey to at least one cyber attack that started with an exploit of an unknown, unmanaged, or poorly managed Internet-facing asset.

It's easy to see why. As companies continue to scale up cloud-native, multi-cloud, and API-first initiatives, the task of identifying and securing an expanding ecosystem of devices, users, cloud workloads, code repositories, and other assets grows ever more complex.
Nearly one-third of organizations in the survey (31%) said they discovered sensitive data in previously unknown locations. Twenty-nine percent uncovered employee login credentials or misconfigured user permissions, while 28% exposed previously unknown SaaS applications.
When vulnerabilities like these result in a ransomware attack, it can cost an average extortion of $792,493, though it can go much higher. It can also endanger lives, critical infrastructure, or even national security. When vulnerabilities lead to a data breach, it costs an average of $8.6 million per incident for US-based companies ($9.23 million in healthcare). And that's before any regulatory fines.
Complete understanding of cyber assets is critical to any organization's efforts to fend off these attacks and an explosive array of other cyber threats. But gaining that kind of visibility has never been so challenging.
Magnifying the Obstacles of Improving Cyber Hygiene
As discussed in part one of this series, today's blistering threat landscape is expanding just as quickly as your cyber asset ecosystem. As a result, any attempt to strengthen your security posture requires a whole new level of visibility into the cyber assets you have, and to whom and what they are connected.
If any cyber asset becomes compromised, it's critical to understand the extent of the potential blast radius to minimize the damage. The average time-to-discovery for a breach is 316 days for organizations with 50% remote work adoption. When exfiltration can start within seconds of compromise, every moment matters.

Of course, you need to know what assets were compromised to contain the attack. Organizations in the ESG study report sustained efforts to collect, process, and analyze data in order to inventory their asset ecosystem. But for nearly one-third (32%), that process requires accessing as many as 10 different asset inventory tools. Nearly half (48%) say it takes more than 89 person-hours to conduct a full security asset inventory. To their credit, more than three-quarters (79%) attempt to complete this arduous task every month or two.
According to respondents, three significant challenges consistently stand in the way.
- Cumbersome Coordination Across Multiple Organizations
Mergers, acquisitions, suppliers, partners, and customers can all extend the cyber asset ecosystem outside the purview of any single group or organization. For 44% of organizations in the study, establishing an inventory of hybrid IT assets across organizations that manage and provision assets is distressingly hard to manage. - Incompatible Tools and Conflicting Data
Forty percent (40%) of study participants say that siloed tools and conflicting data can make it difficult to track and maintain an accurate picture of assets with any level of confidence. - Constantly Changing & Ephemeral Cyber Asset Landscape
Nearly as many (39%) report that the chances of keeping up with several thousand changing assets is vanishingly small. It's also worth noting that one-third of organizations depend on manual processes to do that—making it nearly impossible to scale cyber asset management.
Crossing the CAASM to Safeguard Cyber Assets
Maintaining visibility while hamstrung by siloed systems and manual processes grows less viable as you expand your operational infrastructure. When survey respondents were asked how their organizations could improve cyber asset management, roughly a quarter suggested establishing business-centric KPIs or the ability to analyze risk scores to determine which assets are truly at risk.
This suggests security management programs in these organizations lean on the informal, disorganized, and immature end of the spectrum. However, as a growing number of companies are discovering, the visibility and context required to implement a strong security program require a layered approach that includes cyber asset attack surface management (CAASM), cloud security, endpoint security, application security and more.

Context is key. It's not the cyber assets themselves that truly matter—it's the relationships between them. If a cyber asset is compromised, it's critically important to understand the full scope of the threat, including things like access privileges in an asset's usage chain.
For those unfamiliar with it, CAASM is an emerging technology focused on enabling security teams to solve persistent asset visibility and vulnerability challenges. According to Gartner, solutions leveraging the technology give SecOps complete visibility and centralized inventory control over all assets, both internal and external, through API integrations with existing tools.
Context and A Single Source of Truth Across the Ecosystem
In the article, "CAASM Should Be an Early Security Investment in Every CISO's Playbook" we make the argument that CAASM should be an early security investment. Also, check out ESG's full 2021 Security Hygiene and Posture Management Survey to learn more about key trends impacting vulnerability management.
More about CAASM

CAASM should be an early security investment in every CISO's playbook
December 15, 2021

The Definitive Guide to Cyber Asset Attack Surface Management (CAASM)
December 13, 2021

CAASM is the Future... CSPM is Dead
September 1, 2021