Will CFOs Take on ITAM to Keep Credit Ratings Intact?

IT asset management (ITAM) is now a requirement for achieving a good credit rating.

If you’re a Security Operations, IT or ITAM professional supporting organizations with any debt, this is not just another warning to invest in a healthy ITAM practice. This news, recently communicated in a report from the S&P Global Ratings agency, states that an inadequate ITAM practice can impact an organization’s ability to have solid cybersecurity controls, and as a result, creditworthiness will be impacted. If your organization’s credit scores are impacted, the cost of financing will go up, and the organization’s reputation will be damaged. If you receive a performance bonus or have invested in company stock, the impact can be quite personal.

Over the years, governmental agencies and standards bodies such as the NIST, CISA, ISO 27001/ISO 27002, SOC2, etc. have been promoting the need for ITAM in cybersecurity processes. The noise around managing these standards has been amped up in recent years with the following disruptions:

StateRAMP was created to provide a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.

SolarWinds hack led to an executive order for the NIST to publish cybersecurity guidance.

The Texas Legislature passes bill requiring the establishment of a state risk and authorization management program.
FTC warns organizations to patch the Log4j vulnerability.

The COVID-19 pandemic causes a significant spike in Ransomware cases (>500%).
GoAnywhere vulnerability impacts 130 organizations.

Silicon Valley Bank failure triggers FDIC audits.

S&P Global Ratings agency issues report stating inadequate ITAM can impact credit ratings.

Even with all the urgings from federal and state agencies and standards bodies, organizations are still managing IT assets in spreadsheets and with tools that have not evolved to meet today’s complex IT infrastructure and application requirements. These are not mom-and-pop shops managing ITAM processes with bubblegum and toothpicks, but enterprise organizations with 10, 20, or 50 thousand or more employees.

Why has IT asset management been ignored?

There are multiple reasons why ITAM is ignored and not properly funded in organizations. Here are a few of the main reasons:

ITAM’s new partner – the CFO

Even with the challenges above, organizations will need to mature their ITAM practices. Now with credit ratings on the line, the CFO will become more invested in ensuring cybersecurity controls are in place and be open to funding a proper ITAM practice for modern-day technology environments. No CFO wants to disclose material weaknesses in internal controls in their financial statements and risk having the cost of debt go up.

Another reason CFOs may be more focused on ITAM is the bridging of FinOps and ITAM practices to create a robust governance framework and optimization roadmap. This is especially true in organizations that have significant IaaS spend and need to get a handle on software cost of goods sold.
