Improve Your Disaster Recovery Planning

White Paper
Written By Christina Cravens

How to build an accurate IT asset inventory

Modern IT environments — especially at large organizations — are complex, with many dependencies. This causes significant challenges — and costs — when organizations need to recover from data breaches or other IT outages.

According to IBM’s Cost of a Data Breach Report 2024, more than 75% of the organizations that recovered from a data breach needed more than 100 days to recover. The global average cost of responding to a breach increased 10% from the previous year — primarily due to business disruption and post-breach activities.

Research by Enterprise Strategy Group found that 95% of survey respondents experienced challenges related to fully understanding their organization’s IT asset inventory, and 73% of them have “strong awareness” of less than 80% of all assets.

A complete, up-to-date IT asset inventory is essential for business continuity and disaster recovery, managing risk, complying with regulatory requirements, and supporting digital transformation initiatives. But what’s the best approach to building one?

In this paper, we discuss what an accurate asset inventory looks like, why having an accurate asset inventory is important, and the difficulties organizations face when building an asset inventory. We’ll also compare and contrast the different technologies used in modern asset inventory solutions, including sensors, scanners, and connectors.

What does accurate mean for an asset inventory?

When we talk about the need for an accurate asset inventory, the question that often gets overlooked is: What does “accurate” really mean?

In today’s complex IT landscape, many organizations struggle to simply compile a list of the computers they own. However, an accurate asset inventory is not just about having a list of what you own—it’s about understanding every component that contributes to your business operations.

Includes every asset that contributes to company operations

A truly accurate asset inventory should include every asset that contributes to the delivery of your company’s products and services. This goes beyond just servers, databases, and infrastructure. Operational technology (OT), internet of things (IoT) devices, and other non-computer assets that are plugged into your environment should also be accounted for.

Additionally, external third parties—such as cloud providers and software as a service (SaaS) solutions—play a critical role in your operations and must be included in your asset inventory. These elements are essential for ensuring business continuity and maintaining cybersecurity.

In today’s hybrid environments, it’s not enough to focus on only your cloud or only your on-premises assets. You need to consider the complete ecosystem that supports your business—including all assets across your on-premises, cloud, and container environments. By doing this, you can create an asset inventory that not only meets the basic requirements but also drives actionable insights and improves your organization’s resilience.

Includes dependency information

Your asset inventory needs to be more than just a list of assets. You also need to understand, for each of your assets, which assets they depend on in order to function. Picture a map of all your assets, with lines connecting those that are interdependent. That web of connections is a map showing you the structure of your environment.

One particularly important type of asset to pay attention to in regard to asset dependencies is what we call “shadow middleware.” These are systems that are shared by business units and are often used to communicate and exchange information. Despite their critical role, they are often overlooked by individual business functions because they are shared resources and not owned by the individual functions.

In the event of a major failure, which we’ve seen happen all too often, knowing your asset dependencies is crucial. When systems go down, you need to bring them back up in the correct order. If you miss a dependency, your recovery efforts could fail, even if everything else is done right. In the middle of a crisis is the wrong time to be figuring out how your environment functions.

This is also why a static, one-time asset inventory isn’t enough. Your inventory needs to be continuously updated to reflect the ever-changing landscape of your IT environment. Having an accurate asset inventory helps you improve your incident response plans, business continuity and disaster recovery plans, and risk mitigation plans.

Includes business function alignment

Your asset inventory needs to connect assets with the critical business functions they support. Regulations increasingly require organizations to understand how their critical business functions are supported by their infrastructure. This knowledge is not only good to have but essential for protecting the parts of the organization that are vital to its survival.

When we talk about business functions we’re talking about terminology that everyone in a board of directors meeting would understand. Every organization consists of a collection of business services or functions—these are the core activities that keep the organization running smoothly and generating revenue. Examples of business functions include logistics and shipping, finance, and payroll.

Often, the focus in IT and cybersecurity is narrowly placed on keeping servers running, neglecting the critical business functions they support. Focusing on business functions encourages a shift from IT-centric thinking to a more business-focused perspective, allowing executives to focus on business functions like “logistics and shipping” rather than generic IT groupings like “Windows servers.” This approach ensures that asset management is aligned closely with the organization’s overarching business objectives and priorities.

Sometimes, assets are categorized based on who purchased them or which department pays for their upkeep, which doesn’t necessarily reflect their actual role in supporting business operations. Other times employee surveys are used to determine which assets support which business functions, leading to inaccuracies and omissions. Asset mapping needs to be grounded in data-driven proof, not assumptions.

Using concrete, verifiable data to map assets to business functions eliminates uncertainty. Clear evidence showing the connections between assets and their behavior within the network provides a level of transparency and accuracy that is unmatched by solutions that depend on subjective assessments or outdated data.

Continuously updated

What we’re describing here isn’t a one-time project where you can assign three or four employees to create an asset inventory, then put it in a three-ring binder and put it on the shelf for the day you need it. Generally, Redjack has found that customer environments change by an average of 5-15% a month. You have to continuously update your asset inventory so that it accurately reflects the current state of your organization. To do this, you need an automated asset inventory technology solution that can stay on top of how your business operates.

Why is an accurate asset inventory so important?

You can’t protect what you can’t see & don’t understand

An accurate asset inventory is the foundation of effective cyber resilience. You can’t protect what you can’t see and you can’t patch what you don’t know you own. From an attack surface management perspective, you need to understand what your attack vectors are. From a disaster recovery perspective, you need to have strategies to bring assets back online in the case of a failure or ransomware attack. But you can’t do either if you don’t understand your environment.

Simply having a list of assets isn’t enough—you need to understand which ones are most critical to your business, and what their dependencies are. Knowing which assets are the most important to the continued health of your organization makes all the difference in your protection strategy when you have limited resources to spend.

Required by regulators

Recent regulations, such as the Digital Operational Resilience Act (DORA), emphasize the need to not just have an asset inventory but to maintain a constantly updated, prioritized asset inventory.

However, compliance alone isn’t the goal. Many companies comply with regulations but derive no business benefits from the compliance artifacts they developed in order to do so. On the other hand, companies that treat their asset inventory as a transformative tool, rather than just a regulatory checkbox, can gain significant business benefits, driving both security and operational efficiency.

Foundation for IT, cybersecurity, risk, and compliance use cases

An accurate asset inventory is the backbone of any successful digital transformation initiative, providing the clarity and context needed to drive strategic projects. Whether it’s migrating to the cloud or implementing a zero trust architecture, understanding your assets and how they support your business functions is essential.

Here’s how an asset inventory serves as the foundation for critical IT, cybersecurity, risk, and compliance efforts.

  • Digital Transformation: Most digital transformation projects fail because organizations don’t understand how their infrastructure works. An asset inventory gives you this understanding.

  • Cloud Migration: You can’t migrate a portion of your infrastructure to the cloud if you don’t understand how it works in the wider context of your environment. An asset inventory gives you that context.

  • Zero Trust: In order to convert your enterprise to zero trust, you need to understand how your current authentication systems work in your environment. An asset inventory gives you this understanding.

  • Vulnerability Management: Security analysts are facing alert overload. You need to be able to triage your vulnerabilities so that you can focus on the most critical assets, allocate resources efficiently, and take a risk-based approach. An asset inventory provides you with the contextual information necessary to do this.

  • Incident Response: Understanding how assets are connected is crucial for efficient incident response, enabling rapid decision-making and targeted actions to contain and mitigate incidents. Accurate, real-time information on asset interactions and dependencies also supports thorough forensic analysis, helping to uncover how the incident occurred and what was compromised.

  • Business Continuity and Disaster Recovery: Ensure that recovery plans are capable of quickly and accurately restoring critical business functions. An asset inventory identifies exactly which assets provide critical functions and provides the dependency information necessary to bring them back online quickly.

  • Quantum Readiness: This involves analyzing the encryptions your organization uses and your encrypted communications so that you can prioritize which are most vulnerable, and which need to be updated first when quantum encryptions become available.

These use cases are all, at the end of the day, transformation efforts. So, you can think of your asset inventory as your digital transformation enabler. It’s the starting point, as well as providing a map, for many different projects that your company wants to do to get ahead and be competitive in the marketplace.

The current state of asset inventories is poor

The truth is, most large enterprises are missing a significant portion of assets from their inventories—generally at least 20%. In many cases, organizations know less than half of their existing assets.

This is because organizations generally use a list of devices that have an endpoint solution installed and/or what their vulnerability scanners can find to create an asset inventory. If that’s your approach, you’re not even close to having a complete asset inventory. Missing 20% or more of your assets isn’t a small oversight—it’s a serious vulnerability.

What’s also concerning is the gap in understanding how your infrastructure supports core business functions. Ask most enterprises to list all assets tied to a critical business function, and they can typically identify only about 30% of them. They don’t know about their shadow IT, they don’t know which third parties they’re connected to, and they don’t know what shared resources their business function relies on, but are not directly owned by them.

If an organization had a complete and accurate inventory of all assets supporting its business functions, recovery from events like ransomware attacks would be swifter. The fact that many companies struggle to bounce back from such incidents highlights the current deficiencies in asset management.

What makes asset inventories so difficult?

Creating and maintaining an accurate asset inventory is a challenge for many organizations. Despite how important it is to know exactly which assets exist within your infrastructure, numerous factors make this task difficult to achieve. From shadow IT to the complexities of bring your own device (BYOD) policies, the scale and complexity of modern IT environments often outpace traditional methods of asset tracking.

Shadow IT

Employees doing things off the books and using unauthorized software, applications, or hardware without the knowledge or approval of the IT department or management makes it difficult to track and manage all assets effectively.

Bring Your Own Device

If you have employees who use personal devices (such as smartphones, tablets, and laptops) for work-related tasks and accessing corporate networks and data, it makes it difficult to track and manage all assets effectively.

Scale and Complexity

Organizations often have a large and diverse IT environment with numerous assets spread across multiple locations, networks, and platforms. Managing and tracking all these assets is a complex undertaking, especially in large enterprises with decentralized operations.

Additionally, assets are constantly changing due to factors such as technology upgrades, new installations, decommissioning of old assets, and employee turnover. Generally, Redjack has found that customer environments change by an average of 5-15% a month. Keeping track of these changes in real time is challenging, especially without automated tools.

Incomplete Documentation

Legacy asset inventory solutions focus on compiling a database of existing documentation. They compile existing asset information from multiple asset management systems, such as endpoint management databases, configuration management databases (CMDB), and other asset-tracking software. However, asset documentation in these systems is frequently outdated or incomplete. This makes it challenging to create and maintain a centralized asset inventory.

Limited Resources

IT and cybersecurity teams face resource constraints, including budget limitations, staffing shortages, and time constraints. These limitations hinder their ability to dedicate sufficient resources to creating and maintaining an accurate asset inventory, especially if they have to rely on manual audits to create an inventory instead of using an automated tool.

Given these challenges, the need for automation in asset inventory management becomes clear. Automated tools help organizations overcome these hurdles by providing real-time, accurate, and complete asset visibility. By automating the asset inventory process, organizations can ensure that their asset inventory is not only up-to-date but also resilient enough to adapt to the continuous changes within their environment.

Technologies used to build an asset inventory

The most common approaches are using scanners, connectors, or sensors. Each has its pros and cons. Download the full version of this paper using the form below to see the detail.

An accurate asset inventory is essential for cyber resilience

Building an accurate IT asset inventory is not just a regulatory requirement; it’s a strategic imperative that drives sustainable business value.

By moving beyond basic lists and embracing advanced tools like sensors and real-time monitoring, organizations can achieve comprehensive visibility into their IT environments. This visibility enables more effective risk management, enhances cybersecurity efforts, and supports critical digital transformation initiatives.

An accurate and continuously updated asset inventory not only ensures compliance but also aligns IT assets with core business functions, ultimately creating a resilient foundation for long-term success.

Want to read the rest of the white paper? Fill out the form below to get a PDF version that includes more detail.

 

Download the White Paper

Christina Cravens

Christina is the Chief Growth Officer at Redjack.

https://www.linkedin.com/in/christinacravenscmo/
Previous

Eight Cyber Resilience Priorities for 2025
Next

Redjack for Mergers & Acquisitions