In cybersecurity, “asset management” doesn’t typically get top billing, yet it’s arguably the star of the show. It’s virtually impossible to lock down all those devices, networks, Internet-of-Things sensors and the like, if you don’t even know what you have.
“Ten or 15 years ago, things were pretty simple: We had workstations and servers. Now with the addition of mobile computing, cloud computing and IoT devices, being able to manage and inventory all those assets has gotten a lot more complex,” said Tom Kennedy.
Kennedy is vice president of Axonius Federal Systems LLC. Prior to joining Axonius, he was vice president of public sector at Rubrik, helping accelerate the company’s federal sector growth. He also served as vice president and general manager of public sector at Veritas.
Axonius Federal is focused on delivering asset visibility and control, “and there’s been a lot of government policy that’s put tailwinds behind us in solving this problem,” Kennedy said.
Government agencies are under pressure to ensure strong asset management, as they look to meet a variety of compliance obligations. There’s Executive Order 14028 on Improving the Nation’s Cybersecurity, as well as the Cybersecurity and Infrastructure Security Agency’s binding operational directive 23-01, which specifically called out the importance of identifying and inventorying IT assets on federal networks.
In addition, the government’s move to zero trust architectures requires agencies “to understand where your users and your devices are,” Kennedy said. This, too, demands strong asset management.
Past cyber asset inventorying strategies are falling short. Agencies have typically depended on “agents,” digital devices that track technology assets.
“But agents get broken, they get lost, they get removed,” Kennedy said. And agents can’t keep up with the expanding landscape of mobile devices.
The Axonius solution collects information from across the entire IT environment. As technologies change — which they do all the time — the system stays current. The solution then goes further by correlating asset data to establish a single source of truth.
“Your vulnerability scanner might record a device as Tom’s Device, while your network access control might call it Thomas’s Device,” Kennedy said. With potentially dozens of systems identifying the same asset in different ways, “you need a way to correlate that, so it’s recognized as a single device,” he said. That’s what Axonius delivers.
With pressure on agencies coming from multiple directions, from executive orders to CISA directives, Kennedy sees ample opportunity for growth.
“This is a top-of-mind problem across the government right now,” he said. “A lot of government policy has been stimulating discussions for us, where agencies say, ‘Hey, how can we efficiently solve this?’ and we have a great solution for that.”
In making the pitch, the team will talk not just about IT inventories for compliance, but also about the range of added benefits.
“Once you have that comprehensive and dynamic cyber asset inventory established, that enables other use cases,” he said. Inventories empower “vulnerability management: being able to understand the blast radius of your vulnerabilities quickly and efficiently through the click of a button.”
A strong cyber asset inventory likewise helps agencies “to find gaps in coverage, or unknown assets,” he said. “When you’re developing your overall cybersecurity posture for your agency, it’s impossible to protect the devices that you can’t see.”
In fact, a recent report from the Enterprise Strategy Group found nearly 70% of organizations have experienced breaches through unknown assets.
“It’s really important to have that comprehensive view so you can confidently avoid breaches coming through unknown unmanaged assets,” Kennedy said.
When it comes to reshaping a key government process (in this case, asset management), a strong pitch is just the starting point. Kennedy said agencies may stumble in putting a solution in place because of their own internal arrangements, in which IT resources typically don’t all sit under one umbrella.
“This requires a lot of breaking down of silos. Each cybersecurity tool has a specific owner, and sometimes sharing data with other owners is a challenge,” he said. To that end, Axonius focuses on education, “bringing groups together to explain where we’re trying to take this: That we’re giving the agency the entire view that they really need and want.”
With a Federal Risk and Authorization Management Program application still in process, Kennedy is optimistic that eventual approval will open new doors. Axonius already has an on-premises offering, and with a hosted solution it will be able to meet an even wider range of agency needs.
“We know that there has been demand for that,” he said.
The company also is helping agencies to make the financial case. While various mandates require improved asset management, those mandates don’t come with funding. Axonius helps build a strong business case, demonstrating not just improved cyber outcomes, but also the ability to leverage a cyber asset inventory in order to rationalize — to pare down duplicative or unnecessary technology spending.
As a 20-plus-year veteran of the GovCon space, Kennedy said he’s pleased to work at the intersection where a great solution fulfills a real government need.
“We have a huge emphasis on creating positive outcomes for customers,” he said. “And we have this technology that can really make a difference in the government mission.”