In September 2020, a large government agency suffered a data breach in which attackers used the personal information of 46,000 veterans to divert medical payments. That is pocket change compared with another organization's shocking breach in 2015: as a result of it, that same organization finished paying, in August 2020, for an 18-month credit monitoring services contract to the tune of $400 million.
Working primarily with NASA and the U.S. Department of Energy, I know how high the stakes are in the federal space. A data breach at a major retailer can be devastating to its brand image, for example, but an attack on a federal agency can be a national security risk. Today's attackers have the most sophisticated tools in digital history for exploiting systems and stealing data, but what they want more than anything is an entry point. Poor software asset management (SAM) practices can provide one.
Now, compared with emerging tech, I know SAM isn't the sexiest talking point in the digital workplace, but it is one of those critical enablers of holistic cybersecurity and there is no way around it. Attackers don't care what they are infiltrating, whether it is Internet of Things (IoT) sensor data or a 20-year-old hard drive; they only care about getting a foot in the door. SAM is "another door to lock" within your organization (even if it is a tiny side door). And surprisingly, SAM is one of the more overlooked and messy processes for government IT teams.
The software lifecycle has many moving parts. For government agencies it starts with procurement, which has unique purchasing contract requirements such as GSA, SEWP and others. But the brunt of the work occurs in the management stage, which involves monitoring usage, licensing compliance, software entitlement visibility, reuse (reharvesting) of licenses and much more.
That's a lot to account for, and in the bustle of a management process that is commonly ill-defined and not standardized, installed software often falls out of date or out of vendor support, at which point no further patches are issued for the vulnerabilities found in it, and nobody may even know it is still running. As we've all seen in the IT world, out-of-date defenses don't hold a candle to new and increasingly sophisticated cyberthreats.
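The security-relevant output of the management stage is a list of installed software that is past vendor support, behind its latest patch, or not covered by any entitlement or support record at all, because that is exactly what an intruder looks for once inside. The following Python is an added example, not code from the original article and not the logic of any particular SAM product: it reconciles an inventory against a support/end-of-life table and ranks hosts by the number of findings. Every host name, product, version and date in it is constructed for illustration.

```python
"""Reconcile a software inventory against a support/end-of-life table.

Added example, not code from the original article. Every product name,
version, host and date below is constructed for illustration; the
support table stands in for the records an agency would keep from its
entitlements and vendor lifecycle notices.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class SupportRecord:
    product: str
    major: int                      # release line this record covers (2 for 2.x)
    latest: str                     # newest patched version in that line
    end_of_support: Optional[date]  # None means still under vendor support


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    status: str  # "end-of-support", "unpatched" or "unknown-product"


def parse_version(version: str) -> tuple:
    """'2.3.1' -> (2, 3, 1); '5.1.2-build7' -> (5, 1, 2, 7). Numeric parts only."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def assess(inventory, support, today):
    """Classify every installed item that needs attention.

    Priority: an item on an unsupported release line is 'end-of-support'
    even if it is the last patch of that line; an item behind the latest
    patch of a supported line is 'unpatched'; an item with no support
    record at all is 'unknown-product' (nobody owns its patching).
    Current, supported items produce no finding.
    """
    by_line = {(r.product, r.major): r for r in support}
    findings = []
    for item in inventory:
        ver = parse_version(item.version)
        rec = by_line.get((item.product, ver[0])) if ver else None
        if rec is None:
            status = "unknown-product"
        elif rec.end_of_support is not None and rec.end_of_support <= today:
            status = "end-of-support"
        elif ver < parse_version(rec.latest):
            status = "unpatched"
        else:
            continue
        findings.append(Finding(item.host, item.product, item.version, status))
    return findings


def hosts_needing_action(findings):
    """Count findings per host so the worst-off machines are handled first."""
    return Counter(f.host for f in findings)


# Constructed sample data: hypothetical hosts and products, not real ones.
INVENTORY = [
    Installed("fileserver01", "ExampleDB", "2.3.0"),
    Installed("fileserver01", "ExampleViewer", "5.2.0"),
    Installed("ws-0412", "ExampleDB", "1.9.7"),
    Installed("ws-0412", "ExampleViewer", "5.1.2-build7"),
    Installed("kiosk-07", "LegacyCAD", "3.0.0"),
]

SUPPORT = [
    SupportRecord("ExampleDB", 2, "2.3.1", None),
    SupportRecord("ExampleDB", 1, "1.9.7", date(2019, 6, 30)),
    SupportRecord("ExampleViewer", 5, "5.2.0", None),
]

TODAY = date(2020, 10, 1)  # assessment date for the sample run

if __name__ == "__main__":
    results = assess(INVENTORY, SUPPORT, TODAY)
    for f in results:
        print(f"{f.host:14} {f.product:14} {f.version:14} {f.status}")
    print(hosts_needing_action(results))
```

On the sample data the run reports four findings: ExampleDB 2.3.0 on fileserver01 is behind 2.3.1, ExampleDB 1.9.7 on ws-0412 is on a release line the vendor stopped supporting in 2019 even though it is that line's last patch, ExampleViewer 5.1.2 on ws-0412 is unpatched, and LegacyCAD on kiosk-07 has no support record at all, which in practice is the finding to chase first since nothing in the entitlement data says who is responsible for it.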
According to SAM research from Deloitte, 72% of IT leaders say they have not created a formal SAM strategy and 74% have not created a formal SAM function. The reasons cited include technology complexity, complicated licensing agreements and immature processes. To me, these findings suggest that even if an agency invests in a SAM tool, using that investment strategically is another story altogether.
When I speak with federal agency clients, it is clear that a lot of groundwork needs to be done before they decide on a SAM solution. Here are the steps that need to be taken:
Armed with better SAM strategies, tools and methods, organizations can feel good knowing they have checked one more "peace of mind" box when it comes to securing every possible entry point against data theft. But the work doesn't stop there. A well-defined process goes a long way, not only for SAM, but for any IT asset that could open the door to cybercrime.