Best Practices for IT Asset Management

#GRC It’s how little of the job is actually about finding the risk and how much of it is about tracking what people decide to do with it. One of my early projects involved reviewing a system where access wasn’t being removed when employees left. I flagged it, explained the impact, walked through the risk. Everyone nodded. And then… nothing changed. A few weeks later, during a walkthrough, someone asked, “Was this risk ever reviewed or accepted?” That’s when it clicked to me. It wasn’t enough that I’d raised the concern. I hadn’t captured who made the decision to leave it as-is, or why. There was no clear record of what was said, or when it was decided. Now, I always document those moments. Not just the risk, but the conversation around it; who was involved, what they agreed on, and what context shaped that choice. Not to point fingers. Just to keep a history. So if that risk resurfaces, we’re not scrambling to remember what happened or why. For anyone learning GRC .. spotting a gap is just one step. The actual work is in following it through; making sure it’s not just noted, but owned, discussed, and either acted on or intentionally accepted. And keeping that trail matters more than you think. Here’s a few of my recommendations: 1. Risk Acceptance vs Risk Mitigation (Article by TechTarget) Breaks down how risks are either accepted or acted on, and why documenting the decision matters. https://lnkd.in/g82uYRk6 2. Hyperproof Risk Ownership and Documentation Best Practices A plain-language overview of how GRC teams manage risk conversations, decision logs, and assignments. https://lnkd.in/gzWZUBah 3. GRC Fundamentals Training by ISACA (Free & Paid Options) Includes lessons on risk management, documentation, and audit readiness. https://lnkd.in/gDPyqv24 4. The Importance of an Audit Trail (OneTrust Resource) Covers why clear documentation is your strongest evidence in any control or risk review. https://lnkd.in/gfB5EE5k

Adoption Isn’t a Stage — It’s a Culture Too often in SaaS, we treat adoption as a box to check. Onboard → Train → Launch → Done. But real adoption doesn’t happen on a timeline. It happens when a product becomes part of how a company works. Adoption isn’t a stage. It’s a culture. And if we want to drive durable customer value—and retention—we need to stop thinking of adoption as a milestone and start thinking of it as a mindset. Many teams celebrate when a customer hits first login or completes onboarding. And those are important signals. But usage ≠ value. Clicking ≠ change. If we stop there, we risk mistaking activity for impact. We've delivered "Check-the-Box" Adoption. What happens next? – Usage flattens. – Executive sponsors disengage. – Value conversations at renewal feel strained. Adoption isn’t one CSM-led push. It’s an ongoing, cross-functional commitment, owned with your customer to make sure the product sticks—and stays central to that customer’s goals. A company with adoption culture doesn’t just ask, “Are users logging in?” They ask: - Are the right people using it? - Are they using it in the right ways? - Is it tied to their workflows, KPIs, and outcomes? - Does leadership see its strategic value? This requires more than training. It requires: - Customer maturity assessments to identify what success looks like for them - Executive alignment early and often—not just at kickoff or renewal - Ongoing sustainable enablement, not just onboarding - Success plans that tie product use to business objectives The best companies embed adoption thinking into every customer touchpoint—because they know that usage without purpose is noise, and purpose without usage is risk. Instead of asking, “Have they adopted?” Ask, “Are we helping this customer build a culture of adoption?” Because when customers adopt your product as part of how they work, you don’t just win renewals—you earn relationships.

Let's stop treating bad adoption as a product problem 🤦♂️ It's a problem with DEMONSTRATING VALUE. And it might be silently killing your growth. Your product team is building amazing features. But they can't force users to embrace them. Adoption is the ultimate cross-functional challenge. When marketing positions the product one way... When sales sets different expectations... When customer success struggles to demonstrate value... When product builds features without clear use cases... Users fall through the cracks, and adoption suffers. Here are eight things that CAN really move the needle on adoption: 🟢 **Demonstrating value early and clearly.** I've seen adoption rates vary from 40% to 85% based on how quickly users experience their "aha moment." Don't bury your value proposition under complex features or lengthy setup processes. 🟢 **Not overwhelming users on day one.** Start smaller, introduce core features first, and you'll be setting the stage for broader adoption opportunities in the future. Each new feature should solve a clear problem for the user. 🟢 **Moving from feature-focused to outcome-focused demos.** One company spent months trying to improve adoption by showcasing every feature. The most important lever was shifting to demonstrations that showed outcomes that users actually cared about. 🟢 **Educating beyond the initial onboarding.** Users need to know about new features, learn best practices, and feel connected to a bigger community. They also need to grok why it's worth investing time in the product so they can defend the business value to leadership. 🟢 **Nailing contextual guidance.** Seeing value in the right context is critical for a user staying engaged. Don't make users hunt for help or figure things out on their own—bring information to them when and where they need it. 🟢 **Integrations, integrations, integrations.** The more your product is embedded in a customer's workflow and systems of record, the more likely they'll adopt it fully. There are three aspects to this: connected data, streamlined workflows, and expanded use cases. 🟢 **Broadening the use cases for your product.** The more problems you solve for your customer, the more champions you'll have. Expanding horizontally within an organization builds resilience against churn. 🟢 **Measuring the right adoption indicators.** Do you know what features are predictive of long-term success? Focus on tracking meaningful engagement, not vanity metrics. The companies that win don't silo adoption responsibility—they make it everyone's mission. #productadoption #customersuccess #productmanagement #saas

The average enterprise can only account for 40% of their IT assets' true lifecycle costs. According to Flexera's 2024 State of ITAM Report, this visibility gap leads to millions in unnecessary spending annually. You know what you purchased. You might know where assets are deployed. But do you know the actual utilization, support burden, and total cost of ownership across every asset? This incomplete lifecycle visibility creates costly blind spots: ✅ Software purchased but never deployed ✅ Licenses active for departed employees ✅ Hardware running past end-of-support dates ✅ Cloud resources billing you indefinitely ✅ Refresh cycles following calendars, not usage patterns Forward-thinking organizations are eliminating these blind spots with ServiceNow ITAM by connecting every lifecycle stage: ✅ Procurement to Deployment: Automated tracking from purchase to user assignment ✅ Usage to Optimization: Real-time utilization metrics for reclamation ✅ Support to Retirement: Incident history linked to refresh planning ~40% of organizations report saving $1–10 million annually through IT asset management, and more than 1 in 10 save over $25 million each year by optimizing software and hardware assets. The true advantage? Complete visibility across your entire technology landscape. Is your ITAM program connecting these critical dots? Or are you still managing different asset types in separate systems? At AJUVO, we've helped enterprises eliminate these visibility gaps with ServiceNow ITAM implementations that deliver measurable cost savings and risk reduction. ➕ Follow me, Nicole Hoyle with AJUVO, for practical ServiceNow guidance that delivers real business outcomes.

Picture this: I'm presenting to our financial firm's leadership, drowning in blank stares after rattling off IAM system stats. Then our CISO asks, "But are we actually safer?" Cue awkward silence. 🦗 That day changed everything. We realized we'd been measuring IAM success all wrong. It's not about accounts managed - it's about risk reduced. Here's what we learned: 1. Speak Risk Language:   Showing a 60% drop in unauthorized access attempts got the board's attention. Risk is business-speak. 2. Find Risk Hotspots:   80% of our risk came from 20% of accounts. This led to tough talks about access policies. 3. Embrace "Oops" Moments:   Tracking risk revealed control failures, leading to a 40% security posture boost in 6 months. Key Wins: - 70% faster ex-employee access revocation (3 days to 2 hours) - 50% fewer password-related breaches - 95% access certification accuracy (up from 62%) Challenges? Plenty. Resistance to change, translating tech to risk metrics, legacy system headaches. But preventing a potential data breach turned skeptics into believers. Quick-start guide: 1. Assess risks to identify critical access points. 2. Align IAM metrics with business risk frameworks. 3. Start small - improve one high-risk area to demonstrate impact. We shifted from "look at all this IAM stuff" to "here's how we've cut risk." It elevated IAM from a tech function to a strategic asset. Fellow IAM leaders: What's your top risk reduction metric? What curveballs did you face? How has this focus shift changed the game for your team? Let's learn from each other!

The 𝗔𝗜 𝗗𝗮𝘁𝗮 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 guidance from 𝗗𝗛𝗦/𝗡𝗦𝗔/𝗙𝗕𝗜 outlines best practices for securing data used in AI systems. Federal CISOs should focus on implementing a comprehensive data security framework that aligns with these recommendations. Below are the suggested steps to take, along with a schedule for implementation. 𝗠𝗮𝗷𝗼𝗿 𝗦𝘁𝗲𝗽𝘀 𝗳𝗼𝗿 𝗜𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗼𝗻 1. Establish Governance Framework     - Define AI security policies based on DHS/CISA guidance.     - Assign roles for AI data governance and conduct risk assessments.  2. Enhance Data Integrity     - Track data provenance using cryptographically signed logs.     - Verify AI training and operational data sources.     - Implement quantum-resistant digital signatures for authentication.  3. Secure Storage & Transmission     - Apply AES-256 encryption for data security.     - Ensure compliance with NIST FIPS 140-3 standards.     - Implement Zero Trust architecture for access control.  4. Mitigate Data Poisoning Risks     - Require certification from data providers and audit datasets.     - Deploy anomaly detection to identify adversarial threats.  5. Monitor Data Drift & Security Validation     - Establish automated monitoring systems.     - Conduct ongoing AI risk assessments.     - Implement retraining processes to counter data drift.  𝗦𝗰𝗵𝗲𝗱𝘂𝗹𝗲 𝗳𝗼𝗿 𝗜𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗼𝗻  Phase 1 (Month 1-3): Governance & Risk Assessment   • Define policies, assign roles, and initiate compliance tracking.   Phase 2 (Month 4-6): Secure Infrastructure   • Deploy encryption and access controls.   • Conduct security audits on AI models. Phase 3 (Month 7-9): Active Threat Monitoring • Implement continuous monitoring for AI data integrity.   • Set up automated alerts for security breaches.   Phase 4 (Month 10-12): Ongoing Assessment & Compliance   • Conduct quarterly audits and risk assessments.   • Validate security effectiveness using industry frameworks.  𝗞𝗲𝘆 𝗦𝘂𝗰𝗰𝗲𝘀𝘀 𝗙𝗮𝗰𝘁𝗼𝗿𝘀   • Collaboration: Align with Federal AI security teams.   • Training: Conduct AI cybersecurity education.   • Incident Response: Develop breach handling protocols.   • Regulatory Compliance: Adapt security measures to evolving policies.  

𝑵𝒂𝒕𝒖𝒓𝒂𝒍 > 𝑹𝒂𝒕𝒊𝒐𝒏𝒂𝒍 As CSMs, we often focus on rational value—proving ROI, showcasing features, and providing data-driven insights yet we struggle with driving adoption and consumption. The problem is — 𝒉𝒖𝒎𝒂𝒏𝒔 𝒅𝒐𝒏’𝒕 𝒂𝒍𝒘𝒂𝒚𝒔 𝒎𝒂𝒌𝒆 𝒓𝒂𝒕𝒊𝒐𝒏𝒂𝒍 𝒄𝒉𝒐𝒊𝒄𝒆𝒔. Let's consider this simple thought experiment: if you're on a subway and overhear two strangers raving about a restaurant, you might trust their excitement more than Yelp reviews when choosing where to eat that evening ¯\_(ツ)_/¯ 𝐖𝐡𝐲? Because humans are wired to trust people over statistics. Natural tendencies often win over rational reasoning. So how does this apply to Customer Success? 💡 𝐀𝐝𝐨𝐩𝐭𝐢𝐨𝐧 𝐢𝐬 𝐄𝐦𝐨𝐭𝐢𝐨𝐧𝐚𝐥 𝐁𝐞𝐟𝐨𝐫𝐞 𝐈𝐭’𝐬 𝐋𝐨𝐠𝐢𝐜𝐚𝐥 Instead of waiting for customers to “realize” value through metrics, create experiences that feel natural. Gamify engagement, make onboarding frictionless, and reinforce micro-wins to trigger a sense of progress and success. 💡 𝐋𝐞𝐯𝐞𝐫𝐚𝐠𝐞 𝐏𝐞𝐞𝐫 𝐈𝐧𝐟𝐥𝐮𝐞𝐧𝐜𝐞 Humans trust humans (especially their co-workers or industry peers). Instead of just mechanically relying only on documentation or training videos, create internal customer communities, user groups, or champion-led showcases where customers or prospective users learn from peers. 💡 𝐃𝐞𝐟𝐚𝐮𝐥𝐭 𝐭𝐨 𝐅𝐚𝐦𝐢𝐥𝐢𝐚𝐫𝐢𝐭𝐲 Start by understanding how customers have adopted similar products—what worked, what didn’t. Use those insights to shape your approach, aligning adoption strategies with familiar workflows, communication styles, and past successes. Give them pre-built templates, code, workflows, accelerators that come close to what they want to achieve or looks familiar (uses/shows products or processes or terminology they use in their work). When adoption feels intuitive, it happens faster. 💡 𝐁𝐮𝐢𝐥𝐝 𝐔𝐫𝐠𝐞𝐧𝐜𝐲 𝐭𝐡𝐫𝐨𝐮𝐠𝐡 𝐒𝐨𝐜𝐢𝐚𝐥 𝐏𝐫𝐨𝐨𝐟 Showcase customer success stories in a way that sparks FOMO. “𝘛𝘦𝘢𝘮𝘴 𝘭𝘪𝘬𝘦 𝘺𝘰𝘶𝘳𝘴 𝘩𝘢𝘷𝘦 𝘢𝘭𝘳𝘦𝘢𝘥𝘺 𝘢𝘶𝘵𝘰𝘮𝘢𝘵𝘦𝘥 𝘟 𝘱𝘳𝘰𝘤𝘦𝘴𝘴𝘦𝘴 𝘢𝘯𝘥 𝘴𝘢𝘷𝘦𝘥 𝘠 𝘩𝘰𝘶𝘳𝘴” is more compelling than listing product features and benefits. The best adoption strategies don’t just make rational sense—they feel instinctively right. CSMs who align with natural human behavior, accelerate adoption without waiting for customers to “get it.” Don't get me wrong- the value & RoI, the "numbers" are also important but in a different context and stage (eg: a Renewal or Expansion conversation). How are you designing for natural adoption in your CS motion? Please share below 👇

Still managing hardware assets with spreadsheets, crossed fingers, or triggers from a ticketing system? That approach may work—right up until an off-network laptop misses a critical patch and becomes an attacker’s way in. Your hardware isn’t just equipment; it’s a living attack surface. The moment a device is forecasted, it starts accumulating risk, yet many teams wait until deployment to record it—and stop tracking once it drops off the network. That gap is where most breaches begin. The Ultimate Guide to Hardware Asset Management flips the script with an 11-phase lifecycle framework that keeps every asset in view before it’s online, while it’s online, and long after it leaves the network. You’ll learn how to: - Automatically ingest asset data at the forecasting stage, not weeks, months, or years later - Maintain end-to-end visibility—from initial forecast through final depreciation - Eliminate blind spots caused by shipping, storage, or off-network use - Reclaim idle devices and slash unnecessary CapEx and OpEx - Keep audit-ready records and prove compliance at every stage Why this matters: Because blind spots aren’t just accounting errors—they’re open doors for attackers, audit failures, and budget overruns. When your asset platform integrates with procurement and financial systems from day one, you gain continuous visibility, which leads to stronger security and tighter cost control. Hardware shouldn’t be a black hole of risk and expense. With end-to-end lifecycle tracking, it becomes a strategic advantage. ============== Download the guide to see how leading organizations are closing off-network device visibility gaps (link in comments).

The Biggest Mistake IT Leaders Still Make It’s not about budget. It’s not about tools. It’s this: Assuming technology alone is the solution. We’ve all seen it, great system, solid plan… completely flops. Because no one built support around it. Here’s where things go wrong (and how to fix them): 1. Users aren’t involved early enough ↳ The tool gets built for them, but not with them. ➜ Fix: Invite key users into early planning. Let them help shape the rollout, and they’ll help carry it too. 2.Training is treated like an afterthought ↳ “One session and a PDF” won’t change habits. ➜ Fix: Train to solve real problems. Use scenarios they recognize. Focus on “how it helps,” not just “how it works.” 3. The rollout feels like punishment ↳ “Here’s your new system, good luck!” ➜ Fix: Position changes as relief, not burden. Show what it replaces or improves. Share quick wins early to build momentum. 4. Success isn’t measured in people terms ↳ Dashboards look great… but no one’s using the tool. ➜ Fix: Add adoption and experience metrics. Track usage, survey confidence, and listen to feedback loops, just like you would for performance. Technology doesn’t transform anything by itself. People do. With the right support. Where have you seen this go wrong, or surprisingly right? I'll go first : An IT team I worked with picked a tool without talking to customers first. It promised big savings and smoother workflows. On paper? It looked like a win. In practice? Users hated it. It didn’t solve real problems, adoption tanked, and they had to start over—this time with users involved from day one. ♻️ Repost if you’ve learned that change only works when people are part of the plan. 🔔 Follow Bob Roark for human-centered IT strategy that actually works.

𝗗𝗮𝘆 𝟭𝟬: 𝗣𝗿𝗲𝗽𝗮𝗿𝗲𝗱𝗻𝗲𝘀𝘀 𝗮𝗻𝗱 𝗥𝗲𝘀𝗽𝗼𝗻𝘀𝗲 We know the cost of response can be 100 times the cost of prevention, but when unprepared, the consequences are astronomical. A key prevention measure is a 𝗽𝗿𝗼𝗮𝗰𝘁𝗶𝘃𝗲 𝗱𝗲𝗳𝗲𝗻𝘀𝗲 𝘀𝘁𝗿𝗮𝘁𝗲𝗴𝘆 to anticipate and neutralize threats before they cause harm. Many enterprises struggled during crises like 𝗟𝗼𝗴𝟰𝗷 or 𝗠𝗢𝗩𝗘𝗶𝘁 due to limited visibility into their IT estate. Proactive threat management combines 𝗮𝘀𝘀𝗲𝘁 𝘃𝗶𝘀𝗶𝗯𝗶𝗹𝗶𝘁𝘆, 𝘁𝗵𝗿𝗲𝗮𝘁 𝗱𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻, 𝗶𝗻𝗰𝗶𝗱𝗲𝗻𝘁 𝗿𝗲𝘀𝗽𝗼𝗻𝘀𝗲, and 𝗿𝗲𝘀𝗶𝗹𝗶𝗲𝗻𝘁 𝗶𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲. Here are few practices to address proactively: 1. 𝗔𝘀𝘀𝗲𝘁 𝗩𝗶𝘀𝗶𝗯𝗶𝗹𝗶𝘁𝘆 Having a strong understanding of your assets and dependencies is foundational to security. Maintain 𝗦𝗕𝗢𝗠𝘀 to track software components and vulnerabilities. Use an updated 𝗖𝗠𝗗𝗕 for hardware, software, and cloud assets. 2. 𝗣𝗿𝗼𝗮𝗰𝘁𝗶𝘃𝗲 𝗧𝗵𝗿𝗲𝗮𝘁 𝗛𝘂𝗻𝘁𝗶𝗻𝗴 Identify vulnerabilities and threats before escalation. • Leverage 𝗦𝗜𝗘𝗠/𝗫𝗗𝗥 for real-time monitoring and log analysis. • Use AI/ML tools to detect anomalies indicative of lateral movement, insider threat, privilege escalations or unusual traffic. • Regularly hunt for unpatched systems leveraging SBOM and threat intel. 3. 𝗕𝘂𝗴 𝗕𝗼𝘂𝗻𝘁𝘆 𝗮𝗻𝗱 𝗥𝗲𝗱 𝗧𝗲𝗮𝗺𝗶𝗻𝗴 Uncover vulnerabilities before attackers do. • Implement bug bounty programs to identify and remediate exploitable vulnerabilities. • Use red teams to simulate adversary tactics and test defensive responses. • Conduct 𝗽𝘂𝗿𝗽𝗹𝗲 𝘁𝗲𝗮𝗺 exercises to share insights and enhance security controls. 4. 𝗜𝗺𝗺𝘂𝘁𝗮𝗯𝗹𝗲 𝗕𝗮𝗰𝗸𝘂𝗽𝘀 Protect data from ransomware and disruptions with robust backups. • Use immutable storage to prevent tampering (e.g., WORM storage). • Maintain offline immutable backups to guard against ransomware. • Regularly test backup restoration for reliability. 5. 𝗧𝗵𝗿𝗲𝗮𝘁 𝗜𝗻𝘁𝗲𝗹𝗹𝗶𝗴𝗲𝗻𝗰𝗲 𝗣𝗿𝗼𝗴𝗿𝗮𝗺𝘀 Stay ahead of adversaries with robust intelligence. • Simulate attack techniques based on known adversaries like Scatter Spider • Share intelligence within industry groups like FS-ISAC to track emerging threats. 6. 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆-𝗙𝗶𝗿𝘀𝘁 𝗖𝘂𝗹𝘁𝘂𝗿𝗲 Employees are the first line of defense. • Train employees to identify phishing and social engineering. • Adopt a “𝗦𝗲𝗲 𝗦𝗼𝗺𝗲𝘁𝗵𝗶𝗻𝗴, 𝗦𝗮𝘆 𝗦𝗼𝗺𝗲𝘁𝗵𝗶𝗻𝗴” approach to foster vigilance. • Provide clear channels for reporting incidents or suspicious activity. Effectively managing 𝗰𝘆𝗯𝗲𝗿 𝗿𝗶𝘀𝗸 requires a 𝗰𝘂𝗹𝘁𝘂𝗿𝗲 𝗼𝗳 𝗽𝗲𝘀𝘀𝗶𝗺𝗶𝘀𝗺 𝗮𝗻𝗱 𝘃𝗶𝗴𝗶𝗹𝗮𝗻𝗰𝗲, investment in tools and talent, and alignment with a defense-in-depth strategy. Regular testing, automation, and a culture of continuous improvement are essential to maintaining a strong security posture. #VISA #Cybersecurity #IncidentResponse #PaymentSecurity #12DaysOfCybersecurityChristmas