In today's ever-expanding digital world, organisations pour resources into preventative security measures like firewalls, multi-factor authentication (MFA), and least-privilege access control. While these are undoubtedly vital, many organisations still fall victim to significant breaches despite their hefty investments. Why? Because these controls are only truly effective against risks you know about.
Visibility is the cornerstone of effective security design, laying the groundwork for all prevention efforts. Only when you genuinely understand every asset you possess—whether sanctioned, unsanctioned, or forgotten—can you build a security programme that is prioritised, risk-informed, and balanced. Without this clarity, controls are deployed in isolation, leaving critical gaps across the entire security lifecycle: governance, prevention, detection, and response.
The Unseen Passage: A Museum Security Parable
Imagine a prestigious museum filled with priceless artefacts. Its security appears impeccable: visitors pass through turnstiles, undergo bag checks, use access cards, and are monitored by trained guards, CCTV, and motion sensors. From the security team’s perspective, all entry points are fortified, ensuring multiple layers of defence.
However, hidden deep within the museum’s foundation, a disused service tunnel exists. Unknown to current staff, absent from updated floor plans, and long neglected after facility upgrades, this tunnel connects directly to a quiet storage corridor deep inside the building, bypassing these defence measures. This overlooked infrastructure represents a significant hidden risk.
Digital Parallel: Shadow IT and Unaccounted Assets
A similar risk unfolds in digital environments. While robust controls might protect your known assets, a parallel ecosystem of Shadow IT and other unaccounted systems often operates completely out of sight. These assets—untethered from governance—can undermine the entire security posture of an organisation.
As an example of Shadow IT, consider a marketing team, eager for efficient collaboration, that signs up for a new cloud-based project management tool. It’s user-friendly, boosts productivity, and its free tier meets their immediate needs. This tool, however, holds sensitive campaign data and client lists. Because it was adopted without IT or Security department approval—the marketing team bypassed standard procurement processes in favour of speed—it remains entirely off the organisation’s asset inventory. No security assessments are performed, no access controls are implemented, and its data storage location is unknown. Should this service be compromised, or a former employee’s access not revoked, it creates a wide-open back door to critical information, completely bypassing the robust preventative controls guarding the known digital estate.
Why Discovery Is Essential
This scenario highlights a critical Cyber Security principle: “You can’t protect what doesn’t ‘exist’.”
The use of Shadow IT is on the rise in many organisations, largely due to the proliferation of cloud services, mobile devices and IoT devices. This creates part of the “unknown” problem, where business leaders and security teams are unaware of these assets and, consequently, don’t incorporate them into their cyber security strategy.
Furthermore, there’s another dimension to this issue: abandoned and/or forgotten assets. Whether it’s an abandoned testing programme for new cloud software, an overlooked critical DNS hosting service, or infrastructure that wasn’t properly decommissioned within a cluttered server rack, these assets may also pose significant risk to your organisation’s security posture.
This is where discovery becomes vital, not just as an infrequent or once-off event, but as a continuous, adaptive, and integrated blend of technologies, processes, and a team of skilled and knowledgeable personnel. By continually and proactively discovering the digital assets within your estate, you ensure that these assets are known and accounted for when designing your cyber security strategy.
Visibility Isn’t Just Knowing – It’s Seeing Into the Asset
Context is a crucial aspect of visibility. Returning to our museum example, once the service tunnel is discovered, imagine if the security team were to just acknowledge its existence and move on. The same risk is still present, with the only difference being that it is now “known”.
Context is the vital factor that informs the security design process and guides the balanced allocation of resources (e.g. time, budget, personnel…), all informed by visibility into the entire estate.
This concept allows us to gather critical information about an asset, like the service tunnel, which can then be used to determine the best way to secure it, including:
- Vulnerabilities: Where does the tunnel end? Are there any structural weaknesses or points of easy access?
- Threats: Who could use this tunnel, and what vulnerabilities could they exploit?
- Criticality and Purpose: Is this tunnel still needed? What business function, if any, does it support? Can it be sealed off to eliminate the risk entirely?
Detection: The Second Half of Visibility
This brings us to a crucial point: detection isn’t a parallel concept to discovery; it’s the second act of visibility.
Knowing an asset and its potential risk is foundational but not enough. Without the ability to observe activity, detect changes, and trigger alerts, a discovered asset becomes a passive liability.
In the museum example, imagine if the guards simply locked the service tunnel’s hatch (e.g., a preventative control such as MFA). What happens if that door is accidentally left unlocked or is breached? In this example, the security team must take additional measures such as installing card readers at entry points, cameras, and motion sensors.
These detection measures assist security teams to:
- Distinguish malicious activity from normal operations.
- Support rapid incident response by providing real-time alerts and insights.
- Guide prioritised mitigation and forensic investigation.
- Create a key link in the security lifecycle chain, for continuous improvement and feedback loops.
Ultimately, detection completes the visibility equation. It transforms passive knowledge into actionable insight, shaping the response capability of the security lifecycle.
Recommendations: Rebuilding on a Foundation of Visibility
To close these dangerous gaps, security teams must invert their approach: visibility comes first, controls come second. This informed visibility, complemented with context across the entire estate, allows for a strategic allocation of IT resources.
Prioritise Continuous Discovery and Identification:
- Automated Asset Discovery: Continuously scan your entire estate for unidentified assets, including hardware, software, networks and cloud technologies.
- Unified Inventory: Implement and maintain a centralised inventory of all digital assets. This provides a holistic view of your assets and their associated attributes, to inform security posture design and assessment activities.
- Classification: Map assets with their associated attributes, such as criticality, sensitivity, and risk profile, to support risk-based prioritisation and ensure focus on what matters most.
Elevate Detection Alongside Prevention:
- Centralised Logging: Ensure all in-scope assets feed essential telemetry and/or logs into a unified detection platform for comprehensive monitoring.
- Behaviour Analytics: Deploy detection technologies that continuously assess the behavioural patterns of users and the systems/services themselves.
- Continuous Exposure Monitoring: Incorporate technologies and continuous processes to identify and assess your organisation’s evolving exposure to risks, encompassing vulnerabilities, misconfigurations, and unmanaged assets, thereby ensuring a dynamic and proactive approach to mitigating potential attack vectors.
Additionally, ensure further overarching governance is applied, and the necessary policies and processes are in place for the sanctioning and procurement of new assets.
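One way to combine the discovery, unified inventory, classification and centralised logging recommendations above, as an added example that is not part of the original article: reconcile what a discovery scan saw against the inventory and the logging platform's last-seen times. All asset names, fields, the 24-hour silence threshold and the triage order are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article).
NOW = datetime(2024, 6, 1, 12, 0)
DISCOVERED = {"web-01", "db-01", "pm-tool.example.net", "test-vm-7"}  # scan output
INVENTORY = {  # centralised inventory with classification attributes
    "web-01": {"criticality": "high"},
    "db-01": {"criticality": "critical"},
    "legacy-dns": {"criticality": "high"},
}
LAST_LOG_SEEN = {  # last event received by the detection platform
    "web-01": NOW - timedelta(minutes=5),
    "db-01": NOW - timedelta(days=3),
}
# Assumed triage order: unclassified assets first, since their risk is unknown.
RANK = {"unknown": 0, "critical": 1, "high": 2, "medium": 3, "low": 4}


def reconcile(discovered, inventory, last_log, now,
              max_silence=timedelta(hours=24)):
    """Return (asset, finding, criticality) tuples in triage order.

    unmanaged    - seen on the estate but absent from the inventory
    not_seen     - inventoried but not observed by discovery (stale or forgotten)
    no_telemetry - known and present, but silent in the logging platform
    """
    findings = []
    for asset in discovered - set(inventory):
        findings.append((asset, "unmanaged", "unknown"))
    for asset, meta in inventory.items():
        if asset not in discovered:
            findings.append((asset, "not_seen", meta["criticality"]))
            continue
        seen = last_log.get(asset)
        if seen is None or now - seen > max_silence:
            findings.append((asset, "no_telemetry", meta["criticality"]))
    return sorted(findings, key=lambda f: (RANK[f[2]], f[0]))


if __name__ == "__main__":
    for asset, finding, crit in reconcile(DISCOVERED, INVENTORY,
                                          LAST_LOG_SEEN, NOW):
        print(f"{crit:<8} {finding:<12} {asset}")
```

Run on a schedule, the three finding types map to the article's gaps: Shadow IT, forgotten assets, and discovered assets that have become a passive liability because nothing observes them.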
Conclusion: From Uncertainty to Assurance
Cyber security is often perceived as a technology problem, but its true foundation is strategic clarity. Without comprehensive visibility, security teams are working from incomplete maps, however well-equipped they may be.
Whether it’s a forgotten service tunnel beneath a museum, an unsanctioned cloud app storing customer data, or an overlooked system that could prove an issue after the fact, the lesson is the same: you cannot secure what you do not fully understand. This understanding must be informed by deep visibility into the entire estate, complemented by the context that allows for a balanced and effective allocation of resources.
By anchoring security programmes in continuous discovery, contextual awareness, and integrated monitoring, organisations can transform their investments into meaningful outcomes. Prevention becomes targeted, detection becomes timely, and response becomes informed.
Visibility isn’t just the first step—it’s the lens through which every control must be applied.
Final Thoughts: The Broader Reach of Visibility
While this article focused on visibility in the context of digital assets, it is important to highlight that this principle extends to other crucial areas as well:
- Third Parties and Supply Chains: Imagine an attacker sneaking inside the museum via a delivery crate—visibility into your supply chain partners is equally vital. Your organisation’s risk exposure is increasingly tied to your vendors’ security posture. Without continuous discovery and assessment of these external entities, their vulnerabilities become your own, creating pathways for sophisticated attacks.
- Emerging Technologies: New technologies constantly reshape the threat landscape. Understanding their potential impact and security implications from the outset—whether adopted or still on the horizon—is crucial for proactive security. This forward-looking visibility is essential for securing innovation safely; without it, organisations risk creating new, unmonitored blind spots.
