Showing posts with label SAM. Show all posts

Monday, February 28, 2011

Software Asset Management - 2011

What is it about 2011 that makes me think...we have officially reached "the future"? 

Is it just that I'm now so old that when I thought forward to the future it was anything after 2010? Probably...but since old age seems to keep growing further and further away from me as I age, I refuse to accept that as the answer, LOL! 

What will happen to Software Asset Management in 2011? My crystal ball is far from perfect but I'll take a stab at predicting this year anyway... 

Software audits rise - sorry, I know you've been hearing that threat for years but based on what I've seen so far in 2011 I think you can count on it as a fact. As the economy (and therefore companies) see an improvement I think you'll find publishers starting to come forward to find out what you have (and haven't) been doing in the past couple of years. They know you've been spending less money with them, so they want to make sure you've been licensing appropriately. Software audits are expensive (even if you're fully compliant and don't have to buy anything), so before you respond please reach out to us to see how we can help! 

Cloud Computing continues to grow and initially companies will manage these in a decentralized fashion (you buy it, you manage it). Hopefully some will remember lessons learned from the past and have these managed centrally by their Software Asset Manager. When I spoke on this topic at the IAITAM Conference two years ago there was a lot of uncertainty from Software Asset Managers as to who owned this responsibility - frankly the role that owns it is the role that steps forward to take control of it. My suggestion is that a savvy SAM Manager will realize that they add value to this function and this function adds value to their position. If you don't have your controls in place for managing Cloud contracts, please talk to us about appropriate processes and controls. 

The role of the CIO will become more ambiguous. OK, so this isn't SAM but it is important to SAM. I think we are clearly seeing the assimilation of IT into the whole of the business. Regardless of industry, IT is critical to all areas of the business and business owners are going to want more control of it. While a certain amount of centralization and segregation of duty is imperative to maintain controls and manage cost, I will not be surprised to see the role of the CIO disappear. However, on the flip side, I think you will start seeing more former CIOs transition into the role of the COO (possibly a natural evolution as CIOs have long been advised to become intimately familiar with all the business units they are serving). If this transition does take place, you might well see the role of SAM Manager follow suit (especially if the SAM Manager has taken on the Cloud Computing aspect). 

Is my crystal ball failing me or do others see the same? Let me know! 

One thing I do know for certain is that Cynthia Farren Consulting will launch an updated website in 2011 (OK, I cheated...since it already launched earlier this month). We tried to simplify matters and provide more valuable content - let us know how we did!

Thursday, August 13, 2009

What Your Software Inventory Tool Isn't Telling You!

Hopefully by now you've realized that in order to manage your software (or other IT assets) you need to have an inventory tool. As you will know from my other posts, you can't stop there...but it is a good place to start.

However, you need to understand your tool and how it reports data to you. Otherwise you might get an ugly surprise later on down the road when you find software installed on your systems that wasn't showing on your reports!

Inventory tools have a database of software titles, each associated with a publisher and typically with a flag to indicate if it is licensable software (versus freeware, etc). The completeness of this database is the biggest value to you of the tool. With most tools, if an executable is not in this database then it gets grouped into a "Misc" category and will fall into an exception report, a "catch all" report or might not be reported at all.

This could include new releases from publishers or simply publishers that your tool publisher doesn't categorize. These "unidentified" programs can cause you a lot of headaches - from a security, licensing and support angle.

Most inventory tools are updated on an ongoing basis as the publisher becomes aware of new software, but if you're not keeping current on your maintenance with that software you might not be getting this updated information.

Protect yourself - keep your maintenance current on any inventory tools you use, check the frequency of the tool publisher's updates and include a check of "Misc" or "Catch All" software reports in your Software Asset Management process.

Additionally, if you are concerned about potential risk in this area you might want to consider having all of your software identified. Software ID Technologies has services that will identify all software in your environment. We've teamed with them on a number of engagements and they do a good job of taking the mystery out of those "unidentified" applications.
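The "Misc" check described above can be scripted against a raw inventory export. The following is an added example, not code from this post or from any inventory product: the catalog, scan rows and host names are constructed sample data, and the 90-day catalog freshness window is an assumption.

```python
from collections import defaultdict
from datetime import date

# Constructed sample catalog: executable -> (publisher, licensable flag)
CATALOG = {
    "winword.exe": ("Microsoft", True),
    "acrobat.exe": ("Adobe", True),
    "7zfm.exe": ("Igor Pavlov", False),   # freeware entry
}
CATALOG_UPDATED = date(2009, 2, 1)        # constructed: last catalog refresh

# Constructed scan rows: (host, executable path reported by the agent)
SCAN = [
    ("pc-01", r"C:\Program Files\Office\WINWORD.EXE"),
    ("pc-01", r"C:\Tools\7zFM.exe"),
    ("pc-02", r"C:\Program Files\Adobe\Acrobat.exe"),
    ("pc-02", r"C:\Users\bob\newcad.exe"),
    ("pc-03", r"C:\Apps\NewCAD.exe"),
    ("pc-03", r"C:\Temp\helper32.exe"),
]

def exe_name(path):
    """Normalise a Windows path to a lower-case executable name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(scan, catalog):
    """Split scan rows into licensable, free and unidentified buckets."""
    buckets = {"licensable": defaultdict(set), "free": defaultdict(set),
               "unidentified": defaultdict(set)}
    for host, path in scan:
        name = exe_name(path)
        if name not in catalog:
            buckets["unidentified"][name].add(host)   # never drop silently
        elif catalog[name][1]:
            buckets["licensable"][name].add(host)
        else:
            buckets["free"][name].add(host)
    return buckets

def misc_report(buckets):
    """Unidentified executables, most widely installed first."""
    rows = [(n, sorted(h)) for n, h in buckets["unidentified"].items()]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))

def catalog_is_stale(updated, today, max_age_days=90):
    """True when the catalog was not refreshed within the assumed window."""
    return (today - updated).days > max_age_days

if __name__ == "__main__":
    for name, hosts in misc_report(triage(SCAN, CATALOG)):
        print(f"UNIDENTIFIED {name}: {len(hosts)} host(s) {hosts}")
    print("catalog stale:", catalog_is_stale(CATALOG_UPDATED, date(2009, 8, 13)))
```

Sorting the unidentified bucket by host count puts the widest-spread unknown title at the top of the review queue, which is where the licensing and security exposure is largest.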

Thursday, July 16, 2009

Software Asset Management, Common Sense and Saving Money

Have you ever noticed how cyclical everything seems to be in this world? Well, one of the cycles I've watched since the early 1990's has been Software Asset Management.

The cycle (at least in the US, I frankly didn't track it much internationally) seems to be: Avoiding the topic, Awareness of an issue, Deciding to do something about the problem, Doing a full-fledged project, Paring that project down, Letting nature take care of itself and then the cycle starts again.

Obviously there may be some missing stages and some more "refined" terms than those I used but the basic concept is the same. When times are lush we seem to get into this phase where we feel the need to do a full bore SAM methodology but as soon as money and resources get tight we abandon the methodology in favor of "just making do".

This topic has been reinforced to me lately through two things: (1) a brand new client who emphasized the desire to have an "a la carte" proposal for SAM implementation - our existing clients know that providing options is the ONLY way we work, and (2) reading a fellow SAM practitioner's (Kylie Fowler) blog which focuses on the "practical" side of ITAM and SAM (check it out...some great information).

In all our methodologies, let's not lose sight of the basic concept here...SAM is supposed to save money, manage risk and provide the business with the technology tools needed to be competitive. None of this requires complexity or extraordinary costs, and it should all fit easily into common sense business practices.

If you're finding yourself ignoring your SAM methodology to run your business, do a quick re-evaluation of the methodology. What is valuable and what is just extra work? Streamline it, modify it, replace it with something simpler...do what you have to do, but don't abandon or ignore it altogether as you'll then be doomed to repeat the cycle (losing out on all those great cost savings and risk management in the meantime!).

If this is still too much for your business right now - consider outsourcing your SAM. We do this for a number of clients and they've found that (a) our costs are ridiculously low compared to in-house, (b) we typically save them more than our annual fee in increased savings, and (c) it frees their staff up to focus on running the business. Talk to me if this is of interest to you.

Thursday, October 25, 2007

Software Asset Management – A Regulatory/Industry Compliance Perspective

Software Asset Management (SAM) not only makes good business sense (lowers cost of software ownership, is integral to good security and enhances the productivity of technology workers) but it is also a key component in most of the regulatory and industry compliance requirements facing businesses today.

OK, I stretch on a few like HIPAA and Gramm-Leach-Bliley (GLB)…you can technically comply with these without SAM as long as you have hardware asset management, but still – you need to know where your computer assets are, who has access to them and be able to restrict what data can be loaded onto them.

But for Sarbanes Oxley (SOX) and the Payment Card Industry (PCI) Standards, it goes beyond that to actual SAM.

For SOX, there is a COBIT™ control objective which loosely states “Ensure that only appropriate software is installed in the environment”. Well, if you take that apart (which your auditors do…) then “appropriate” would mean (a) that you know what is appropriate and what is not, (b) that you have this documented somewhere, and (c) that it is licensed correctly. Additionally, to prove that you comply you need to be able to show what is installed in your environment and prove that you have a process that is documented and followed for periodically checking this information.

For PCI, you need to maintain a vulnerability program which has two requirements: (1) use and regularly update anti-virus software and (2) develop and maintain secure systems and applications. Both of these requirements come with a list of required items but basically it comes down to being able to ensure that every system has the most up-to-date virus protection and the latest approved security patches for all applications running on those systems. How do you ensure this information if you (a) don’t know what’s installed and where, and (b) don’t have a way of verifying what patch level it is at?

SAM makes good business sense, and it is required by many of the major regulatory/industry compliance requirements…so why are so many companies still avoiding it? Why the piecemeal approach that I see so often in the business place? Why do CIOs’ and CFOs’ eyes roll back in their heads when you mention SAM? I realize IT staffs are frequently overloaded and often do not have the necessary current information to maintain a SAM program – but isn’t that why we outsource?

Would love your insights…

Tuesday, July 31, 2007

Software Asset Management – Luxury or Necessity?

I was speaking with a friend today who asked me the question…is what you do a necessity or a luxury? I immediately responded that SAM is a necessity – but at the same time it made me really think about his question and about why he was asking it.

He’s a mortgage broker – and if you’ve watched the news at all, you know that there is a lot of pain going on in that industry. However, there is a lot of pain going on in a lot of industries right now, which is why he asked the question. If you think about it, while SAM is always important and there are always significant business reasons to do it – when things are tough financially and operationally it makes it even more important.

You can look at the figures all over and you will constantly see evidence that SAM saves companies around 30% on software costs in year one and about 10% on an annual basis. When you factor in the soft dollar savings on increased operational efficiency the savings go up dramatically. I know these numbers to be true based upon the results our clients have seen.

You could make the argument that while SAM is important, companies don’t need to hire consultants to do it for them so the hiring of a firm such as ours could be considered a luxury. True, companies can do it themselves…but unless you’re going to invest the time, money and energy to train someone within your organization to become a SAM expert – you will probably expend a fair amount of personnel time and then turn around and hire a professional when you don’t get the results you’re expecting.

Implementing a SAM program frequently involves a lot of esoteric knowledge – knowledge that is not necessary for ongoing maintenance but is necessary to provide the accurate evaluation of the current license and process status. Hire a professional to set up your program – let them put their expertise to work for you and train your staff on what it will take to maintain the program going forward.

So, unless you’re not going to buy software – SAM becomes even more important to you in lean times as it saves you considerable money, and hiring a professional to set up your program allows you to leverage their historical knowledge and expertise while at the same time ensuring that your staff only has to learn the pertinent information to maintain your program.

Has your company established a SAM program? Did you do it yourself or hire a professional? What was the outcome?

Thursday, June 21, 2007

What's an acceptable "out of compliance" number?

I was privy to an interesting conversation a few weeks ago...the topic was "What level of non-compliance is acceptable?". Basically the basis for the discussion was that being illegal on some licenses was to be expected but at what level does it become an issue.

Before jumping into all sorts of morality issues, I'll stop myself and instead put this in the context of...assuming it will cost me money to prove every single license, is there a point at which I can say "under this amount is not worth the cost"?

Now, morally I don't feel there is a number greater than zero that can be acceptable. If you can't prove licensing for a single product, you owe it to yourself and the publisher who invested their time and resources into its creation to buy the product (and then keep better records).

Getting off my moral high horse I will point out that running even a single copy of software that you can't prove licensing for is a risk to you and your organization. As with any risk to your organization, your organization's risk assessment framework should address this topic for you. But remember - you can't manage what you don't know and you can't apply a risk assessment if you don't have the details!

What are your thoughts?