By Paul ‘Doc’ Burnham & Rod Potter
ITAK Volume 6 Issue 6
How many times have we all heard that SAM (Software Asset Management) is just an IT issue and IT needs to handle it? While it is true that SAM is associated mainly with IT, it is not true to say it only affects IT. The fact is – SAM is something that affects most areas within an organization. Some of the most common areas include IT, security, procurement and individual business units.
Here are some of more common functions that SAM affects and supports:
- License Management – relates to understanding how software is licensed and used. For example: selecting and using the “right” license by metrics (by user, by processor, by device, etc.) to provide cost savings through license optimization, flexibility in how and who can use the software, and reduced license management efforts. Organizations also benefit from reducing or eliminating both under-licensing and over-licensing of software. Benefits of proper licensing include reducing the risks related to audits, unbudgeted software expenses, as well as cost savings by not purchasing unneeded software. In addition to IT, it commonly affects business units and procurement.
- Financial Management – relates to the cost and control of software assets. This includes managing cost associated with purchasing and renewing licenses, software maintenance and support, as well as accounting for those software assets. While these efforts can be quite challenging, they are necessary for organizations to demonstrate good financial stewardship; especially if the organization include software on their Fixed Asset inventory. In addition to IT, it commonly affects business units, procurement and finance.
- Platform Stability – relates to negative impacts on critical business applications or network stability through interoperability issues. These may be caused by the installation and use of non-approved or unauthorized applications. Such interoperability issues may be present even when there are no security threats present. In addition to IT, it commonly affects security, business units and end-users.
- Productivity – relates to those unexpected challenges resulting from compatibility issues due to varying file formats or untested application support. Although there are often work-around solutions available to reduce or avoid impacting end-user productivity, applying them individually rather than through centralized SAM can be a waste of time and resources. In addition to IT, it commonly affects business units and end-users.
- Business Continuity – relates to not only disaster recovery but also IT service management. Knowing what applications are installed on what devices is critical in a disaster recovery situation, but it is also critical for day-to-day IT service management. The ability to quickly and accurately determine what applications are affected when a particular device fails can be the difference between a single device outage and a major system failure that could result in significant losses. In addition to IT, it commonly affects security, business units, end-users and the disaster recovery operations.
- Security – relates to compromised network or data security. Protecting the integrity of the network and data means identifying real or potential threats and eliminating them. So whether the threat is an application not being at the correct patch level or some unauthorized application such as malware or peer-to-peer file sharing being installed, the ability to quickly and accurately identify and eliminate the threat is critical to preventing a security breach or system compromise. In addition to IT, it commonly affects business units, end-users, and especially senior management.
- Corporate/Regulatory requirement – relates to those requirements an organization has defined for itself or that a regulatory agency has specified. These may include: internal policies such as which user roles may have a specified software title installed; or statutory requirements regarding taxation of software used in a particular country; or legal restrictions on data collection regarding software usage (as with the European Works Council Directive). Some of the other external regulatory requirements include:
o US related: Sarbanes-Oxley (SOX); Health Insurance Portability and Accountability Act (HIPAA); Electronic Records and Electronic Submissions CFR 21 part 11; Financial Modernization Act of 1999 (GLBA); Federal Desktop Core Configuration (FDCC); and US Presidential Executive Order 13103.
o Non-US related: Deutsche Corporate Governance Kodex (DCGK) (Germany); Corporate Law Economic Reform Program Act 2004 (CLERP9) (Australia); Loi sur la Sécurité Financière (France); The King Reports on Corporate Governance (South Africa); and Clause 49 of the Listing Agreement to the Indian Stock Exchange (India).
In addition to IT, it commonly affects security, finance, internal audit, business units, end-users, and especially senior management.
- Mergers, Acquisitions and Divestitures – relates to understanding not only what software assets are being used by the affected activities, but also how those software assets are being used and what software assets are actually owned. Usually these software assets constitute a large value component in these activities, but if they are not properly transferred, the receiving organizations will not actually receive that value. Worst is that the gaining organization may be held liable for any license compliance issues that arise. In addition to IT, it commonly affects business units, finance and especially senior management.
- Outsourcing – relates to an organization’s decision to outsource some or all of a particular function. While it is common for organizations to outsource, it is also common for the organization to not fully understand the challenges outsourcing presents, especially related to software and regulatory compliance. Examples include: is the outsourcer authorized to use the organization’s software or which data can outsources have access to? Then there are issues of accountability and liability related to outsourcing. Usually it is the organization that does the outsourcing and not the actually outsourcer that is accountable and liable for wrong doing or violations of licenses or regulatory requirements. In addition to IT, it commonly affects security, business units, end-users, human resources and senior management.
From the functions listed above, it is easy to see that SAM is not just an IT issue, but something that affects the whole organization. Unfortunately it seems that we in SAM have not been very successful at communicating this to the rest of the organization and we need to change that.
That change starts with communicating with the multitude of stakeholders throughout the organization and understanding what benefits they would like to see that SAM can provide. One thing all organizations need, but most lack, is the ability to have a quick and accurate software inventory. This is something that SAM can provide, but as we know, it is easier said than done mainly because of the inconsistencies between the multiple discovery tools we use. By designating a single source of truth for software inventories and having standardized reporting from the various discovery tools, the inconsistencies can be reduce and even eliminated. This article does not go into the different methods for accomplishing this, but only points out that it is a key way that SAM can provide value to the organization.
While we in IT may understand that SAM affects more than just IT, we must also be able to communicate the value of SAM to the other stakeholders throughout the organization. Organizations that ingrain and integrate SAM throughout the entire organization are better able to recognize and benefit from SAM. So remember, SAM – it’s not just for IT anymore.