Modern corporate computing environments are constantly changing, threatening to leave ITAM teams behind if they are not ever-vigilant as to what assets are incoming, moving around, and ultimately outgoing. Any hint, clue, tell, or warning that changes are afoot would be welcomed with open arms. The best most ITAM professionals can hope for is an understanding project manager who invites them to the stakeholder’s meeting, or a mindful service manager who submits timely work orders.
However, there is a group within most medium-to-large businesses that has a two week (sometimes four!) preview into what changes are coming down the pike: Human Resources. This article will describe how an HR-ITAM partnership would positively affect ITAM hardware asset tracking, software license reclamation, and improve the overall end-user experience.
_The Joiner-Mover-Leaver Cycle_
Just like all hardware and software assets follow the asset lifecycle, so to do human resource assets (read: employees). There are three states, described below:
Joiners are net-new employees, and are first known to HR when they receive a candidate’s acceptance letter. But that belies all the other information HR has a gathered about the Joiner, even before the candidate is identified. Useful information like, where the job is located, what department it is part of, who the reporting manager is, the joiner’s start date, etc. Even better, modern HR management systems will codify these details into a rating system, which will reveal common details across different job functions. For example, all management positions at a certain location might require VPN access for disaster recovery purposes will have the same coding for “manager,” “location,” and “essential employee”. Or perhaps all the senior members of the project management office at headquarters will need a Project 365 subscription would all have the same coding for “location,” “department,” and “title”.
The trouble is, few IT organizations pull HR job coding information into their CMDB/Asset MDR, and tie it to hardware and software profiles. Typically, it is up to the hiring manager to swivel-seat this information into an onboarding request within the ITSM Service Catalog. And if the manager forgets or is away for a time, there is a real chance the Joiner will arrive onsite, on their start date, but without any of the expected tools and assets in order to do their jobs.
Leavers are , in short, merely the opposite of Joiners. Some employees dream of walking out like the hero of a certain Johnny Paycheck song, but very few just unceremoniously up and quit. Typically, Leavers give their managers a notice of some sort (in North America, decorum insists on two weeks notice) who then informs HR. Then again, just as with the Joiners, most ITSM service catalogs expect the manager to also make a decommission request to retrieve hardware, suspend system access, and archive user data for legal hold purposes. And what of, shall we say, unwilling departures? For divestitures, layoffs, and firings, these decisions do not happen in a vacuum and every good HR system will have a date stamp for the event. HR can still keep the details of the unfortunate events close to their chest, and an automated system can still notify ITAM at the desired time.
“Movers” are just that, those employees working their way up (sometimes down) the corporate ladder. The trick to handling Movers is to remember they are simultaneously leaving one role and joining another. The HR department simply kicks off their Joiner and Leaver processes at the same time. And so could ITAM.
The question, however, is why? Consider that the end-user is staying within the company, what does having a Mover process gain ITAM? First, IT Security best business practices require users to only have access to the critical data their job requires. When an end-user moves to a new role, the data requirements might also change, and best to swap the entire desktop or laptop for a fresh image to ensure any locally saved personally identifiable information (PII), protected health information (PHI), and/or personal financial information (PFI) is protected. Second, this is a good opportunity to engage the Mover and catch unknown or unidentified resources that might not appear on discovery scans. Shadow IT is a particular bugaboo of modern ITAM teams, especially from X-as-a-Service (XaaS) tooling that leaves no more of a footprint than an external webpage and a login account. A little detective work during a Mover event and ITAM can better help enforce corporate policy, data security, and their own knowledge surrounding subscription assets.
_How JML Changes ITAM Processes_
What benefits, then, can a IT Department expect when HR and ITAM work together? Here are a few of the most important:
1) It gives the IT Department more time to succeed by removing process bottlenecks. Anytime someone is tasked to swivel-seat information from one system (HR) to another (Service Catalog) risks friction and delay. Furthermore, waiting for the hiring manager to file a work order adds nothing — no new information, no new data attributes — that HR doesn’t already know. Plus, since HR also has most of this data codified, automation should be a simple affair within modern HR and ITSM tools.
2) It saves money by moving assets through the asset lifecycle more efficiently. One of ITAM’s primary functions is to improve the total cost of ownership (TCO) of hardware and software assets. The sooner unneeded assets can be returned to service will increase their usefulness and improve the TCO outcome. It also lessens the likelihood of a forgetful or distracted manager from forgetting to kickoff the recovery process and leaving the hardware to atrophy in a desk drawer or supply closet. And do not forget, any asset returned to service is an asset not purchased anew. Finally, on the subject of purchased assets, a two week lead-time can allow the ITAM purchaser to take better advantage of hardware vendors and software publishers purchasing incentives and bulk-order price breaks.
3) It saves money by freeing up managers to do their thing. Hiring and firing managers add nothing to the process of adding or removing end-users, hardware, and software to the environment. So if HR’s JML processes automatically inform and kickoff ITAM’s deployment and/or recovery processes, managers can spend the rest of that time doing more relevant and productive tasks. And that is a direct and measurable benefit the HR-ITAM partnership can provide to the business as a whole.
4) It improves the IT Department’s reputation with the end-user community. “You never get a second chance to make a good first impression,” as the old saying goes. Having all the new employee’s equipment, workspace, login accounts, etc., ready to go when they arrive on the first day sets a good tone for the relationship. Also consider the advent of remote learning and online training; new employees are expected to be productive from the get-go and would have great difficulty if their workstations were not ready when they are.
_If HR Balks, Ask IT Security_
Not all Human Resources departments are keen on sharing data, and rightfully so. They possess a growing amount of sensitive and private data about our coworkers that has the potential to be abused. What can an enterprising ITAM professional do when faced with an HR department that doesn’t want to help automate Joiner-Mover-Leaver processes? The question then, is, who can act in lieu of the HR department: a group who, by the very nature of their work, must be good stewards of PII, PHI, and PFI?
IT Security, especially the Identity and Access Management group (IAM), fit the bill. IAM is the group tasked to create, track, and manage the various user accounts within medium to large organizations. But because they are part of the IT Security group, they are held to the same (if not higher) data protection standards as HR. IAM can liaise between HR and ITAM, retrieving the data attributes ITAM needs to respond to JML activities while ensuring the rest of the HR information stays with HR.
As cross-tower partnerships go, having Human Resources engage directly with IT Asset Management makes the most sense. Thanks to the concept of Joiner-Mover-Leaver, HR can provide ITAM a full two-week preview of what to expect for new hardware and software deployments, retrievals, and opportunities to reign in Shadow IT expenditures. And should the HR department raise concerns about how much employee data is shared, the Identity and Access Management (IAM) team can step in and ensure best business practices surrounding PII, PHI, and PFI are followed.