As a consulting leader in the SAM space, it is great to get exposure to so many different verticals, people and situations that allow you to expand, learn and grow. It has been refreshing to see how many different people are maturing their SAM practices through creative processes and leveraging emerging technologies to provide maximum value and ROI. In the end, it’s all about the protection of your company from security exposure and financial risks.
Companies cover the spectrum when it comes to managing their assets. Some have chosen to take proactive mitigation steps and, surprisingly, many larger organizations have chosen to ignore their assets and deal with the consequences if/when an event occurs. I have personally found that many of the larger companies (including Fortune 500) that I’ve worked with simply don’t maintain a program that protects their assets appropriately. It is often shocking to see how immature many larger organizations really are!
What’s your level of Maturity?
Measuring maturity requires a general understanding of what the levels are and where your company needs/wants to be. In short, you’re either Reactive or Proactive.
Reactive programs typically provide a point-in-time, best-guess snapshot of a company’s assets and current license positions. Often completed in a hurried state for immediate initiatives such as a publisher audit or upcoming renewal, reactive programs are often unreliable or incomplete.
Basic SAM – Basic SAM programs are delivered on an ad hoc basis and are often composed of discovery and license data that comes from the minds of product owners and is not managed or maintained. There are no implemented policies, procedures or mechanisms for ensuring the ongoing capture and accuracy of information.
Standardized SAM – Standardized SAM programs are implemented when companies “kind of/sort of” implement SAM and make an initial attempt at formalizing a program, but there is no follow-up or real sponsorship. Discovery and licensing data is kept in spreadsheets or other repositories that are not maintained, and the data becomes stale quickly.
Proactive SAM programs have a high level of executive sponsorship and take advantage of formalized SAM processes to provide near real-time access to data. The data is reliable and enables the business to make informed decisions to reduce security and financial risks.
Rationalized SAM – Rationalized SAM programs have sponsorship from the organization and have implemented, adopted and enforced visions, policies and procedures. A software lifecycle process is maintained and best in breed tools are used for discovery, entitlement management and license positions.
Dynamic SAM – Dynamic SAM builds upon Rationalized SAM to fully optimize the lifecycle of software asset management. Tools play an integral part in Dynamic SAM and provide direct integration of SAM processes into a company’s ITSM functions to automate features such as reclamation, service desk requests, provisioning, procurement, blacklisting and contract management.
Next Steps to Maturity
Now that you’ve identified where your maturity stands, it’s time to act. To start taking steps towards maturity, you must first determine where the organization desires to be and align that with the current state.
Complete an Assessment & Roadmap – An assessment exercise will help to work through alignment to identify gaps and to begin to outline a roadmap to get to the desired future state. During this analysis, you should review your approach towards managing the entire software lifecycle and where your current people, processes, and tools (or lack thereof) align to best practices.
Make it Appealing – One of the primary steps towards advancing the effort is to gain executive buy-in, so that leadership understands the value in SAM and supports an action plan. Determine what influences can help to drive a mind shift towards implementing a SAM program. In many cases, security and financial risks are key influencers. Your assessment should help set the tone and sense of urgency towards your cause.
Achieve Iterative Goals – Your roadmap shouldn’t assume that you will hit all the goals of an effective SAM program in a big-bang approach. You must have smaller, short-term, incremental goals defined that will show the most value in the shortest time frame. Select higher risk items, such as higher-cost or higher audit risk publishers, first to show immediate value to the company and your executive sponsors. Also, it’s typically better to deliver with incremental costs that can be budgeted towards smaller, incremental projects vs. the sticker shock of a huge SAM initiative that may be shot down.
Be Patient – Remember, Rome wasn’t built in a day and neither will your SAM program be. Continue to build off each of your smaller projects and watch your SAM program grow and mature along the way. It can seem overwhelming at times, but it is a journey. Celebrate each win as your program evolves!