Software Asset Management (SAM) Is Not A Compliance Report
Since its inception in ITIL v3, the purpose of SAM has always been the process and governance of the management of software. Within the ITIL documentation, this is the management and control of SAM throughout the software lifecycle, from requirement to retirement.
What has transpired over the past decade is a shift in focus from process and governance to compliance reporting.
This is mainly because the soft benefits of process improvements are less immediately impactful than the hard benefits of compliance risk and optimisation.
That is to say, clearly reporting a compliance shortfall or risk to a customer is much more likely to get the desired impact and response than a process improvement.
As such, the vast majority of customers now look to jump to the compliance report before assessing process, policies and governance structures in place.
Whilst these services are extremely valuable and allow organisations to manage and mitigate risks more effectively than they would have without them, this is software licence management and not software asset management.
If we recall that the initial premise of SAM was focussed on process, any ‘SAM’ service you are delivering (either internally or outsourced) that doesn’t review processes isn’t SAM.
Furthermore, a lot has been written recently taking an alternative view on the value of an effective licence position (‘ELP’), aka a compliance report. Whilst I think there is still value in the ELP, it must be contextually referenced across an organisation’s requirements and not just a standalone report.
What’s Changed or Changing?
As noted above, an ELP / compliance report doesn’t offer value to customers as a standalone report. It notes risks, issues, threats and opportunities, but the report is always out of date. This is because a huge amount of time and effort is expended on producing the report, and it is a point-in-time review.
Whilst the benefits of risk mitigation and optimisation remain the value-add services, the source of an issue still lies within the processes that underpin an organisation’s software management.
As an example, an ELP may identify a risk of £20k that resides within Microsoft software. If an outlay of £20k were agreed to correct this non-compliance through an out-of-audit settlement, this would be viewed as a potential cost avoidance, as some of the audit penalties could be significantly higher. If no process assessment were conducted, the organisation could be in the same compliance risk situation again in 6-12 months, and as such the value of this report will soon be eroded.
Using the output, mapping it across processes to identify gaps, and then fixing those gaps will address the initial challenge and allow an improvement plan to be created and implemented.
What Value in SAM?
SAM is now increasingly being integrated across IT reporting and the associated ITSM, IT Ops, Security and HR functions, as a lot of the data captured through SAM is the same data that is needed to run Change, Problem, Event, Configuration, Demand and Incident Management. There are also critical data sources that can augment visibility of IS risks, such as patching reporting to help avert wide-scale malicious attacks such as WannaCry and Petya. It has recently been disclosed by an MP that the WannaCry issue cost the NHS £180,000 in introducing emergency measures, although this doesn’t include individual trusts and other NHS organisations.
So by ensuring processes are mature and optimised across the wider stakeholders of an organisation, the following can be achieved:
- Manage and control the software estate
- Create logical links to expand SAM into ITAM, giving a single pane of glass for all asset management
- Manage and mitigate risks in compliance, security and other vulnerabilities
- Ensure that integration is optimised to enable issues across ITSM functions to be remedied through SAM intelligence (e.g. consistent failure of assets linked to end of support dates)
- Avoid duplication of data, technologies and effort
How Can SCC Help?
SCC have developed a set of services to enable the following key stakeholders to be aligned to ensure that effective SAM / ITAM can be delivered to your business.
This allows a closer relationship between how IT assets are being used and the impact of change, which can then benefit your business.
Contact SCC today: [email protected] to ask about our SAM Maturity Assessment offerings that will assist in generating a roadmap to enhance and optimise your software investments across their lifecycle.