Managing software isn’t sexy. In a world where CIOs and other IT leaders are fixated on digital transformation, moving to the cloud, data center consolidation, and other pressing priorities, the tasks of software forecasting, licensing and procuring, provisioning, tracking, updating, and patching can seem mundane and easy to ignore. It’s sort of like the plumbing behind the walls in your building.
But just like plumbing, software is as essential as it is hidden -- running throughout the enterprise and supporting business operations and assets. The fact is, software itself is a very valuable asset. And the practice of software asset management (SAM), which includes modifying the purchase, licensing, deployment, and use of software, can bring a host of long-term benefits, including cost savings and protection against financial and legal risks.
SAM can also strengthen the larger firmament of IT asset management and IT service management in the organization: From an IT asset management standpoint, the underlying data gathered via SAM can be used to populate and corroborate a configuration management database (CMDB); and it can be used to enhance IT service management effectiveness by providing deeper validated data about what software is running on which systems.
So why aren’t more companies actively focused on SAM? According to a recent survey, 74% of IT leaders said they don’t have a formal SAM function, and 83% don’t view it as a strategic initiative. Let’s take a closer look at some of the reasons why SAM doesn’t typically get short-listed as an IT priority, and in an era when software is increasingly pivotal to operations, cybersecurity, and cost savings -- why it probably should.
Barriers to SAM awareness
SAM can be a driver of return on investment that can reap cost savings on licensing alone. In software asset assessments performed by Deloitte, many companies had unrealized cost savings totaling 25% of their annual maintenance spend. So, what is keeping most IT executives from putting SAM into action?
One reason is likely that poorly optimized software utilization tends to raise eyebrows, but not full-scale alarms, in the organization. It causes some pain, but not enough to take radical action. Software deployed in the absence of a good SAM function, for instance, can lead to paying for software nobody’s using, redundant software purchases, and extra licensing fees from over deployment. But such problems are typically met with a reactive, isolated response. If a software vendor audit uncovers more usage than licenses, an IT manager is more likely to negotiate an agreement to pay for the over usage, and in lieu of fines or fees, buy additional software from the vendor (which is often not needed). This practice perpetuates the problem and fails to dig into solving the underlying issues causing excess usage.
SAM can also fall between the cracks when there’s a disconnect within an organization's business units and its sourcing or procurement functions. Imagine the purchase of software tied to some upcoming project slated for the next fiscal year. Few organizations have adequate follow-through mechanisms to go back to sourcing or procurement to update them if that project gets delayed, changed, or canceled. The result is unused “shelfware” that cuts into the bottom line — especially given that, in Deloitte’s experience, annual maintenance is usually between 18% and 21% of software’s costs.
Raising the stakes on software security
Unfortunately, the cost of doing nothing about SAM is rising -- beyond the level of nuisance and into the realm of the critically important. The reason is that a newly connected and complex digital ecosystem is creating new security risks around software that make it vulnerable to cyberattacks. By some estimates, fewer than one in five companies are free of software vulnerabilities that external cyber attackers could use to gain access to their IT systems.
Simply put, you can’t secure software in your environment that you don’t know about. Ignoring the tracking and management of software means ignoring a big piece of your security picture. Consider the case of WannaCry. The worst part of this 2017 ransomware attack was how preventable it was. As WannaCry hit, a patch for the operating system software vulnerability it exploited was available. Those who applied the patch were largely protected, but those who did not were hit hard.
Poor SAM is a lost opportunity for IT security insights. It’s a lack of visibility into threats and vulnerabilities that would be more apparent if the software landscape were better understood.
Choices in implementing SAM
Even those organizations with a newfound appreciation for SAM face a big choice on implementation: whether to go it alone or find an advisor who specializes in SAM. Unfortunately, as easy as it is to ignore SAM, it’s also very complex once you start paying attention to it. Working with a managed services provider offers several potential benefits. The provider can offer a disciplined approach, utilize leading SAM technology platforms, and can bring software license subject matter specialists so you don’t have to dig through contract and license terms to reconcile usage to entitlement. Most importantly, they can often provide predictable outcomes and trustworthy data to enable critical business decisions.
Software is not a regulated business like the energy sector, where there are standards and processes that govern the whole market. Instead, software is a skein of many different, vendor-specific licensing rules, processes, operating standards and other minutia. Things get massively complex very quickly; a large organization can have hundreds or thousands of software programs spread across many databases with all types of different licensing metrics.
Given the long and steep learning curve, many enterprises may opt for some form of managed services approach to SAM. That’s because doing SAM on your own can quickly become overwhelming — a full time job that, in our experience, few IT leaders may have the bandwidth to take on. As one CIO told me recently, “I don’t have a way to train my IT folks to do SAM. I don’t even have a career path for them.”
Hopefully by now, it’s clear that -- whether you’re inspired by the carrot of cost savings and efficiency, or the stick of flying blind on security without a good understanding of your software environment --investment in SAM is something nobody can afford to ignore. While highly regulated sectors and those involving operational technology or critical infrastructure add urgency to the need, SAM is something from which every industry -- and every company -- can benefit.
Dave Dawson is a principal in Deloitte’s Risk and Financial Advisory practice where he leads the US and Global delivery of Software Asset Management solutions to clients. He has more than 20 years’ experience in consulting services and business contractual relationships specific to the technology sector.