11th May 2009
Every organisation has an objective to develop ‘world-class’
products and services, creating more competitive offerings, while
driving down costs and increasing margins and
productivity.
However, in order to achieve this business goal, most
organisations aren’t following a comprehensive IT compliance programme, or focusing on managing
business risks more effectively to ensure continuity of business
processes.
The benefits of good Software Asset Management (SAM) practices
have been so widely documented that it is interesting there is
still this inertia in the market. Why is this?
It’s a risky business
Too often, organisations take inadequate licensing as a given,
and fail to prioritise good Software Asset Management as a
necessary business process. In doing so, they fail to realise that
being under-licensed can potentially cost them money, in terms of
fines and settlements from software publishers, and ultimately
affect their company’s reputation. All organisations should
view the lack of control of software assets as a risk to their
business, especially if they cannot quickly and easily demonstrate
the ‘rights to use’ for all software they are using.
The first step for any organisation embarking on a software
compliance or SAM programme is to undertake a review of their IT
infrastructure and processes so that they can gain a view on
vulnerabilities and areas of unmanaged risk. By identifying,
qualifying and prioritising business risk, these organisations are
then in a position to attach a level of exposure against this in
order for the business to take a view and decide what it wants to
address first.
For example, FAST customer Portsmouth City Council risked being
under-licensed in some areas and over-licensed in others before
joining the FAST Compliance Programme. This meant that
the council risked using software illegally, which could have
resulted in an uncapped fine and up to 10 years' imprisonment,
leaving the organisation vulnerable to unlimited fines as well as
damaging its well-established reputation. Together with FAST,
Portsmouth City Council put in place a 4-step software management
programme, not only to ensure it became compliant but also to ensure
it was future-proofed and could maintain compliance moving forward.
An ever-moving target
In FAST’s experience, software audits are not conducted
frequently enough - in fact there are many UK businesses that have
never carried out a full software audit. Because many
businesses fail to take SAM seriously, they rarely ever manage to
get on top of the problem, and those that do fail to put effective
processes in place to ensure that compliance becomes business as
usual.
Part of the reason software compliance is swept under the carpet
is that it can require a shift or change within the organisation.
Businesses rarely know what’s actually in their software estate
because they never make it a priority to find out. Every
organisation knows exactly how many company cars it owns, yet many
do not have an accurate picture of how many PCs or software
licences they have.
The job of monitoring software assets is often given to someone
in a junior position, who may not be aware of its importance. Or IT
is tasked with the responsibility, on the assumption that they have
the training and education needed to keep the risk of
non-compliance under control. FAST recently ran a survey and
found that 42% of respondents said they did not have sufficient
manpower to manage their IT assets effectively and 49% of
organisations said the responsibility for software compliance rests
with one individual. That’s a lot of responsibility!
Compliance is hotting up
FAST runs annual research with its customers and results
from the most recent 2007 Survey highlighted increased activity
around software compliance. Although software compliance is
not a new issue, the survey demonstrated that the pace of activity
was hotting up. Penalties are becoming more serious, with
potential imprisonment rather than just a slapped wrist. Alongside
this, the Government is stepping up activities with Trading
Standards to have more foot soldiers policing the
industry. Since 6th April 2007, Trading Standards have had a
duty to investigate copyright offences and this year the Government
announced an additional £5 million of funds to enable Trading
Standards to carry out investigations of copyright
offences. An increased criminal penalty for online copyright
offences, from 2 years to 10 years' imprisonment, and unlimited
fines are now in force. And there is also the potential of increased
damages payable if a company is sued for software misuse.
In the same survey, when asked why they had joined the FAST Compliance
Programme, nearly two thirds of the respondents stated
that they were concerned that their organisation needed to put in
place the correct policies and procedures to control their IT
environment. 21% of organisations surveyed wanted to send
out a strong message to employees that IT compliance is a serious
matter and others highlighted the need to be able to demonstrate an
accurate ALP (Actual Licence Position) to any software publisher
that requests such information.
The complexity of technology
Software used to be simple, one licence per computer - not any
longer. As an organisation’s use of software becomes more
diverse, the perceived need to have a greater number of more
complex licensing models will only expand.
Additionally, there are so many new ways to deliver software,
such as Software as a Service (SaaS), hosted or virtualisation
models, it is no wonder this is causing confusion for both vendors
and users alike. This is because neither contingent feels it
has enough information to venture into a model that breaks with
former licensing tradition and potentially introduces many unknown
components.
For example, in a virtual environment, the connection has been
broken between the footprint on the physical machine and what
software is running. Non-virtualised environments have
well-known methods and metrics for measuring the usage of software
licences. With software so critical to most companies'
operations, the burden of proof often rests with the customer, and
without accurate software usage metrics, which understand the
various virtualisation models, that proof can be elusive.
Enforcing policy
But while technology has its place, companies should never be
lulled into a false belief that they can buy a magic tool that will
solve all their problems without having to lift a finger - for
any SAM programme to be successful, it is vital that organisations
marry process with products. Careful planning and implementing
best practice policies and procedures are also
paramount. Amazingly, the number of illegal downloads from
peer-to-peer networks still outstrips legal ones by a ratio of 1 to
3. So once a company has defined its processes, it also needs
to ensure that these are enforced throughout the
organisation.
If you want to ensure that the liability for software misuse
remains with the employee, the business must define its
disciplinary process and be very clear that any individual found to
be breaking the rules is reprimanded. Many organisations do
not actively enforce their IT policies and then wonder why empty or
inconsistent threats fail to encourage behaviour
change. Additionally, policy and procedure reviews help in
keeping up to date with current legislation, regulation,
business and technology requirements.
For example, FAST customer Dacorum Borough Council did not have
any specific controls in place to govern the use of IT before
embarking on the FAST Compliance Programme and as a result
software procurement was very ad hoc. After FAST presented
to the Council's Chief Executive and corporate
management to raise awareness of the project, the importance of
having robust IT policies was brought to the forefront. To
address this, the Council constructed detailed IT policies and
procedures to establish clear guidelines on how IT equipment was to
be managed from procurement through its lifecycle to disposal.
Buy-in from the board
And finally, SAM can impact and/or improve so many areas of the
business; it’s not just about the software. Our advice to
customers is that they should ensure that SAM is a board level
issue. If SAM is merely perceived as yet another 'IT project',
convincing the board that investing time and money up front will
lead to significant savings and benefits down the road will be an
uphill battle.
Although software compliance should be one of the top priorities
on the board agenda, recent surveys indicate that it is only a
board-level issue for around one-third of UK organisations. If
companies want their SAM programme to succeed, it is imperative
that they attain senior management awareness and buy-in.
It should be noted that often the board is guilty of assuming
that IT management has all of the measures in place to control
licences. The reality is that more often than not they don’t -
because they simply aren’t aware of the potential implications or
they don’t have the skills and knowledge to deal with it.
Continuous improvement
The road to software compliance is a journey of continuous
improvement, a way of business life. Get it right and it will
deliver huge rewards. One lasting thought: compliance
can be likened to visiting the dentist. You can see your
dentist once every 5 years and end up in a lot of pain and with a
hefty bill, or you can make a conscious effort to change and put in
place a teeth hygiene programme with regular 6-monthly check-ups - the
choice is yours! Remember:
- There are two reasons why organisations should look to manage
their software assets: compliance and cash
- Vendor software audits are set to increase in 2008 and
onwards
- Licensing is becoming increasingly complex, as is
technology
- Penalties are becoming more serious with potential imprisonment
rather than just a slapped wrist
- Government is stepping up activities with Trading Standards to
have more foot soldiers policing the industry
- The first step for any organisation embarking on a SAM
programme is to undertake a review of their IT infrastructure and
processes so that they can gain a view on vulnerabilities and areas
of unmanaged risk
- Careful planning and implementing best practice policies and
procedures are paramount to the success of any SAM programme
- Organisations need to ensure that they have an ongoing SAM
strategy in place to manage compliance on a continual basis.