The measure of a Software Asset Management (SAM) program’s maturity is founded in the understanding of how well one’s organization performs the foundational building blocks for Software Asset Management. ISO/IEC 19770-1:2012, “Information Technology — Software Asset Management, Part 1: Processes and Tiered Assessment of Conformance” (ISO 19770) provides the industry with an international standard for leading practices and assessing one’s SAM maturity tier. ISO 19770 categorizes all of the foundational building blocks of a SAM program into three primary and associated secondary components:
- Organizational management processes for SAM
  - Control environment for SAM
  - Planning and implementation processes for SAM
- Core SAM processes
  - Inventory processes for SAM
  - Verification and compliance processes for SAM
  - Operations management processes and interfaces for SAM
- Primary process interfaces for SAM
  - Life cycle process interfaces for SAM
One’s SAM program maturity is measured against the achievement of the individual building blocks that support each of the various secondary categories. ISO 19770 sets forth which best practices need to be achieved and measured against to determine which SAM maturity tier characterizes one’s SAM program. These same building blocks may be used, where applicable, to measure and assess one’s hardware asset management (HAM) program.
The following diagram is a composite view of how the building blocks are distributed across the SAM maturity tiers.
Each of these SAM maturity building blocks brings a different focus and function to the SAM process. The maturity tiers build upon each other, as each building block is advanced in capability and functionality. The premise for moving from one tier to the next is to ensure that all of the foundational building blocks for the tier are met before moving to the next tier.
Skipping one or more of the building blocks when moving to the next tier affects the ability to maximize the benefit of the SAM processes from those skipped functions. The reason to embrace the ISO 19770 building blocks is not “certification” but to facilitate the true value of your SAM program. The standard provides your organization with a road map of what to focus on along your SAM journey.
The real challenge that is in front of all organizations is how they embrace and execute on their maturity journey. Each step toward the progression from one tier to another brings a different set of challenges and the need for advancements in people, processes and technologies. When you look closely at the required building blocks to achieve Tier 3 and Tier 4, you realize that the journey to SAM maturity becomes more about an IT organization’s digital journey.
When you look closely at the foundational building blocks for Tier 3 and Tier 4 SAM maturity, the following key words appear in many of them:
- Automation or automated
- Real-time monitoring
- Security compliance and management
These words are “disruptive” terms for most SAM organizations. It is important to note that, many times, these words are taken to be about SAM tools, rather than about changing the way we would traditionally look at SAM processes and procedures.
With a change in perspective and embracing one’s digital journey for their IT organization, these terms become the foundational building blocks for the digitization of the SAM program, which will drive the advancement of the SAM maturity program. Therefore, a firm’s willingness to embrace disruptive technology solutions that enable the digital journey will, in fact, advance one’s SAM program maturity.
By embracing the idea of a SAM program’s digital journey, we are able to expand the aperture through which we view technology solutions in support of SAM, and we are then able to leverage the advancements in robotic process automation (RPA) and cybersecurity technologies to enhance our SAM maturity journey. Since ISO 19770 was introduced in 2012, technology advancements allow us to take a different approach to how an organization could advance from Tier 2 to Tier 3 or from Tier 3 to Tier 4.
When focusing on the “automated” and “real-time” disruptive terms, you begin to realize that each SAM program will be challenged to achieve these building blocks with how they perform their functions today. These terms imply speed, accuracy and responsiveness that go beyond the traditional manual processes that many, if not all, SAM programs have today.
These terms aren’t only about bringing SAM applications into use, but are meant to drive out manual repeatable processes that are in place today. By focusing on these processes, we are able to reduce potential errors, as well as increase accuracy and the speed to process the data.
RPA is the first approach to embracing and beginning the disruptive digital journey through the use of a software “robot” (i.e., a program) that is designed to replicate the actions of a human being interacting with the user interface of a computer system. RPA can provide advanced solutions to eliminate manual work, especially if used with other complementary technologies, such as SAM license management applications and software discovery technologies.
When driving the automation within one’s SAM program, the true benefits of RPA may be achieved by integrating software bots with these SAM technologies to significantly reduce manual work. The RPA components perform work as if they were a “virtual employee” performing repetitive tasks at the UI level in an unattended, reliable fashion. Removing the human factor from these repetitive manual tasks associated with the interaction of two systems allows for more accurate data and faster processing to support near real-time monitoring and reporting.
Leveraging RPA to remove the repetitive activities from their daily tasks will enable the SAM team members to focus on the critical business functions required from the SAM program. The team will now be able to focus on the business metrics, contract management, cost elimination and product standardization activities.
Cybersecurity is the second approach to embracing the disruptive digital journey through the integration and synchronization of IT security and IT asset management teams. Today, rather than working together to leverage the information that is available within the Information Technology Asset Management (ITAM) database, the IT Security team tends to operate independently of the ITAM team.
Given the potential regulatory implications of security breaches and the risk to a firm’s reputation in the industry, security breaches receive tremendous focus at the board level. Firms are making major investments in the area of identity management to ensure that those who are accessing their systems and data are, in fact, who they claim to be. Unfortunately, there isn’t a tremendous amount of investment being made in the linkages in people, process and technology for the IT security team to connect to the ITAM team.
According to ISO 19770, to be able to advance to Tier 3 and Tier 4 SAM maturity, there are two foundational building blocks that are tied to security:
- Software asset security compliance (Tier 3)
- Security management process linked to ITAM process (Tier 4)
Therefore, the current state of integration between IT security and ITAM must change. The key to this shift is to educate the IT security team on the value of the information that resides within ITAM. When functioning properly and driving value to the business, the ITAM team has data points including, but not limited to, the following:
- Hardware IP address
- Hardware location
- Hardware make and model
- Software and its version installed on the hardware device
- Security Software and its version installed on the device
- Applications installed on the hardware device
- Who is authorized to access the applications
- Databases accessed by the applications on the hardware device
These data points, along with all the other data captured in the ITAM database, can provide invaluable insights to the IT security team by providing them critical data input to the IT security building blocks that will support the Security team in proactively addressing the following:
- Any risk or exposure associated with outdated antivirus or anti-malware software versions
- Pinpointing applications that are impacted by a breach
- Documenting which application users may have been impacted by the breach or introduced the security threat into the environment
- Detailing what databases may have been corrupted or attacked due to a breach
- Adherence to regulatory requirements by being able to document what the potential data exposure may have been, based on the breach
These linkages between ITAM and IT security effectively change the way security can be managed. They enable the security team to have a quicker, more proactive impact in the case of a breach: by quickly homing in on what infrastructure and data have been impacted, the team can limit the exposure and thus reduce the potential ramifications of the breach to the business.
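The following added example, which is not from the original article or from any ITAM product, shows how the data points listed above can answer two of those questions: which devices run outdated or missing security software, and which applications, users and databases are tied to a compromised host. The record layout, field names, product name and inventory values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:  # one ITAM record; field names are assumptions for this example
    ip: str
    location: str
    model: str
    security_software: dict  # product -> installed version
    applications: dict       # app -> {"users": [...], "databases": [...]}

# Constructed sample inventory (not real data).
INVENTORY = [
    Asset("10.0.1.15", "NYC-DC1", "Dell R740", {"ExampleAV": "7.2.1"},
          {"payroll": {"users": ["alice", "bob"], "databases": ["hr_db"]}}),
    Asset("10.0.1.22", "NYC-DC1", "Dell R740", {"ExampleAV": "7.10.0"},
          {"crm": {"users": ["carol"], "databases": ["sales_db"]},
           "billing": {"users": ["bob"], "databases": ["sales_db", "fin_db"]}}),
    Asset("10.0.2.8", "LON-DC2", "HP DL380", {},
          {"wiki": {"users": ["dave"], "databases": []}}),
]

def _ver(text):
    # Compare numerically so that 7.10.0 sorts above 7.9.0.
    return tuple(int(part) for part in text.split("."))

def outdated_security_software(inventory, product, minimum):
    """Assets whose installed version of `product` is below `minimum`, or missing."""
    findings = []
    for asset in inventory:
        installed = asset.security_software.get(product)
        if installed is None or _ver(installed) < _ver(minimum):
            findings.append((asset.ip, installed))
    return findings

def breach_scope(inventory, compromised_ips):
    """Locations, applications, users and databases tied to the compromised hosts."""
    scope = {"locations": set(), "applications": set(), "users": set(), "databases": set()}
    for asset in inventory:
        if asset.ip not in compromised_ips:
            continue
        scope["locations"].add(asset.location)
        for app, detail in asset.applications.items():
            scope["applications"].add(app)
            scope["users"].update(detail["users"])
            scope["databases"].update(detail["databases"])
    return {key: sorted(values) for key, values in scope.items()}
```

A device with no security software recorded is reported with `None` as its installed version, so gaps in coverage surface alongside outdated versions.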
Once again, it is about changing one’s aperture in addressing and solving a potential business problem by using a completely different lens, i.e., the role of ITAM in IT security breaches.
In the end, the issue facing ITAM organizations across the globe is when and how they will embrace the “digital journey” as they mature their programs. This digital journey is required to achieve Tier 3 and Tier 4 maturity. By thinking about how they can leverage RPA to eliminate manual repetitive processes and connect into their cybersecurity programs, these digitally enabled ITAM programs can bring greater value and insights to the business beyond license counts and contract renewals.
The future is about real-time automation and security. Are you ready to embrace your “digital journey”?