Beyond Compliance – SAM and the CIO Agenda

By Jan Hachenberger

What’s on the CIO agenda?

The agenda of CIOs is packed with requirements to make a company’s IT more reliable and available, more elastic and scalable and, not to be forgotten, more efficient; all in all, more business-oriented and demand-driven. Their company’s future may be at stake! And with new disruptive technologies, products, services and business models being introduced at ever shorter intervals, the time available to make all this happen is also getting very short.

CIOs need to embrace change. They need to redefine the IT core and take charge of their organization’s response now to secure long-term business success.

Understanding the impact that the aforementioned developments will have on a company’s products, services and business model must of course be the number one priority for CIOs. Based on solid facts and figures, they then need to develop a digital business strategy, acquire the necessary skills, and get the organization to buy into the required changes. All this should be easy, or is it?

According to a KPMG study dating back to 2014, the “… majority of CIOs (58 percent) and almost half of the CEOs (43 percent) are involved or very involved in their firm’s digital business strategy, but only a small number are actively leading the effort. This low rate of leadership is troubling. Given the magnitude of the impact that digital disruption is likely to have and the significant organizational change effort required for transformation, the absence of strong executive leadership is likely to present a greater risk to success.” (Digital disruption – dive in to thrive. Key findings from KPMG’s CIO Advisory Survey, 2014)

What are CIOs waiting for?

Two years have passed since KPMG conducted the aforementioned study, and the question that needs to be answered is: “Have CIOs managed the change?” If I were asked, my answer wouldn’t be a “yes”, but a “no” sounds pretty negative. I would also say the challenge is still on.

Whenever I talk to CIOs about their long-term agenda it becomes obvious that:

  • CIOs firefight problems, e.g. IT incidents, cyberattacks, low performance of IT service providers, and all of this on a day-to-day basis. They don’t have enough time for strategic thinking.
  • CIOs struggle with IT legacy which in a few words is “IT first, business later.” IT is not seen as a business supporter, neither by the company’s management, nor by IT users. And due to the ever faster changing business requirements the gap between business and IT is getting bigger and bigger.
  • CIOs can’t rely on support from or the innovativeness of their own IT organization. The “good old experts”, i.e. IT admins with a focus on specific technology, lack the necessary skills to deal with new technologies, nor do they speak business or consider themselves service managers.
  • To choose technology trends to follow (IT innovation agenda) or technologies to retire, necessary skills to build up or to hire, or to make fundamental decisions like a target operating model for IT coupled with a sound sourcing strategy, CIOs – most of all – look for reliable information regarding the current state of their IT but can’t find it.

Where is help?

Ok, full stop! Saying that there is no information available for CIOs seems far-fetched. One could comment on the last statement and say “The information is there, but it has not yet been discovered or thoroughly analyzed.” But even that would be a half-truth. Over the last few years companies have been audited by software publishers on their license compliance. Most audits revealed license gaps which in the end – stipulated by regulatory requirements and new industry standards, e.g. ISO/IEC 19770 – led to the implementation of what is called “Software Asset Management” or “SAM”.

SAM by definition is “a business practice that involves managing and optimizing the purchase, deployment, maintenance, utilization, and disposal of software applications within an organization.” Sadly enough that business practice often serves only one purpose: Compliance! SAM collects and maintains a pool of information which then is analyzed, aggregated and documented in a table called “Baseline” or “Effective License Position”. And all the raw data, the information behind the management summary of missing software licenses or a license surplus, is kept in a series of black boxes, e.g. a SAM tool, discovery and metering tool or configuration management tool, sometimes just a collection of Excel files or simple notes.

What can SAM do for CIOs?

If CIOs looked into those black boxes, they would find treasure: valuable information they can put to good use, e.g. information on

Hardware (per device)

  • Serial number (ID)
  • Manufacturer Model
  • CPU
  • Purchase date
  • Purchase price
  • Status
  • IP address
  • Last user

Software (per deployment)

  • Publisher
  • Product
  • Version
  • Edition
  • Deployment date
  • Authorized User
  • Last user


  • Country
  • Legal entity
  • Address
  • Room
  • Department (Cost Center)
  • Relationships
  • Domains
  • Datacenters
  • Clusters
  • Hosts
  • Guests

License agreement (per agreement)

  • Agreement number
  • Contracting parties
  • Participating (third) parties
  • Reseller
  • Start date
  • End date
  • Reporting process
  • Audit process
  • Warranties
  • Confidentiality

License (per license)

  • Publisher
  • SKU
  • Product
  • Version
  • Edition
  • Quantity
  • License metric
  • Use rights
  • Transitions
  • Purchase date
  • Purchase price

User (per user)

  • ID
  • Name
  • Email
  • Department (Cost Center)
  • Type
  • Security group membership
  • Role(s)
  • Active start date
  • Active end date
  • Last logon
  • Last access
  • Last use

Do you recall the conversation between Aladdin and the merchant in Disney’s Aladdin? The merchant says: “Do not be fooled by its commonplace appearance. Like so many things, it is not what is outside, but what is inside that counts. This is no ordinary lamp [… or SAM black box, editor’s note]!” Somehow it’s the same situation with license managers who try to sell their insights to the CIO, insights such as:

  • Business requirements
  • Shopping cart utilization
  • Special demand
  • Demand timing
  • Deviations from standard processes
  • Escalations
  • Asset status
  • Price history
  • Asset value
  • Asset distribution
  • Asset heterogeneity (standards)
  • Asset utilization
  • Support and maintenance
  • Total cost of ownership
  • Known vulnerabilities
  • License status
  • Price history
  • License value
  • Support and maintenance
  • Incompliance and root causes
  • Shelfware and root causes
  • Life cycle status
  • Expected upgrade date
  • End of support date
  • Expected retirement date
  • Licensing options
  • Reseller
  • Agreements
  • Products
  • Metrics
  • Process requirements
  • Toolbased data collection and analytics
  • Manual data collection and analytics
  • FTEs
  • Required competencies

With the information – or better, intelligence – provided by SAM, CIOs will find solutions for some of their challenges, though not necessarily in a direct way: sometimes SAM will only open a door or show a way. CIOs still have to walk the walk. Despite the limitations, SAM will help in the following areas:


  • Increased license complexity means greater instability and uncertainty regarding compliance.
  • Understand the cost of compliance and the risks of being found out of compliance.
  • Take a strategic decision on the level of compliance to be ensured and the cost of risk you may take.


  • Develop a better understanding of how your business is using software and maintenance offerings to better predict overall software cost and asset values.
  • Achieve or increase ROI of your software assets.
  • Flexible, simplified license agreements are a prerequisite to adjust license inventory to your actual software requirements. Review your agreements on a regular basis.
  • Make sure license price reflects the value of software as part of a broader solution.


  • Software licensing conditions are constantly changing and becoming increasingly complex (technology dynamics).
  • The complexity increases when companies act as license consumer as well as IT service provider in an international context.
  • Understand your business demand and its dynamics and understand the license scheme of vendors. Find the best fit.
  • Define your license strategy in line with the business strategy. Anticipate technological innovations or other relevant changes, e.g. M&A.


  • SAM helps to identify business critical software, IT services and solutions.
  • Use SAM insights to derive an IT sourcing strategy for your company.
  • Knowing which software is relevant to ensure business continuity and performance helps to determine strategic software vendors and to develop the vendor relationship accordingly.
  • Monitoring IT performance is key to manage SLAs with your internal IT service department or external service providers and to align IT with business strategy.

In short: SAM can do more. Implementing SAM, not just as another control method for compliance but rather as a strategic management function, will create benefits for companies and CIOs in particular. Compliance is always associated with risk reduction, i.e. cost avoidance. With Strategic SAM the business case of SAM focusses on actual cost reduction, higher transparency, and solid information as a foundation for profound decisions, decisions that CIOs have to make in the development and execution of a digital business strategy.

About the Author

Jan Hachenberger is Partner at ConSalt Unternehmensberatung GmbH