Yes SAM! But How to Implement?
In Part 1, it was demonstrated that Software Asset Management (SAM) offers plenty of advantages to organizations, ranging from minimizing the purchasing and maintenance cost of installed software to not exposing organizations to unnecessary security, legal and organizational risks. Of course, one wonders how Software Asset Management (SAM) can be implemented within your organization.
1. How to implement SAM
Implementation of a SAM framework
Creating a strong business case for a SAM implementation, especially in these turbulent economic times, is an important factor in turning SAM into a success story. With a tight hand on one’s purse and even shrinking IT budgets, organizations need to avoid all costs arising from non-compliance with software contracts or from holding onto installed, but unused, software.
However, implementing an effective SAM program is a complex process. The complicated license terms and conditions for installed software, virtualization, cloud computing, software as a service (SaaS) or the use of other IT-technologies do not make this easier. Due to the complexity, when implementing a SAM program, it is essential to receive full support from management and involve all relevant stakeholders from the start.
Preparation and planning
A number of things are essential for the successful planning and implementation of a SAM program. The main points that have to be dealt with are:
- Developing a business case in order to get the necessary support within the organization
- Performing a risk assessment to determine the priorities of the implementation of a SAM program
- Planning and managing the SAM program
In the preparation phase, it is advised that everyone involved in the SAM project is fully aware of his or her role in the process.
Standards and Best Practices
Because more and more organizations are aware of the advantages of an effective SAM program, different standards and best practices have emerged which propose guidelines for developing SAM. Examples of these standards and best practices are the International Organization for Standardization (ISO) and IT Information Library (ITIL).
The ITIL Guide for Software Asset Management describes a practical approach to managing software assets. In accordance with ITIL V3 and ISO/IEC 2000, this guide was published to support the implementation and maintenance of all SAM processes and procedures within an organization. ITIL helps to align the business and IT context within an organization and supports the development of SAM throughout the assets’ life cycle.
ISO/IEC 19770 is an international standard for SAM that is composed of different parts. In this article, we limit ourselves to the part of this standard that describes the four tiers in SAM. This part of ISO/IEC 19770-1:2012, formerly known as ISO/IEC 19970-4, emerged thanks to feedback from the market regarding the original parts 1, 2 and 3, and it describes the phases needed to create an effective SAM program. These phases are called tiers. Below is a concise overview with a focus on the four SAM tiers as described in ISO/IEC 19770-1:2012.
Figure 1: 4 tiers in SAM (source: ISO/IEC 19770)
- Tier 1 – Trustworthy data: When organizations reach this tier, they are capable of determining exactly which software is installed. Having correct and reliable data at their disposal is a basic prerequisite for SAM. This allows organizations to start actively managing their portfolio of software assets.
- Tier 2 – Practical management: Organizations make the first steps in active management of software assets. The basic SAM management controls are implemented throughout the organization. In addition to the controls, the SAM roles and responsibilities are defined and attributed. Both the risks and opportunities relating to active management of software assets become recognized.
- Tier 3 – Operational integration: Building further on the foundations of the first two tiers, SAM becomes fully integrated in the operational processes within an organization. This brings a sharp change in efficiency and effectiveness with regard to the SAM program and the management of software assets within an organization.
- Tier 4 – Full ISO conformance: Organizations are “best-in-class” regarding strategic management of software assets. In addition, more demanding and advanced aspects of strategic management of software assets, such as full integration in the strategic planning of an organization, become supported.
2. Deloitte’s pragmatic approach
The approach set out by Deloitte is a structured, pragmatic approach (Figure 2) that combines the best of various existing standards.
Figure 2: A pragmatic approach on SAM (source: Deloitte)
In the first phase, it is ensured that complete and accurate data regarding installed software, existing software contracts, and available licenses within an organization are available. Having correct information is the first requirement in order to allow proper decision making within an organization. Having knowledge of which software licenses are already in place, and which software is installed and used, is indispensable to organizations in order to be able to actively manage software assets.
In the second phase, potential “quick wins” are identified to reduce the risks and costs related to the use of software. A risk-driven approach is applied to achieve cost-effective management of software assets with a minimum amount of effort.
In the third phase, building further on the data gathered in the first phase and the “quick wins” identified in the second phase, the existing controls within an organization are assessed to see whether they are also suited to managing software assets cost-effectively in the future. The different roles and responsibilities, knowledge of licenses and software contracts, and processes and procedures are examined in order to arrive at a practically feasible and effective SAM program.
Therefore, it is necessary that all roles and responsibilities within an organization are clearly described. The different roles involved in SAM depend strongly on the complexity of the IT environment. The principal roles that should definitely be filled in order to successfully implement SAM are: 1. Sponsor; 2. Software Asset Managers (control role in the entire SAM process, responsible for managing the SAM implementation process and providing information about SAM within the organization); 3. Software Library Manager; 4. Product Responsibles (responsible for managing an application or software product, as well as reporting on its use or installation); 5. Procurement; 6. Legal and 7. Auditors.
To assure further formalization, it is necessary to document the different processes and procedures within an organization. Organizations typically have documentation of many processes and procedures that interface with SAM. These are located in existing domains such as change management, incident management, and software release management. For this reason, writing additional procedures can be postponed until a later phase of the SAM implementation process. However, a gap analysis of the existing processes and procedures against, for example, those defined in IAITAM’s Best Practice Library needs to be executed at an early stage.
Choice of technology
The choice of the supporting tools and technology plays an important role in a swift implementation of SAM within an organization. Discovery tools are used to gather information about the hardware in use and the software installed within an IT environment. This information can be managed by inventory tools in combination with license and contract management tools. The complexity and the type of technology that needs to be chosen are directly related to the complexity of the IT environment.
During the post-implementation phase of a SAM program, there is a special role designated for internal or external auditors. In order to assure the effectiveness of the SAM program, auditors have to test whether the management of software assets meets the compliance goals of the organization. If certain compliance goals are not yet defined, they need to be set up in such a way that they are clear to everyone to ensure that the organization fulfils all of the terms and conditions to which it is bound.
The implementation of a SAM program, and its regular review by auditors, does not ensure that all of an organization’s employees are aware of the procedures that must be followed and which processes are in place. A key element in a successful implementation of SAM is communication. Training sessions and regular communication can help to make everyone in the organization familiar with the new guidelines.
Software asset management can offer organizations plenty of advantages, from reducing the cost of using software to limiting security, legal and organizational risks. Despite these clear advantages, many organizations today have only taken the first steps in developing an effective SAM program. Organizations need to realize that the importance of SAM is significant. They cannot afford to neglect a program which leads to improved profitability in IT investments and at the same time minimizes the various risks related to the use of software.
Due to the current economic climate, many IT departments struggle with shrinking or stagnating budgets. As a consequence, cost savings achieved by developing SAM are especially advantageous. For many organizations that only want to focus on their core business, hiring an external SAM and license specialist, or completely outsourcing SAM, are valid options as well.
For the organizations that realize that SAM isn’t a ready-made or a tool-only solution and that also realize the strategic value that SAM can offer to the overall business goals, developing a SAM program can deliver a significant competitive advantage. SAM will play an increasingly important role in the coming years because many businesses depend heavily on software. Thus, for many organizations, the question is not “whether,” but rather “when.”