My current role involves going about organisations in the North of the UK and advising them on best practice with regard to software asset management. “Do we go down the FAST route? Or do we follow ITIL? Or perhaps we should consider ISO certification?” Of course, some organisations are legally bound to follow regulations pertaining to Sarbanes-Oxley, or NHS Connect.
To consider software as an asset (in isolation) could be a good starting point, but as IT matures and infrastructures grow, keeping track of software could be as troublesome as plaiting sand. I have seen some organisations that are FAST compliant but who have taken 20 minutes to find a licence; others who say that ITIL is the way forward, yet upon closer scrutiny they have “cherry picked” the elements that serve their immediate purposes. I have also been into companies that say they are ISO 27001 compliant, but when I ask them how many installs of MS Office they have, the IT Manager concerned shuffles like a schoolboy awaiting punishment from a headmaster. And let’s not forget, as a publicly listed company on Wall Street, Lehman Brothers was SOX compliant, and had additional constraints placed on it by the SEC.
So with all these standards abounding, and seemingly falling short, what is it that distinguishes those organisations that are well run from those that are perhaps ticking boxes to ensure they have a certificate on the wall?
Regardless of the approach adopted, IT should support business strategy first and foremost, but then ensure that its own strategy means it is open to scrutiny. Remember, if a software vendor comes knocking, no amount of umms and errs is going to have them looking at the next company down the street.
Once IT is comfortable supporting a business, it should then consider what operations it needs to conduct to keep performance at an optimal level, bearing in mind that change is a constant factor to watch out for. Software should be managed at every stage of its lifecycle through a company: requisition, acquisition, testing, installation, movement/change, upgrade/transfer, retirement and finally disposal.
Whichever benchmarks are chosen to ensure that software is effectively deployed and properly utilised, do it with passion and commitment. Principles borrowed from the Deming cycle (plan, do, check and act, then back to plan again) should ensure that we don’t rely on facts and figures from when software was first installed, or trust blindly to a “true up” in a few years’ time. The ideas of systematic auditing and reconciliation are crucial to demonstrate not just that a company was compliant 12 months ago, but that it is still compliant and still in control of its assets.