In the business world, we generally think of workers as an asset to the organization—and for good reason. However, in the IT world, workers are, in many ways, regarded as a liability. We know that without certain controls in place, enterprise desktops drift toward a state of disarray, growing ever more populated with applications that may drain productivity, threaten security, and create license risks.
Though not true of all employees, there are some (especially those just now entering the workforce) who will install just about anything on their computers without understanding (or necessarily caring about) the potential risks. I think this comment to a post on our company blog about BSA audits sums it up rather nicely: “I’d say it may be a generational thing. I feel satisfaction, not shame, when I pirate a song, movie, or program.” Get enough of those folks working at the same place, and you’ve got a real problem on your hands.
That is why all organizations should establish a sensible software usage policy that articulates a set of guidelines related to the procurement, installation, and use of software both within—and in some cases, outside—the company’s walls. We often assume that if we establish bulletproof systems for purchasing, tracking, maintaining, and reporting on installed software, we can tackle the problem of “clueless” end users once and for all. But while it’s easier to turn our efforts inward to try to engineer a system that contains the inevitable “leaks,” the brutal truth is that unless we have the luxury of completely locking down every PC, we must at some point turn our attention toward users.
The content of your software usage policy will depend on a wide variety of factors, including the size of your organization, the presence of a mobile workforce, your risk profile on a number of different fronts, and the software needs of your users, to name just a few. For example, if you work for a software development firm, and your programmers need relatively unfettered access to a wide range of development tools, you’ll need to build flexibility into your software usage policy. However, if you work for an insurance company, you may allow only designated personnel to purchase or install software and maintain a list of approved software–that is, if you don’t lock down the desktops completely.
Not only is it important to provide guidelines for software installation and use, but it’s also important to help users understand why such guidelines are in place. While the potential risks may seem obvious to those of us who work in IT, such threats are often not well understood by the workforce, especially if they aren’t power users. The better your employees understand the “why” of the software usage policy, the more likely they’ll be to comply with its stipulations.
At the very least, your software usage policy should include:
Download a full software usage policy template to customize for your own organization.
A final thing to consider is how and when to communicate the software usage policy to employees. Do you require all new employees to read and sign the policy during their first week on the job? Is it a part of employee training? Do you e-mail the policy out annually as a reminder? How do you communicate changes? The answers to these questions may change over time as you measure the effectiveness of the policy in curbing risky activity.
In summary, you can’t afford to ignore the significant role your end users play in your ability to ensure your organization operates within the boundaries of its license agreements. The right technology and effective processes, while absolutely vital to the success of your SAM program, rarely go far enough toward addressing a dynamic environment in which applications residing on desktops fluctuate on a daily basis. By developing, communicating, and enforcing an intelligent software usage policy, you’ll add much-needed balance to your SAM program, and ensure it remains on firm ground.