If you’ve been assigned responsibility for sorting out that prickly mess called software, you might be asking yourself – Holy moley! Where do I start?
If you are a newcomer to managing software, may I offer you two pieces of advice? You might be feeling slightly overwhelmed by the enormity of the problem. If you want to sleep at night and not blow a fuse try to grasp two concepts:
Theoretically, with intellectual property law, every license is sacred and should be treated with equal respect. But I’m assuming you don’t have an endless pot of money for SAM and have finite resources. So we have to be a little pragmatic about things, as I have mentioned before, we have to pick our battles. Your job is to provide the best IT environment for your users, at the lowest cost, with lowest risk. As any good IT security professional will tell you, your job is about mitigating risk, not eliminating risk.
Your estate will always be in a constant state of flux. I have known (very occasionally) of SAM gurus that have left their company because they managed to ‘get it nailed’, got bored, and moved on. But on the whole just assume that the goalposts will always be moving. It’s at times like these you might say SAM is like painting the forth bridge, but it turns out the forth bridge is now finished, drat!
Ahhh, now we’ve got that out of the way, we can relax and get on with the task at hand.
The Pareto principle applies here; in that 80% of your financial burden and compliance risk is likely to be found in 20% of your software estate.
If you are starting out, you may be looking down the barrel of several hundred or several thousand different vendors. I would wager, that no matter what sort of organization you work for, the vast majority of the compliance headaches and money spent on software in your company could be found in the top 10 or top 20 vendors.
So in short, by carefully picking some vendors, you make a massive impact to the control, costs and risks of your software estate in a fraction of the time it would take to gain control of the whole estate.
Factors to think about when selecting your top vendors to focus on:
Vendor License Type
|Volume Desktop||High quantity of low value installs||e.g. Adobe, Microsoft – usually a big $$$ number.|
|Premium Desktop||Low quantity of high ticket items||e.g. AutoCad, not many but expensive. Good opportunity for quick win.|
|DataCentre||Low quantity of high value items||e.g. If you can get access to this environment to audit properly – some big ticket items in here. Complex but big $$$ numbers.|
|High Risk||Low quantity, zero value but high strategic risk||e.g. Some zero cost items that might help you win friends and influence people with your SAM project. Service Packs missing, AV missing, malware, key loggers etc.|
|Minutiae||Everything else||That long list of ‘other vendors’. They are important – but let’s get these big Kahunas out of the way first.|
Trying to demonstrate compliance for every single piece of software in your organization can only lead to disappointment. In an ideal world every software publisher should be treated equally, but we don’t live in an ideal world with infinite SAM resource and infinite budget. Picking off big targets and delivering compliance will help build momentum in your SAM practice and justify further investment in dealing with the smaller vendors. All the process improvements, controls and benefits accrued managing the top vendors will naturally have positive benefits to all other vendors.
What happens once I have things under control or at least moving in the right direction for my top 10?
Sit back, crack open one of your favourite recreational beverages, and bask in your SAM glory….
…Then think about expanding your list. The top 10 could be the top 20 and so on. Look at what you’ve learnt and try to apply it to a larger group, whilst not losing the progress you’ve made on the top 10, keep it current.