Sorry, I’m guilty as charged. Guilty of creating a sensational article title to gain your attention. But, as I work on this post, my daughter is about to become a teenager and her favorite form of communication is sarcasm.
So, please forgive me as I turn off the teenager speak and return to speaking the direct truth, which is fitting for the start of this article. I promise, no more sarcasm. Only help in getting your organization up and running with, or doing better at, software asset management (SAM).
The search for truth and setting the right expectations
There are many definitions of SAM, but let’s focus on ITIL’s definition for the purposes of this article as many others have a similar theme/focus. ITIL defines SAM as:
“All of the infrastructure and processes necessary for the effective management, control and protection of the software assets within an organization throughout all stages of the lifecycle.”
The key points in this definition are:
- Scope – understanding “all of the infrastructure”
- Processes – so it’s not just technology
- Management – “control and protection…throughout the lifecycle.”
From a more general perspective, the primary end goals of SAM typically span one or more of the following: ensuring compliance, mitigating risk of penalties, avoiding security breaches, reducing the risk of unplanned costs, and optimizing investments (i.e. lower costs).
All easier said than done, which is the point of this article. There is no “easy button” for most, regardless of the available SAM tools and content. A former co-worker of mine coined the phrase: “SAM is a dark art.” Which is apropos for this article as it implies that SAM is much more than a tool or technology. Instead, it requires skilled resources and the right technologies to cover the platforms, titles, and license models within scope.
In my experience, many organizations start with unrealistic expectations because they haven’t been exposed to the challenges inherent in building a SAM program. It’s therefore critical to understand the common challenges (of SAM) in order to build a successful and sustainable SAM program.
The 3 most-common SAM mistakes
The most-common mistakes made by organizations attempting to implement a SAM program can be boiled down to the following three points:
- Setting unrealistic expectations when planning or maturing one’s SAM program.
- Not identifying a roadmap (i.e. a phased approach) with a clear and prioritized list of requirements.
- Not performing the proper due diligence with SAM vendors to fully understand what’s achievable out-of-the-box (OOTB) versus what requires customization and/or professional services/consulting. The latter of course has a significant impact on cost.
Any one of these three common mistakes can delay, or even kill, a SAM project.
Please indulge me for just one minute with an analogy based on a true story. The names have been changed to protect the innocent.
Picture SAM as an onion. As you peel back the layers, your eyes begin to water. Soon you realize that there are many more layers than you expected. As you peel additional layers, the tears really start to flow – until you’ve got nothing left except pieces of onion everywhere, red eyes, and some empty Visine bottles strewn across the floor.
Snapping back to reality, and away from the onion analogy, you realize that many of the challenges were not anticipated. Your management is also getting restless because of the growing costs with limited value and you underestimated the level of resources and consulting required because the tool was supposed to automate most, if not all, of your requirements.
Unfortunately, this is a common scenario which prevents organizations from building, establishing, and sustaining a successful SAM program. In fact, some of these same challenges occur when implementing a broader IT asset management (ITAM) program. You can refer to my blog How to Build an Asset Management Program: 7 Keys to Success for more information on the ITAM front.
To help you drive the discussion and begin to set the proper expectations when planning to implement a SAM program, the next section highlights a range of SAM misconceptions and fundamental truths.
Challenges and fundamental truths of SAM
Below is a collection of some of the most common challenges and truths about SAM, which I’ve seen organizations either ignore or discount over the years. Many of these are the result of organizations jumping in too quickly without any experience, setting unrealistic expectations, and not defining a focused scope with a phased approach (in other words, the three common mistakes identified above):
- No single tool/solution – No single tool can discover all of your organization’s software and the data necessary to measure all license models (i.e. there’s no such thing as an out-of-the-box (OOTB) SAM solution for all software). Some tools are better with certain vendors and/or platforms than others. Some vendors bundle and/or partner with other technologies and content to broaden their coverage. For example, on the discovery front, some software requires usage information and/or specific configuration settings (i.e. Oracle database licensing), while on the licensing front, the product use rights (PUR) can be very complex (think MIPS and points-based licensing). On either front, very specialized knowledge is required to create and maintain this level of specialization. This is just one factor as to why a phased approach is essential for SAM success.
- Content drives automation – In today’s SAM world, content is a critical success factor. Without it, the onus is on the customer to create and maintain it, which is not practical unless the scope is very limited. Content covers a wide range of areas including, but not limited to, discovery, license models/SKUs/PURs, maintenance, and end of life. For example, with PURs, the default license can be associated to the discovered software, significantly reducing the effort to measure compliance.
- Complex and ambiguous – License models can be complex and ambiguous, and they’ll continue to be even more so. Datacenter software tends to be the most complex. Some information required to measure compliance may be difficult to collect. Not all vendor terms are clear and/or measurable and new license models continue to emerge. Note: Prior to the purchase of any software, organizations should verify the compliance terms in order to avoid any ambiguity. If you don’t know what to measure, you cannot be confident in your compliance position.
- Standards slow to adopt – Organizations have been slow to adopt the primary standards for SAM (ISO/IEC 19770-1, -2 and -3) to further enhance automation and reduce the dependency of content services. As adoption grows, these standards (particularly -2 and -3 below) will reduce the dependency on content which is essential today to drive automation and reduce the SAM effort: i) ISO 19770-1 provides a process framework for SAM (note: it’s a great standard to evaluate and baseline your SAM program). ii) ISO 19770-2 provides the standard for software tagging (i.e. discovery) which software vendors are slowly adopting. iii) ISO 19770-3 provides the transport format, which is intended to drive standardization on the entitlements front.
- Cloud complexity – Cloud licensing adds complexity as this is typically (but not always) less of an issue regarding licensing and compliance and more about usage and optimization. Hence, some cloud vendors are getting better at controlling the usage to avoid non-compliance, which shifts the primary focus on the customer to ensure that they don’t over purchase (i.e. optimization over compliance) – an improvement over traditional on-premises software. The tools and technology to capture and manage cloud-based software are emerging and will become more prevalent in the next few years to improve optimization.
The devil is always in the details. If you have a limited scope (e.g. Microsoft Windows desktop software), there’s less complexity than a scope that covers multiple vendors and/or platforms (i.e. data center, cloud, etc.).
Be cautious of anyone who, or any vendor that, contradicts any of these fundamental truths when the scope goes beyond a very limited set of titles, vendors, or platforms. To help, below are a few initial questions to ask SAM vendors to quickly identify the depth of their SAM solution and the vendor’s knowledge of this space.
Some key questions for SAM tool vendors
|INITIAL CLARIFICATION QUESTIONS||FOLLOW-UP QUESTIONS|
|Does your solution discover all software OOTB?||· Which methods (i.e. registry, signatures/files, etc.) are used to discover different titles and platforms (i.e. Oracle, cloud, etc.)?
· If content/signatures are used, which vendors and software titles are covered? Ask for specifics, not generalizations.
· What is your strategy to create and maintain these signatures? (i.e. Do you focus on a platform, vendor, or something else?)
· How do you handle customer requests for additional vendors and titles? Are there costs? If so, what are they?
|Does your solution normalize all software OOTB?||· How is the information normalized?
· Is there normalization content? If so, how is it maintained?
· How do you handle customer requests for additional vendors and titles? What is the process? Are there costs? If so, what are they?
|Does your solution handle all license models OOTB?||· Which license models are covered? Provide examples of complex license models and how you handle them (e.g. multi-use rights, upgrade or downgrade paths, MIPS, Oracle database licensing, etc.).
· What is your strategy to create and maintain license models?
· How do you handle new license models or customer requests? Are there costs? If so, what are they?
· Do you focus on certain platforms and titles?
|Beyond what has been covered (e.g. normalization, signatures, license models), what other content do you leverage to identify software and automate license compliance calculations?||· SKUs
· End of Life
Note: This is not a comprehensive list of questions, but they could be used to identify key areas which are commonly overlooked when evaluating SAM solutions. For a more in-depth SAM evaluation source, please refer to the final section of this article.
Finding the truth
As I complete this article, I keep thinking of Jack Nicolson in the movie “A Few Good Men” when he emphatically says to Tom Cruise from the witness stand: “YOU CAN’T HANDLE THE TRUTH!!!” I’m not sure why I can’t get that scene out of my head, because it conflicts with the intent of this article. In my experience, it’s not that organizations cannot handle the truth – they can. They just need to find and understand the truth before starting a SAM program. So now the question is, “How do I find the truth?”
The best source of truth about SAM is with those who have the real-world experiences of implementing formal SAM programs. There are a range of sources, but as a software vendor, I prefer to be agnostic on this topic as this is not intended to be a promotional tool, but rather an independent, educational tool.
That said, I do feel comfortable referring to several independent industry organizations including: The ITAM Review, The International Association of Information Technology Asset Managers, Inc. (IAITAM), and the International Business Software Managers Association (IBSMA). All of which provide great content, guidance, and training around SAM.
For example, The ITAM Review provides a solid SAM Tool Selection Kit, which includes an in-depth questionnaire to assist in the process of selecting a SAM tool. This can serve as a great tool for internal discussion on your organization’s requirements and to help drive it towards realistic goals and expectations.
One last thought to leave you with – if someone was to ask me: “What one thing should I focus on when establishing a SAM program?” I would say educate yourself and your organization. Talk to other organizations who have built SAM programs. Find out about their successes and failures (i.e. lessons learned). Information is power. Don’t be afraid to ask questions and challenge generalizations where something may seem too good to be true. In the case of SAM, there’s the chance that this could happen if you don’t dig deeper. Find the truth to find success!