As an IT Strategy, Planning and Governance professional and having successfully leveraged principles of software asset management to deliver multifold savings on IT budget, one of the questions I get frequently from Software Asset Management professionals is:
“How do we prioritize our efforts? Our CFO wants to see quick returns, but after implementing our software asset management solution the list of unaddressed software exceeds 1000, which is overwhelming for a small team like ours.”
The above scenario is not uncommon for SAM professionals, the typical approach of picking top 10 software vendors based purely on volume fails to objectively address the risk and effort required in the cleanup. Here is a better approach.
For each software vendor discovered by your SAM solution classify them on a 2X2 matrix comprising risk on one axis and volume on other.
to be present on large volumes of desktop computers and servers. If the SAM solution has sprung up some surprises then make sure to align internal stakeholders and proactively engage the vendor’s sales team before an unpleasant audit notice arrives on your desk. Be watchful of press releases from your company which signal the number of employees as discrepancies in licenses purchased and publicly available employee count could signal non-compliance to vendor audit teams. Anything in this quadrant undoubtedly become your number one SAM priority.
HRLV (High Risk, Low Volume) – Here I would include specialized software which have low installations but carry a high non-compliance risk due to their high unit price. Specialized modules in ERP, Database and IT Server management software often make this list. One of the reasons why software in this quadrant becomes tricky is due to complicated metrics (Indirect usage, CALs, Cores) used by some vendors. As the penalties for noncompliant installation are very high, it is recommended to carry out internal cleanup before sourcing additional licenses.
LRHV (Low Risk, High Volume) – This could include software titles which are free for personal use, however, they require a license when deployed in a commercial environment. Popular file compression utilities like Winzip, Avast antivirus, and TeamViewer and pdf converters often fall into this quadrant. A low risk does not mean to remain non-compliant, it simply means that in a rare audit, exposure per computer will be less than high risk software. Management approach for applications falling this area will be to carry out remote uninstallations and make replacements with free alternatives.
LRLV (Low Risk, Low Volume) – This could be a long tail of software which is either wrongly classified by Software Recognition Service or is random software installed by users due to lack of administrative controls on PCs. In an uncontrolled environment, this quadrant could have games, entertainment, and education software. My recommended approach is to educate users and advise them to remove all non-business software from computers, whatever is left can be removed using automated tools (SCCM, PDQ, Snow Automation Platform etc.) or taken care when computers come for reimaging, break-fix.
What is being suggested here does no way mean that an organization should not pay for the software which is used. All software is the product of hard work by IT professionals and should be paid for. Moreover, it is in the organization’s best interests to stay compliant and avoid costly fines and damages to reputation. With thousands of applications in many enterprises, SAM leaders need to take a pragmatic view and work out where to prioritize – selecting which vendors and software to tackle first. These guidelines give them a good start in keeping their companies SAM compliant.
LRHV (Low Risk, High Volume) – This could include software titles which are free for personal use, however, they require a license when deployed in a commercial environment. Popular file compression utilities like Winzip, Avast antivirus, and TeamViewer and pdf converters often fall into this quadrant. A low risk does not mean to remain non-compliant, it simply means that in a rare audit, exposure per computer will be less than high risk software. Management approach for applications falling this area will be to carry out remote uninstallations and make replacements with free alternatives.
LRLV (Low Risk, Low Volume) – This could be a long tail of software which is either wrongly classified by Software Recognition Service or is random software installed by users due to lack of administrative controls on PCs. In an uncontrolled environment, this quadrant could have games, entertainment, and education software. My recommended approach is to educate users and advise them to remove all non-business software from computers, whatever is left can be removed using automated tools (SCCM, PDQ, Snow Automation Platform etc.) or taken care when computers come for reimaging, break-fix.
What is being suggested here does no way mean that an organization should not pay for the software which is used. All software is the product of hard work by IT professionals and should be paid for. Moreover, it is in the organization’s best interests to stay compliant and avoid costly fines and damages to reputation. With thousands of applications in many enterprises, SAM leaders need to take a pragmatic view and work out where to prioritize – selecting which vendors and software to tackle first. These guidelines give them a good start in keeping their companies SAM compliant.