While bringing many benefits to a company’s IT infrastructure, software now presents a particularly vexing problem for most organisations. On one hand, enterprise applications are mission-critical, running every facet of operations, from front-office to back-office. On the other hand, software is one of the most difficult of corporate assets to manage – resulting in massive financial waste, inefficiency, and cybersecurity risk.
The Challenges of Software Asset Management (SAM)
Most organisations spend approximately 25 percent of their IT budgets on software. Yet, unlike physical assets such as office fit-out and hardware, software is extremely difficult to keep track of and inventory appropriately. Consider all the desktops, laptops, mobile devices, servers and clouds onto which software is installed. Consider that machines are purchased and retired, employees update devices on their own and introduce additional applications, employees are hired and leave the organisation, and merges and acquisitions occur. Adding to the logistical challenge of keeping track of these devices is the difficulty found in keeping track of the software installed onto them.
As well as the physical location of software, organisations must track how that software is being used and whether or not that usage is compliant with the software contract. Every software license agreement consists of dense and complex terms relating to usage and this must be tracked, managed and understood to ensure an organisation’s compliance with the software. If an organisation’s usage exceeds those terms, this would be considered out of compliance, and the organisation can be subject to unbudgeted “true-up” penalties. The contrary is also true: if those licenses aren’t being fully utilised then a company has purchased “shelfware’’- unused or underused software that is sitting idle and still costing the company money.
The Cost of Unmanaged Software
According to a recent report by IDC, software license complexity will indirectly cost organisations an average of 25% of their annual software license budgets. To address this issue, leading organisations have implemented comprehensive Software License Optimization programs. These programs consisting of people, processes and automated technology to substantially eliminate the inefficiencies, waste and un-budgeted software license compliance risk that is linked to an unmanaged software domain.
According to a report from Gartner, the six critical elements performed by the Software License Optimisation solution should include:
- Platform discovery
- Platform and software inventory
- Normalising inventory
- Reconciling external information
- Optimising license position
- Sharing information
IT Asset Management or SAM teams within an IT Operations group will be the general lead of the implementation of Software License Optimisation programs.
Cybersecurity Risks of Unmanaged Software
Another issue associated with an unmanaged software estate is the fact that it also creates an extremely high cybersecurity risk for companies. Security standards and requirements frameworks have been developed by myriad organizations, including The SANS Institute, which has created prioritised list of security controlsthat are crucial in improving organisations’ risk stance against real-world threats.
SANS has identified a number of Critical Security Controls, the first of which focuses on an organisations’ ability to active manage – inventory, track and correct – all hardware devices that are on the network. The second focuses on inventory of authorised and unauthorised software. Organisations must actively manage all software on the network so that only authorised software is installed and can execute, and that unauthorised and unmanaged software is found and prevented from installation or execution. A report from the Business Software Alliance (BSA)/IDC has also stressed the role that Software Asset Management plays in cybersecurity. The report explains that an organisation’s network is at its greatest malware risk when multiple unlicensed software licenses are left running and unmanaged. The report concludes that lowering the incidence of unlicensed software will lower cybersecurity risk.
Software vulnerabilities are the exploitation vehicle for cyber criminals as they habitually use them as gateways to exploit corporate networks. The average cost of cybercrime is over $12.7 million per organisation in the US and the average financial loss was up over 34% in 2014 over 2013 – and high-profile breaches can lead to brand and reputational damage as well as losses of up to hundreds of millions of dollars.
According to a recent report by Secunia (recently acquired by Flexera Software), during 2014, 15,435 vulnerabilities were discovered in 3,870 software products, a 55% increase in vulnerabilities continuing a 5-year trend. 83% of all vulnerabilities had patches available on the day of disclosure, proving that you can patch most vulnerabilities if you know what to patch.
For this reason, Software Vulnerability Management has now become an essential component of any secure organisation’s overall security framework. Software Vulnerability Management consists of two essential components, starting with vulnerability intelligence and assessment. Research and tools are used to identify and validate software vulnerabilities, discover corporate hardware and software assets so CSO’s can determine whether known vulnerabilities exist on their network (similar discovery and inventory is also needed for effective SAM, as noted above), tools and workflow to assess and prioritise risks, and a flow of reports to provide intelligence and clarity into the process.
In addition, Software Vulnerability Management has prompted solutions for organisations as it includes security patch management to apply remediation patches to known vulnerabilities, tools to test those patches and package them before handing them off to the deployment system, and reporting capabilities to verify that the patch has, indeed, been installed.
Where SAM and Cybersecurity Intersect
Organisations need the ability to discover and inventory their hardware and software assets effectively, comprehensively and continually if SAM and cybersecurity are to be integrated successfully. A Report from the IDC has also discovered a correlation between cybersecurity and ITAM. IDC found that the effectiveness in managing cybersecurity and application performance is often reliant upon the assurance of clean IT asset data to correctly evaluate any possible vulnerabilities of existing software and hardware. IDC recommends that future ITAM initiatives focus first on the demands of IT security.
For Software License Optimisation, software/hardware discovery and inventory functions are currently performed largely by ITAM or SAM teams within the IT Operations Group. Similarly, effective, comprehensive and continual software/hardware asset discovery and inventory is required for effective Cybersecurity principles and Software Vulnerability Management fundamentals. Both IT Security and IT Operations teams within organisations are unnecessarily performing these tasks, significantly duplicating the effort, time and money.
Organisations now face the challenge of recognising that siloed SAM and security teams are performing similar activities of different strategic initiatives – Software License Optimisation and Software Vulnerability Management. This is not only wasteful and inefficient – but it can also result in gaps in coverage and risks, when one department isn’t aware of the other’s activities, or isn’t performing the same activity with the same processes or equal thoroughness. Now that SAM and cybersecurity have converged, enterprises have the opportunity to adapt new and effective. By merging overlapping SAM and security efforts, organisations can reduce wasteful software spend, while simultaneously eliminating a dangerous cybersecurity gap.
 IDC, Market Analysis Perspective: Worldwide Software Licensing and Provisioning, 2015, Amy Konary
Research Vice President, September, 2015
 Gartner, Focus Your SAM Tool RFP on Six Requirements for Best Results, Hank Marquis, September 10, 2015.
 IDC PeerScape: Practices for IT Asset Management, Bill Keyworth, July 2015.