Shortcuts to SAM Immaturity

This article was prompted by a discussion with an ITAM Review reader, asking how they should maximise the value of an expensive tool deployment that wasn’t, as yet, delivering results.ITAM tools can be seen as a magic bullet for software asset management – buy the tool, install the agents, all good to go, right? This is far from the truth.

Having a tool can actually be counter-productive, because it generates a pressure to deliver against its purchase cost and ongoing maintenance. In this article we’re going to summarise what to do next now that you’re in this unfortunate situation. I’m going to pull together content The ITAM Review have produced over the years on this subject – a sort of greatest hits of best practice.

This first article will assume that you’re a new SAM Manager with the task of maximising value from your toolset. It will look at what to do first in practical terms, and what your next step is. By the end, you’ll have reached a state of SAM Immaturity.

Why a tool can’t solve the problem

Think of a factory. You can build a state-of-the-art factory full of technology, but it will produce nothing without two further things – people, and processes. You (still!) need people to run the production line, and you need procedures to tell them what to produce and how to do it. You could build a product without the factory, the factory just makes it more efficient. Starting with a factory is not the way to go when building a product, and the same goes for ITAM.

What should I do first?

The ITAM Review’s recommended approach is the 12-box model. This covers building maturity in the People, Process, and Technology domains in detail.

Martin Thompson has written a companion book “Practical ITAM” and we also have an on-demand online course available in LISA. Finally, we also offer regular in-person training.

The 12-box model scales to any deployment scenario and we provide a free maturity assessment to help you identify where you need to focus your efforts.

Shortcuts to SAM Immaturity

I realise that you may want to get up and running quickly – I know when I was parachuted into just such a scenario I barely had the time to think let alone read a book. Whilst we don’t recommend this approach if you have no alternative it does give you an easy-to-implement plan to prove to your new boss that SAM is worth investing in. My practical approach to ensuring I was delivering on investment within 3 months was as follows:

1. Do the 12-box assessment. Do this as soon as your boots hit the ground and share it with your boss as a baseline. What this will probably do is provide you with more questions than answers but this is good. It gives you a conversation-starter with your manager and makes them aware of the scale and scope of an ITAM function. Agree with them where you should focus your efforts and build a Plan for the next month, quarter, and year.
2. Make your Plan SMART:
   1. Specific – don’t try to boil the ocean. Pick something small that you know you can deliver. I started by highlighting £25k’s worth of unused Visio & Project licenses which my Desktop team harvested and redeployed. If you don’t use this software take a look at Adobe & Autodesk – you will find savings.
   2. Measurable – the great thing about much of SAM Operations is that your progress is measurable. I started a “Wins” spreadsheet listing by date every cost-saving or risk reduction I’d found. Listen to this podcast on how to quantify the financial benefits of SAM.
   3. Actionable – pick something that you have at least some degree of control over. A good one is committing to producing KPIs on the SAM Operations function. See here for a list of initial KPIs you should be able to extract from your tool to demonstrate value.
   4. Relevant – find an area of importance to the organisation. This may be getting involved in an upcoming renewal. My first job as a SAM Manager was to compile an Oracle Server Worksheet – a real baptism of fire! I was able to immediately deliver hundreds of thousands of dollars in cost avoidance by researching (via ITAM Review content no less!) how to compile one correctly.
   5. Time-bound – make these objectives monthly, quarterly, and yearly – and commit to reviewing your progress against them on time. Being able to tick them off as you make progress is great for building self-confidence.
3. Review your existing processes

Processes are required in order to ensure that all software use is compliant with license terms. At a minimum you need support from an Acceptable Use Policy, a Software Deployment Policy, and a Software Purchase Policy. At this stage you just need to understand your policy landscape rather than make drastic changes. You really don’t want to be throwing policy at people to make them do what you want, but if you have to you need to know what authority you can bring to bear.

Acceptable Use Policy (AUP) – check if your AUP has clauses preventing the use of unauthorised software and unlicensed software.

Software Deployment Policy – typically these ensure that software is only deployed through official channels – e.g. via an authorised request to your Service Desk. As with the AUP the aim is to make people think twice before installing, for example, Dropbox.

Software Purchase Policy – you know that you’ve got good inventory, but this doesn’t help if you’ve no idea of what software you’re entitled to run. Gathering historical entitlement history is a long-term job. Whilst important it isn’t essential to success. The most pressing need for it is in the event of an audit so it isn’t a priority for all vendors. Your best approach is to get a process in place to ensure all new purchases are recorded. Work directly with Procurement, Finance, and IT to get copies of PO’s raised and goods received and record them in your tool. Whilst this won’t necessarily pick up expenditure originating outside IT it will record spend with traditional vendors, and it is these that present greatest audit risk. Which brings us on to Step 4.

4. Build a Risk Register

If you’re new to role you should create a very quick high-level risk assessment. Here’s how to do that:

1. Review the vendor list from your Inventory Tool
2. Check for the following vendors: IBM, Oracle, SAP, Microfocus (Attachmate)
3. If you have server software deployments for the above put each vendor on the risk register and categorise them as High Risk, High Probability.
4. These four vendors audit regularly and have particularly complicated license terms – a perfect storm for a new SAM Manager. If they’re not actively managed then you are almost guaranteed to be found non-compliant if you’re audited.
5. Review further vendors based on criteria such as deployment size (% of estate running the software), annual spend, and criticality to business processes. The 80/20 rule applies at this stage. Whilst the expectation is that your entitlement data is incomplete you can still baseline a draft compliance position and include it on the Risk Register.
6. Publish the Risk Register. At this stage a monetary value isn’t required, what you need is ownership of the risks and awareness. If you’re new in role you need to make your management aware that you are not the risk owner. Your job is to help the risk owners (the owners of the applications using the software) mitigate risk. Make sure you don’t get put on the hook for past misdemeanours. Once the risks are owned you can get on with prioritising and mitigating them. This simple approach means you as a new SAM Manager are seen as a trusted adviser in making risks go away, not a glorified Purchase Order processor. You can also take part of the credit for risk reductions.

These 4 Steps to SAM Immaturity will get you to the following position:

1. Management will have begun to understand what the role entails
2. You will have delivered cost savings and risk reductions sufficient to justify your salary for the year
3. You’ll have ensured that you’re not the one who gets hung when an auditor comes knocking
4. You’ll have got some stop-gap basic processes in place to stop the bleeding.

Next Steps

Now, this is where things get interesting. You need to keep going with the initial plan you laid out – your objectives for the month, quarter and year. But you also need to start thinking about where you want to be strategically. Time to build your Target Operating Model, which we’ll explore in the next article.