It’s the “IT security disconnect syndrome” all over again.
And it goes something like this: Ask business professionals and senior IT executives how important is IT security as a concern. Most will say it’s top of mind. Then ask what they’re doing about it in terms of implementing and enforcing practices and procedures or how much they’ve invested to make things secure. The answer for most is precious little. When it comes to IT security, apparent concern is usually much greater than appropriate action.
I thought about the “IT security disconnect syndrome” during a recent press conference on software asset management or SAM. Right out of the gate event host Diana Piquette, Microsoft Canada’s license compliance manager, cited Strategic Council of Canada research that claims 95 per cent of mid-market and large organizations say SAM is important to them. She quickly added how the research also shows that precious few businesses in Canada have done a self-assessment of their software assets – the very first step in implementing SAM. SAM isn’t a big priority as an IT initiative.
My hope in attending the discussion on this morning was to perhaps unearth the definitive value proposition for SAM and pass that along to the good readership. Perhaps it would help you to sell what everyone seems to be saying is essential.
IT management in any form is always a tough sell since it’s difficult to quantitatively measure its value.
I’m always willing to be convinced, however, knowing how fundamental is management to successful IT. The prospect of a compelling SAM story on this morning seemed good, considering who was in the room – Microsoft Canada, a Toronto-area reseller partner named Buchanan Associates of Canada that provides SAM consulting and implementation and has done 40-plus SAM assessments, and an actual SAM user in sports apparel retailer Lululemon Athletica.
Alas, after hearing the pitch and asking a multitude of questions, I remain sceptical. I have little hope that SAM can fare much better than IT security as a compelling IT concept for business – at least based on the story I heard.Here’s what I did learn. The clearest benefit of applying SAM is in the potential savings to be had. SAM, I’m told, lets you find unnecessary waste in the form of software licenses that may not be needed. So, if you’re willing to go to the enormous trouble of doing a software inventory discovery and implementing a comprehensive SAM system then there’s probably a good chance that you’ll discover more software licenses in your enterprise than you actually need.
An inventory assessment of software is the first stage of SAM. How much does an assessment cost? Well, as with most things in IT, it depends. It can range from $5K to $15K and an assessment typically takes about a month or more to perform.
How much does a SAM system cost to implement, own and manage?
Well, no precise answers were given. I asked that question specifically, but never did hear any amounts mentioned. I did later learn that perhaps I can recoup my SAM system investment in three years.
How much can I potentially save with SAM, or more specifically: how much excess software is my company likely to be paying for but doesn’t need? No guesses there, either.
OK, so who do I need to convince my organization to invest in SAM? It’s the CEO or perhaps the CFO, we’re told. So what should I tell my CEO/CFO about SAM and how do I convince him or her of its necessity?Mike Flood, the CIO of Lululemon Athletica didn’t seem to have the answer. He admitted that buy-in from upper management is absolutely necessary to get things going and that HR (human resources) and “legal” likewise need to help with software policy enforcement – to ensure people recognize the consequence of behaviour that doesn’t adhere to the rules expressed through SAM. How did he do it? Flood didn’t get into any specific detail, but admitted: “Businesses don’t necessarily see the benefits (of SAM) right away. It’s hard to measure.”
Perhaps he wasn’t involved in the evangelizing. Flood did say that the greatest IT challenge with SAM is not having enough time and resources. He didn’t explain how Lululemon got past that hurdle, however.
After a while I had to wonder about Microsoft’s choice of using Lululemon as a SAM case-study. The retailer was at the mere beginning of its SAM adoption and had little to say about the actual real experience of using the process. Flood, in fact, had earlier joked that he had hoped attending Microsoft partner Buchanon Associates would be on site that morning, installing his SAM system. Flood simply couldn’t speak to the big benefits for SAM or its perils and pitfalls, since it had yet to be installed.
It seems that the way to enforce software policy usage administered by SAM is with the stick rather than the carrot. We were told of an organization that fired two employees who, among other things, were discovered through the SAM system to have violated corporate software policy usage.
The ultimate success of business processes and policies depends on the willingness of employees to cooperate and adhere to them. Positive reinforcement is usually a better way to gain commitment. So I specifically asked Stephen Sweett, regional president of Buchanan Associates Canada: beyond the fear of threats and negative consequences what positive reinforcement or approaches might be used? Can he recommend incentives, contests or other programs used in conjunction with a SAM system that might convince my employees to embrace SAM and software compliance in a more positive way? Sweett didn’t have much to say about that.
Seems he hadn’t really thought about issue of software policy enforcement in that way.
Back to the topic of how to sell SAM to your CEO. I further asked Sweett: can he offer insight from his personal experience and explain how he has successfully sold SAM to CEOs? Sweett admitted most of the deals his company sees are brought to him through Microsoft.
So, sadly, much as I’d like to I’m hard pressed to understand the complete SAM story ultimately in a way that would help any IT professional sell it to their senior business management. SAM sounds intriguing, but I still have to wonder why any business would make the investment.
It’s the “IT security disconnect syndrome” all over again.