How to prioritize and mitigate SAM risks

One of the questions I’m frequently asked by Software Asset Management professionals is how to prioritize SAM efforts. Here is an approach which I have found useful in dealing with the overwhelming number of software applications discovered during a SAM implementation.

As an IT Strategy, Planning and Governance professional who has leveraged the principles of software asset management to deliver multifold savings on the IT budget, one of the questions I am asked most often by Software Asset Management professionals is:

"How do we prioritize our efforts? Our CFO wants to see quick returns, but after implementing our software asset management solution the list of unaddressed software exceeds 1000, which is overwhelming for a small team like ours."

The above scenario is not uncommon for SAM professionals. The typical approach of picking the top 10 software vendors based purely on volume fails to objectively address the risk and the effort required in the cleanup. Here is a better approach.

For each software vendor discovered by your SAM solution, classify the vendor on a 2x2 matrix with risk on one axis and volume on the other.


HRHV (High Risk, High Volume) – This category includes software from mega-vendors like Microsoft which is likely to be present on large numbers of desktop computers and servers. If the SAM solution has turned up some surprises, make sure to align internal stakeholders and proactively engage the vendor's sales team before an unpleasant audit notice arrives on your desk. Be watchful of press releases from your company which signal the number of employees: a discrepancy between the licenses purchased and the publicly available employee count could signal non-compliance to vendor audit teams. Anything in this quadrant undoubtedly becomes your number one SAM priority.

HRLV (High Risk, Low Volume) – Here I would include specialized software with a small number of installations but a high non-compliance risk due to its high unit price. Specialized modules in ERP, database and IT server management software often make this list. One of the reasons why software in this quadrant becomes tricky is the complicated metrics (indirect usage, CALs, cores) used by some vendors. As the penalties for non-compliant installations are very high, it is recommended to carry out an internal cleanup before sourcing additional licenses.

LRHV (Low Risk, High Volume) – This could include software titles which are free for personal use but require a license when deployed in a commercial environment. Popular file compression utilities like WinZip, Avast antivirus, TeamViewer and PDF converters often fall into this quadrant. Low risk does not mean it is acceptable to remain non-compliant; it simply means that in a rare audit, the exposure per computer will be less than for high-risk software. The management approach for applications in this quadrant is to carry out remote uninstallations and replace them with free alternatives.

LRLV (Low Risk, Low Volume) – This could be a long tail of software which is either wrongly classified by the Software Recognition Service or is random software installed by users due to a lack of administrative controls on PCs. In an uncontrolled environment, this quadrant could contain games, entertainment and education software. My recommended approach is to educate users and advise them to remove all non-business software from their computers; whatever is left can be removed using automated tools (SCCM, PDQ, Snow Automation Platform etc.) or addressed when computers come in for reimaging or break-fix.

What is being suggested here in no way means that an organization should not pay for the software which it uses. All software is the product of hard work by IT professionals and should be paid for. It is in the organization's interests to stay compliant and avoid costly fines and damage to its reputation. With thousands of applications in many enterprises, SAM leaders need to take a pragmatic view and work out where to prioritize – selecting which vendors and software to tackle first. These guidelines give them a good start in making their companies SAM compliant.


Published with permission from The views and opinions expressed in this article are those of the author and do not reflect the official policy or position of Snow software, any corporation or government.


Are you introducing a SAM practice into your organization? Why not download Snow's new eBook on Software Asset Management Basics?