SJ AB

WE SIDESTEPPED AUDIT FINES OF €11.5 MILLION

 

 

 

 

 

 

 

COMPANY BACKGROUND

SJ AB is the major operator of passenger trains in Sweden, and connects the Swedish capital with Oslo and Copenhagen. Its flagship X2000 train has a maximum speed of 200km/h. The state-owned company runs 1,200 daily departures from 280 stations, and sold 30 million train tickets in 2017, reaching a turnover of SEK 7.8 billion (€750 million).

SNOW’S CONTRIBUTION

The Swedish rail operator has rolled out the Snow SAM Platform across 2,500 PCs and laptops, 7,500 mobile devices and as many as 600 servers. Security is a very large part of this effort. To eliminate human error as much as possible, SJ is increasingly embedding Snow to automate its Software Asset Management practices. A government-owned body has as much incentive to be compliant as any other, and Snow is making that process much quicker and much more secure.

SJ was exposed to a potential $13.8 million in fines with one of its largest IT vendors, but data from Snow made the problem go away, with the audit resulting in a clean bill of health from the vendor – and zero penalties. Visibility into a big database supplier’s usage made it possible to downgrade the license type, saving SJ $345,000 a year. Snow is a key component of SJ’s strategy to close the so-called ‘disruption gap’ – the separation between IT and the rest of the business.

CHALLENGE

  • Lack of automation around inventory and software requests led to human error, impacting security
  • Gaps in process hurt compliance and control of IT budget
  • Audit preparation
  • SAM practices were not ready for the cloud

 

Download the full case study here

BUSINESS BENEFITS AND ROI

  • Snow data helped fend off large vendor audit with potential fines of $13.8 million
  • Downgrading versions of database saved $345,000 annually
  • GDPR compliance
  • Way is paved for automation of software request process and license re-harvesting
  • Strategic help in cloud migration

SAM HERO

Willy Stjernudde, License Manager and IT Security Officer at SJ, says: “My favorite part of Snow is visibility. That I have everything at my fingertips and that I can really drill down to a specific computer or device and get enough information to understand what’s going on.”

THE QUALITY OF INVENTORIED DATA IS ALL-IMPORTANT

Willy Stjernudde wears two hats at SJ. First of all, he is License Manager, responsible for negotiating Enterprise Agreements with the major vendors and for making sure that SJ sticks to the terms of these contracts – compliance, in other words. He is also IT Security Officer. These two roles come together in what the rail operator gets out of the Snow Platform. Willy Stjernudde: “For me, one of the cornerstones in the security area is that everything should be automated and inventoried through Snow.

To make sure we eliminate human error as much as possible we lean heavily on Snow’s Software Recognition Service. Thequality of the inventoried data is very important. If that quality is low, we have a show stopper.” Stjernudde not only uses Snow for Software Asset Management, but is also leveraging the Platform to prepare for the brave new world of the cloud.

We shall look at SAM first, and then at Snow’s strategic role within SJ.

OUR WORSE-CASE SCENARIO FOR ONE OF OUR LARGEST VENDORS WAS $13.8 MILLION. BUT WE PAID ZERO

When SJ was audited by a well-known software vendor, Stjernudde prepared his CFO for a possible hit of SEK 120 million ($13.8 million). “That was the worse-case scenario,” he explains. With such a sum at stake, C-level management demanded to be kept informed on the progress of the audit.

“I was in constant touch with our CFO,” Stjernudde says. “And with the chief of business development. And with the CIO of course. I went through the whole audit with them. Our legal department was also involved.” He continues: “But in the end, it all comes down to the details.” It was Snow that provided “granular evidence”, the details of which SJ relied on as part of its evidence which wasaccepted by the vendor. “We convinced the auditors that we were in compliance and got out of that audit with zero penalties.” From $13.8 million to zero is quite a turnaround.

“We were delighted,” Stjernudde comments.

DOWNSIZING DATABASE LICENSES SAVES US €300,000 A YEAR

Having implemented the Snow SAM Platform, SJ is now in good shape to ward off any audits from the database vendor. It also gave Stjernudde the insight and confidence to make the strategic decision to move SJ from the Enterprise Edition to the much cheaper Standard Edition.

“This is saving us over SEK 3 million ($345,000) a year.” If Stjernudde expected users to kick up a fuss over being downgraded, he need not have worried. “People were claiming they were using the Enterprise Edition but nobody complained when they didn’t have it,” he says.

ONE THIRD OF DESKTOP APPLICATION INSTALLATIONS HAVE NOT BEEN USED FOR PAST 30 DAYS

Stjernudde is responsible for desktop application contract renewals. A renegotiation in 2015 led to some tinkering with the license mix, but Stjernudde expects to see much more far-reaching change in October, when his EA is up for renewal again. There will be more license optimization. “We can see that we slowly but surely always buy more licenses – more than we should as Snow tells us. At least one-third of all installations have not been used for the past 30 days. So my best guess is that we will come out of the next true-up without needing to buy any new licenses and we probably can downscale the total number of licenses required helping us optimize our license cost.”

SJ is introducing new computers for all its employees in May 2018. Its existing self-service portal for software requests will be moved to the Snow Automation Platform to coincide with that; and those desktop application licenses unused over 45 days will be reharvested automatically.

The new hardware and the drive to automation are an integral part of SJ’s digital journey towards the cloud – with the migration for desktop applications slated for later this year. So we shall now turn to how Snow is helping SJ realise its digital transformation.

WE ARE REALLY MAKING PROGRESS IN THE SECURITY ARENA

Stjernudde regards security as the main challenge for his digital trajectory. The cloud is fostering a disconnect between Business and IT – the Disruption Gap – where Business is initiating technology spend and deploying cloud-based software (SaaS) without IT being in the loop. Unauthorized software poses huge risks to data security.

Blacklisting and whitelisting software is an important first step towards regaining control, and Stjernudde is using Snow to do that. “We use it to get a handle on Business Unit IT, because we probably have more than we know about, typically cloud services such as Slack and Dropbox.”

The new European Directive on data security – the GDPR – is also a response to the challenges posed by the pace of change in virtual technologies. Stjernudde was not made Security Officer and License Manager by accident – increasingly, the cloud is making one role imply the other.
This is how Stjernudde himself looks at it. “In the past, SJ didnot actually think primarily from a security perspective, but more from a functionality, needs and system perspective.
Now, of course, we need to comply with the GDPR together with other laws and directives that we need to be in line with, so therefore SJ right now is taking huge steps regarding security.”

With more than 30 million train tickets sold annually, the rail operator holds vast amounts of sensitive customer data. Snow’s GDPR Risk Assessment is identifying the applications that might be at risk of infringing the new directive – about 150, Stjernudde estimates. Of course, the GDPR is not a one-off exercise; over time, it has to become part of an organization’s DNA. Stjernudde is using Snow to make that happen. “Both the GDPR module and the new Vulnerability Assessment will be important tools for that purpose,” he says. “To try to avoid the establishment of even more shadow IT and to get rid of what we have. Especially as we’re moving to the cloud for our desktop applications.”

SNOW IS ABSOLUTELY A PLAYER

SJ has the ambition to be one of Sweden’s most digital companies by 2022, a tough ask for a nation that is already among the most digitalized in the world. Does Stjernudde feel that Snow is playing its part in helping SJ reach this goal? “Absolutely,” he replies. “we need to have Snow in place aspart of our approach. It’s an essential player.”

X

some content goes here