Ahead of the IAITAM Spring Conference taking place in Las Vegas, April 28 – May 1, I interviewed Shaghaghi Shahryar, Partner, and Jessica Allen, Manager, at Kurt Salmon about their presentation on “Understanding your Commercial Position and its Power”, internal and external audits, and ITAM trends and emerging technologies.
In just a few words, tell us what it is you do. What does an average day look like for you?
We are both part of the CIO Advisory practice at Kurt Salmon. Our practice provides strategy services to IT organizations and their CIOs across multiple industry segments and technology areas. Our typical day may include leading a large market infrastructure initiative for a global investment bank responding to Dodd Frank requirements or assisting a leading global retail company with an ITIL implementation. Our services have a wide range, although one of them is focused on Software Asset Management. In a prior role, Shahryar led a global SAM program at a global financial institution and Jessica was his lead deputy on that initiative. That effort was a tremendous success, closing internal and external audit activities and reducing the overall third party software spend by more than 10% in the first year.
Your session at the IAITAM conference will be focused on understanding your commercial position and its power. Can you tell us what you mean by that?
The focus here is two-fold. First, in our experience with SAM, we have developed a detailed model for calculating and understanding the company’s “commercial position”. By commercial position, we mean where does the company stand with respect to a particular vendor (or product) as it relates to software licenses. In other words, if you were to be audited today, what would your exposure be, or perhaps what over-spending might you uncover. This may seem like a simple question to answer, although through our experience and learning we’ve discovered there is much more to consider than may first seem evident.
During our session, we’ll share this with the audience and discuss some of the intricacies we uncovered. Although, as previously mentioned, this is two-fold. While it’s great to be able to identify your commercial position, the next question becomes when and how often to calculate it. The concept of diminishing returns comes into play here and companies must find a balance between being well-prepared and avoiding over investing in these efforts. We bring forward a method we believe allows the companies to achieve this balance by assessing the risk levels of vendors within their environment and developing action plans against each based on this level of risk.
In other words, knowing when and how often the effort to understand their commercial position is going to be the most powerful.
As an additional value, we are also including in our session some other key success drivers we believe affect the power you gain from these efforts, such as creating an effective organizational model across a large enterprise and enabling success with effective data management.
How does using a framework help? And how did you go about creating yours?
Especially within large environments like the one we were dealing with, in the past these efforts were handled ad-hoc as triggers occurred in the environment such as external or internal audits or a large deal negotiation. Each time a commercial position was developed, the wheel was being re-invented and each time some piece was left out. Whether it was considering the effect of our virtual environments or factoring in classifications such as Disaster Recovery environments and the impact it may have on your calculations.
Having a framework ensures that each time you are improving on where you left off the last time rather than re-inventing and perhaps taking two steps back. With each event you are dealing with a unique situation so the framework is always your starting point, although if the framework exists as an ever-evolving process each time you grow in efficiency and quality.
Our framework was developed partially from this same type of evolution, although also based on the large program we were part of. This program brought together all key components of SAM into a central team leveraging the skills and experience across the enterprise collectively to ensure our framework was thorough. This framework has been tested by external audit inquiries, internal audit controls, as well as large deal teams.
During our work on this team, we were audited by a third party software firm. A consulting firm was brought in to administer this. The comments received from the administrators/consultants were that our firm was more prepared and aware than any other firm that they had worked with before. This is a driver in our belief that the framework and other lessons learned can be valuable to visitors at the IAITAM conference. Our framework establishes a common vocabulary across the organization allowing them to manage to a standardized roadmap.
As we all know, one size does not fit all when it comes to frameworks. For those trying to understand what works best for them, what would your advice be to get started?
We believe that is the beauty of the framework and our model – it is scalable to environments of different sizes as well as maturity levels. The framework takes the calculation of the commercial position layer by layer so that groups can include or exclude as they dig deeper into the detail. For smaller environments or groups with less maturity, they can use the components of the framework that they have available to them today and also use the framework to help them understand where they need to go in the future.
The advice would be to use our model that assesses the risk and develops action plans against your vendors based on risk. Once you understand that you can consider the framework against those higher risk vendors, you can begin to understand where you need to go and how quickly. For instance, if your higher risk vendors and products are not currently being installed in your virtual environments, you shouldn’t be investing immediate resources in that component of the framework. Although, if you have a large exposure on products installed on virtual desktops or Citrix farms, you will see that being able to track software assets and calculate this layer of your commercial position is quite important.
What tips can you share to mitigate risks when it comes to external and internal audits?
From our experience, third party software companies are strategic about who they audit. They start by sending emails to gauge if the company seems prepared or if the threat of audit seems to concern them. In many cases, firms combat this by offering to make a large purchase of software and most of the software companies are quite happy with that. Often, it seems to be their full intention from the start. Whether their intention is to follow through with an audit or just instigate a purchase, the best response you can have is to come back with a clear indication to the software companies that you are prepared.
We have found that if you immediately respond with an email that states that you have an established process around software asset management with a mature framework to consistently be aware of your commercial position they are quick to change their tune. Of course, internally you’ll probably be more prepared in some cases than in others although, either way, having this framework in place means you either know your current risk level or can get it fairly quickly. So, you go into these discussions much more prepared to mitigate than without it.
As for internal audits, the control teams will want to see that you have a consistent, repeatable, sustainable process with a cadence of risk assessment and appropriate goals against those risk levels. The best way to mitigate having internal audit findings or large efforts around responding to an internal audit is to have a framework such as the one we are proposing with a model built around it for assessing the risks and having a successful cadence for staying on top of that risk.
What advice can you share for assessing demand vs supply?
Being able to truly understand demand versus supply is really at the highest level of maturity. Many firms can understand pieces of this and mostly are doing it at an individual request level. A user in the environment needs three licenses for Product A so simply understanding whether or not you have three licenses on the shelf or if you need to go buy them is the first step. There often isn’t a greater understanding of the overall demand to answer this with a more strategic view such as knowing that there is actually a bigger demand for Product B (an equivalent to Product A) so the user needs to switch to that product.
Within our session, one of the key success factors we will discuss is data management within the SAM program and how it affects your success. This is key to getting to the needed maturity levels for assessing demand versus supply. It starts with demand data elements like a software catalog that indicates if products are recommended or restricted in the environment and leads to robust asset management tools that help you understand actual usage data across your environment.
At the risk of sounding like a broken record, this is where the framework and model we propose can be helpful. Once you understand the risk drivers in your environment and go through the exercise of calculating commercial positions for each of the vendors and products identified during that exercise, you’ll understand where your priorities need to lie and where understanding that demand versus supply is critical.
How do you see ITAM trends and emerging technologies impacting this?
Asset management trends and emerging technologies are a constant snowball growing larger and larger making the lives of asset managers more and more difficult. Software vendors are coming up with new ways to count licenses every day and emerging technologies are creating more and more options for them. Whether it’s about counting per core processor on a server or counting virtual images in a desktop farm, these aspects add layers to the framework each day.
This is why it’s important to understand our framework isn’t meant to be a final model but just a model that is used as the starting point and able to evolve over time. Each time the framework is used to calculate for a new vendor or product with a new intricacy within the license models the framework will adapt and grow. What we mentioned earlier regarding firms doing these efforts ad-hoc and only when event triggers appear, rings more true when you take this into account. The concept of re-inventing the wheel is less and less efficient as the wheel becomes more and more complex.
If you could only give one piece of advice on this topic what would it be?
Being reactive is going to get more and more dangerous in software asset management. The need for consistent processes with intelligent models and effective tools is no longer optional. Third party software companies increasingly consider the audit function in their company a revenue generator. It isn’t necessary to create the “Cadillac” of SAM programs, though it is necessary to understand the risk and have strategic action plans against those risks with measurable goals to mitigate.
What is the most important lesson you have ever learned when it comes to ITAM?
Don’t trust the first set of data! One of the first large efforts we had to face was to calculate our commercial position against a single vendor, starting with a huge deficit of licenses. Initially the raw totals showed a huge amount of installs and low number of licenses. Although, as we went through the framework (and added a lot to it along the way), we peeled back the layers much like an onion and found one piece after the other. From realizing there were purchases of suites that covered many of the installs to understanding many of the Citrix instances were covered by licenses on physical desktops, we continued slowly to progress to a point where we ended up exposing that we were hugely over licensed for this product. This was so impactful to our understanding, we’ll be going over a sample to demonstrate this during our session at the IAITAM Conference this April.
Any final pieces of advice?
Software spend is one of the largest components of any organization’s IT budget, and while hardware cost is going down as it is becoming commoditized, software cost is, and will continue to be, increasing. Therefore management of your IT assets, specifically software, is very important. However, while we said the key piece of advice is you can’t continue to be reactive, that should be balanced with don’t “boil the ocean”. Understanding your commercial position for a vendor you hardly use or one you have a master services agreement with that covers you from risk is a waste of precious resources. This is the idea of our risk framework and will be explained more during our session. Although, even those not attending need to keep this in mind. Understanding your commercial position and its power sometimes means understanding its lack of power and knowing not to bother.