All organisations face risks with their software licenses. Some enterprise organisations will have hundreds of thousands of different applications and thousands of different software vendors installed within their environment. It is therefore unrealistic to make the ITAM or SAM team address all of the risks associated with the vendors and software installed within the environment. Organisations must prioritise which vendors to address first. With the processes in place based on the top vendor risks, the other, less ‘risky’ vendors will follow.
To identify the risks an organisation has with their software licenses they must have some sort of discovery or SAM tools in place. This will help the organisation to identify which software vendors or applications pose the greatest risk to the organisation, from either a financial standpoint or a compliancy standpoint. Usually, the biggest risks are found in the datacentre environment, as this is where the most complicated and expensive software licenses are found.
It is important that an organisation defines what ‘risk’ is when talking about software licenses. Do they want to address compliancy, reduce software licensing spend or be ‘audit ready’. All are linked anyway, but attempting to address all three issues at the same time can lead to over complications and the possibility of the process not being done correctly, and certain pieces of information being missed.
With the help of reliable, accurate data from whatever SAM tool or discovery tool is in place, an organisation can start to look at the top five, or ten vendors that they are going to focus on making ‘audit ready’ and compliant. It is likely that these vendors will equate to the majority of their software spend; therefore they are the biggest financial risk. They may not be the biggest compliancy risk, but organisations with thousands of different vendors and applications need to focus on their top five vendors, rather than addressing the whole estate.
There also needs to be an element of common sense. Your organisation may be horribly non-compliant on WinZip or cheap PDF software for example. The license for WinZip is about $30, whereas some Oracle or Microsoft software can cost tens of thousands of dollars. By prioritising and focusing on the top five software vendors within the organisation, the organisation will not waste time focusing on $30 software, when there are bigger risks to the organisation. Addressing hundreds of WinZip installs and risks can only result in thousands of dollars, whereas addressing one or two instances of Oracle Database software, or Microsoft SQL server software the organisation can save hundreds of thousands of dollars.
As mentioned previously, you need accurate data from a SAM tool or a discovery tool to identify where risk lie. You also need to match your install based to your license entitlement to identify the non-compliancy risks. We’ve listed our top 5 tips for prioritising your software risks:
- Identify top five vendors based on annual spending
- Identify the applications within those vendors with the biggest risks
- Identify biggest risks based on recent audits faced by the organisation, or up-and-coming audits
- Identify biggest non-compliancy risks (within reason)
- Identify software vendors/licenses that are complicated and subject to change (such as Oracle).
Which option an organisation picks is down to the ITAM strategy and overall goals. It also depends on the resources within the organisation, and expertise available to address and manage the risks.
The most common top 5 vendors include:
This is obviously based on experience, cost and the threat of audits. It may be different for your organisation.
Why should we prioritise? What are the benefits?
By prioritising software-licensing risks, an organisation can really focus on the vendors that are the biggest financial risks and also the vendors that are most likely to audit the organisation. This puts the organisations ITAM standing to a more mature operation, as they have identified the tops risks and are addressing them. Processes need to be implemented to ensure that the vendors are constantly monitored (once the risks have been addressed), and these processes can then filter down to the software vendors with less risk.
It also helps the organisations to be ‘audit ready’ and prepared for a vendor audit. They will know where the risks are, and know to address those risks before any audits. Furthermore, being audit ready also helps the organisation to understand its compliancy and define an effective license position (ELP). Being ‘audit ready’ is one of the big selling points and primary goals of SAM, so by prioritising software-licensing risks you are showing the value and need for SAM within the organisation. Another benefit is the fact that organisations will save money on software licenses. These may be actual savings, or theoretical savings. By addressing the risk organisations can also address any instances of software not be utilized correctly. Licenses not being used can then be recycled and transferred to another user, thus reducing the money spent on addressing the risk and also thus reducing the non-compliancy issues.
We are not saying that it is ‘ok’ to ignore non-compliancy or risks for cheaper software. Non-compliancy for any application or software vendor needs to be addressed, but it is not realistic to address all software vendors and applications at the same time. The likes of WinZip are unlikely to ever audit an organisation, whereas audits for Oracle, IBM, SAP, Microsoft and Adobe are frequent and sometimes very disruptive and negative for an organisation.
How do you prioritise which software vendors you focus on? Is it by most users, cost or the number of instances of non-compliancy? Let us know and leave a comment below.