software asset management seminar feb2-2016 · © 2016 deloitte & touche (m.e.) –software...

Jan Corstens Software Asset Management (SAM) Seminar

Jan Corstens

Software Asset Management (SAM)

Seminar

© 2016 Deloitte & Touche (M.E.) – Software Asset Management Seminar

Agenda

Introduction

Software Asset Management

Industry Standards

SAM Technologies

Software Asset Management: The Deloitte Offering

The Deloitte Managed Platform

Q&A

Who Has Been Audited? Brainstorm

Who has a SAM organization? Knowledge Check

Software Asset Management

Overview: Software Asset Management

While Software Asset Management (“SAM”) has been on the corporate agenda for well over 10 years, it has been difficult for organizations to both justify and execute SAM initiatives. But this is changing and cost reduction is a key driver.

With the rise in the number of software vendor audits and increasing complexity within IT environments, risk-focused organizations are increasingly focused on Software License Compliance and mitigation of financial, operational and reputational risks associated with the deployment of software within large complex organizations through Software Asset Management.

ITAM Objective

The International Association of IT Asset Managers defines ITAM as “maintaining life-cycle management information for IT assets throughout the organization.”

ITAM includes the “development and maintenance of policies, standards, processes, systems and measurements that enable the organization to manage IT assets with respect to risk, cost, control, governance, compliance and business performance objectives as established by the business.”

ITAM Focus Areas

1. Software Asset Management (SAM)
IT Infrastructure Library (ITIL) describes SAM as “all of the infrastructure and processes necessary for the effective management, control and protection of the software assets within an organization, throughout all stages of their lifecycle.” Included in SAM is Software Lifecycle Management.
• The goals of SAM are to reduce IT costs and limit operational, financial and legal risks related to the ownership and use of software.

2. Hardware Asset Management (HAM)
Hardware Asset Management can be described as having a deep understanding of the tangible assets within an IT environment. This Hardware Asset Lifecycle Management includes lease and depreciation management.
• The goals of HAM are to accurately anticipate business needs, reduce risk of license discrepancies, and retain business efficiency.

3. Other focus areas of ITAM include (but are not limited to):
Contract Management as it relates to physical and intangible IT assets; Finance and Cost Management; IT Policies and Procedures Management; Service Life Cycle Management (ITIL).

Main Goals: Software Asset Management

The goals of SAM are to optimize IT costs and limit operational, financial, and legal risk related to the ownership and use of software.

[Diagram: Software Asset Management, with the labels Cost Optimization; Risk – Legal & Regulatory; Asset Management; Risk – Software Audits; Organizational Governance; Security, and a cost ($) scale labelled Over Licensed and Out of Compliance.]

SAM Risks and Drivers: Software Asset Management

Most companies start to think about asset management in response to an audit. There are other elements of risk faced by companies which allow SAM to be introduced in a proactive manner.

[Diagram: Software Asset Management, with the labels Cost optimization; Risk – legal and regulatory; Asset management; Risk – software audits; Organizational governance; Security.]

Control of software assets
• Monitoring and tracking of software in use is difficult
• No “silver bullet” technology solution
• Diverse and complex software licensing models
• Reallocation of software licenses when hardware is moved or decommissioned

Risk of a Software License Compliance Audit
• License Compliance Audits are on the rise – Gartner continues to predict an increase in vendor audits
• Software vendors use license compliance audits to decrease squeeze on margins
• Software industry alliance “bounties”

Organizational governance
• Getting compliant and staying that way also helps eliminate the potential damage to reputation that could arise from a legal dispute
• Compliance with industry standards

Limit legal risk
• Properly implementing SAM limits legal and financial exposure should problems with software licenses arise
• Select industries have regulatory requirements on SAM

Security
• Without the ability to inventory and control software installed and allowed to run on their hardware, organizations make their systems more vulnerable to security threats
• Inventory Open Source software to understand what is in use and what could potentially introduce security risks to the organization

Cost Optimization
• Organizations may be over-licensed and paying maintenance costs for software licenses not being used
• Software is a significant component of IT spend

[Diagram: cost ($) curve labelled Over Licensed, Optimal and Out of Compliance. Caption: Lack of Controls = Large Recurring Expenses]

Why SAM? Software Asset Management

• 88% of customers audited have unrealized cost savings averaging over 20% of their annual S&M spend [1].

• A mature SAM program can save 3-5% of your total IT spend [1].

• Organizations may be over-licensed and paying maintenance costs for software licenses not being used [1].

• By 2017, Gartner predicts that enterprises will be spending ten times more on their Software Asset Management services than they do on their SAM tools [2].

• Without the ability to inventory and control software, organizations make their systems more vulnerable to security threats.

• Open Source software introduces security risks to the organization.

• Properly implementing SAM limits legal and financial exposure should problems with software licenses arise [1].

• Select industries have regulatory requirements on SAM [1].

• Software typically represents 8-10% of a total IT budget.

• Common for an organization to have 50+ software vendors and hundreds of contracts.

• Compliance with industry standards.

• Gartner 2011 Poll: 35% (2007) to 65% (2011) chance of getting audited [1].

• Seeking to increase revenue, software vendors will initiate twice as many audit requests in 2014 as in 2013 [3].

• Top software vendors auditing: IBM, Adobe, Microsoft, Oracle, SAP [1].

• “Organizations will increase their investments in Software Asset Management by 35% over the next 18 months” [3].

• The interest in SAM Managed Services is being driven primarily by a severe shortage of individuals with hands-on licensing, audit and SAM implementation expertise [4].

• Licensing rules and metrics are constantly changing.

• Emerging technologies (virtualization, cloud, BYOD) make tracking software more challenging.

Sources:
[1] Gartner, Inc. | G00230816 - Software Vendor Auditing Trends: What to Watch for and How to Respond. Published: 23 May 2012.
[2] Gartner, Inc. | GG00254975
[3] Konary, Amy. "Worldwide Software Pricing and Licensing 2014 Top 10 Predictions." 2014. PDF file.
[4] Thompson, Martin. "Group Test – SAM Managed Service Providers - A competitive comparison of specialist SAM providers." Jan. 2014. PDF file.

Case Studies: Software Asset Management

• USD 2.5M in average license cost savings
• 56% potential financial liability identified [1]
• 23% cost savings identified in annual software maintenance spend [2]
• USD 225K potential financial liability identified [1]
• USD 2M avoided through server reconfigurations [1]
• USD 5.4M in potential financial liability [1]
• 7000 instances of non-essential software [1]

Bottling company

Process risk assessment and license baseline performed. Process gaps identified. $5.9M in potential financial liability identified.

Real estate company

Process risk assessment and license baseline performed. Process gaps identified. $225K in potential financial liability identified.

In the software license assessments that Deloitte has performed, clients had unrealized cost savings averaging 23 percent of their annual maintenance spend.

Automotive manufacturing company

Process risk assessment and license baseline performed. $2M in financial liability avoided through server reconfigurations.

Educational company

Process risk assessment, license baseline, and security analysis performed. Process gaps identified. $5.4M in potential financial liability identified. Over 7,000 instances of non-essential software installed. Low (<50%) compliance with security patching.

Source 1: Deloitte 2013 SAM for IA Brochure

Source 2: Deloitte results and analytics related to cost savings / avoidance come from a dataset composed of roughly one thousand software license assessments performed across 20 countries between 2009 and 2012. Included data was normalized, removing outliers and calculating values at software list price.

Internal Audit and SAM

IA and IT's Role for SAM: Internal Audit and SAM

How IA and IT can help

• SAM Process Risk Assessment – Benchmarking against leading industry practices
• Software License Baselines – Comparing software deployments against license entitlements
• Software Security Risk Assessment – Analysis of non-essential software and security patch deployment
• SAM Transformation Efforts – strategy, organizational structure development, process design, etc.
• SAM Tooling – Implementation and configuration assistance

Other cost optimization opportunities

• Software Procurement Optimization
• Software Vendor Audit Readiness
• Software Contract Negotiation Support
• Software Portfolio Rationalization
• Strategic Vendor Sourcing

Items to cover within an Internal Audit Plan: Internal Audit and SAM

Deloitte SAM Framework

Deloitte SAM Framework

A. Strategy & Policies
Strategy and policies to define the SAM program vision and objectives and outline activities and initiatives necessary to achieve the vision and goals
• Vision & Objectives
• Policies & Procedures

B. People
SAM roles, responsibilities, and reporting requirements to execute and monitor the SAM process as well as communication and training to educate stakeholders and promote organizational alignment
• SAM Organization
• Governance & Performance Metric
• Communication & Awareness

C. Data
Data standards to meet performance metrics and reporting requirements
• Data Model & Standards
• Data Validation

D. Technology
Tools and technology to streamline processes and improve data accuracy and timeliness
• Software Asset Repository
• Software Discovery
• Software Metering & Usage

E. Lifecycle Process
Formal processes to manage the lifecycle – forecast and request; analyze and procure; installation and maintenance; monitor and track; decommission and reuse.
Software Asset Management Lifecycle:
• 1.0 Forecast & Request
• 2.0 Analyze & Procure
• 3.0 Install & Maintain
• 4.0 Monitor & Track
• 5.0 De-commission & Reuse

SAM Lifecycle Processes: Deloitte SAM Lifecycle

The Lifecycle Process pillar of the Software Asset Management Framework can be broken down into various activities:

1.0 Forecast and Request
• 1.1 Collect and aggregate forecast data
• 1.2 Collect and aggregate software acquisition requests

2.0 Analyze and Procure
• 2.1 Review and assess new / incremental software demand
• 2.2 Perform a product rationalization analysis
• 2.3 Validate license availability for installation requests
• 2.4 Review acquisition requests and procure software licenses

3.0 Install and Maintain
• 3.1 Install software
• 3.2 Respond to and resolve software license inquiries
• 3.3 Manage software license financial treatments

4.0 Monitor and Track
• 4.1 Maintain software catalog
• 4.2 Maintain software contract inventory
• 4.3 Maintain software license inventory
• 4.4 Assess, analyze and report software compliance
• 4.5 Track software compliance issue remediation

5.0 Decommission and Reuse
• 5.1 Review software / hardware decomm requests
• 5.2 Review personnel change impacts
• 5.3 Uninstall software

Software Asset Management Technologies

Tool Introduction: Software Asset Management

A wide variety of tools exists in the market today; as a result, multiple definitions exist:

“A tool that provides insight in the licenses owned versus licenses consumed”

“A tool that collects and/or consolidates information about software that is installed and/or executed on servers and workstations”

“A tool that helps organizations with their SAM efforts”

Most Popular Tools: Software Asset Management

Tool Functionality: Software Asset Management

SAM tool functionalities can be placed in 4 broad categories:

• Contract Management & procurement
• IT Systems management
• License reconciliation
• Discovery

Tool Benefits: Software Asset Management

A dedicated SAM tool offers a wide range of benefits:

• Optimization of software spend: a SAM tool will strengthen the client’s position during contract negotiations with the software vendor

• Cost allocation: by providing a complete view into the software estate, costs can be assigned to cost centers based on objective criteria

• Security: a SAM tool will provide insight into installed applications; system administrators have a direct overview of version levels and unwanted software

• Audit risk mitigation: the information provided by a SAM tool can be used to continuously minimize the software license compliance risk. This will increase audit readiness and reduce the effort required to provide data requested by the auditor.

Tool Drawbacks: Software Asset Management

Common drawbacks for SAM tools:

• SAM tools need a SAM framework: after all, it’s only data!

• Some specific T&C's are not or cannot be covered by tools

• Manual input required

• Complex product bundles and OEM software are not always handled well

• Specific skillset required to interpret tool data

• Implementation risk: tool coverage & configuration

• Undiscovered software: not all tools perform equally well in software discovery

• Possible to avoid detection

Tools Assessment Factors: Software Asset Management

When considering the implementation of a SAM tool, it’s important to consider the following criteria:

• Is the tool compatible with the IT landscape (Linux, Unix, Windows, z/OS...)?

• Will the tool cover your most important product vendors?

• What would be the optimal technical setup (agentless, accessible via internet, Cloud based...)?

• Is compatibility with existing tools necessary (e.g. ILMT required for IBM)?

• What is the cost of the tool compared to the software spend?

• Will the tool help achieve your primary SAM goals, and is it compatible with your SAM framework?

• Others?

Tool Conclusion: Software Asset Management

Many different SAM tools exist, all with their own strengths and weaknesses:

• There is no ‘silver bullet’

• Any SAM tool can be fit for purpose, as long as it fits your SAM goals

• No tool can replace license expertise and SAM processes

• Manual input and user scrutiny will always be required

• SAM is just the beginning: actions need to be taken on the output of the tool

The Deloitte SAM Offering

Delivery models: The Deloitte SAM Offering

Type of Team Structure, with Pros and Cons:

Fully Insourced SAM Team
Pros:
• Highest degree of management control over discrete processes
• Clear reporting lines / authority to effect change
• Internal team may know the business landscape and drivers better
Cons:
• Difficult to identify and retain necessary SAM specific expertise in house
• Can be challenging to scale (up or down) to meet the needs of the business
• Requirement to build vendor specific software discovery and licensing knowledge base

Fully Outsourced SAM Team
Pros:
• Turn-key operation
• Tap into a global knowledge base of processes, procedures, methodologies and playbooks to accelerate SAM efforts
• Ease in scaling up or down the team
• Velocity – faster set up / maturity
• More expertise delivered
Cons:
• Highly dependent on outsourcer to achieve business value
• Lower authority to effect change; potential resistance from BUs

Hybrid SAM Team
Pros:
• Focus the internal team on the core SAM business while delegating time-consuming tasks externally
• Most flexibility in scaling up or down the team internally and externally
Cons:
• Not as turn key as outsourced
• Access to some, but not all, global knowledge bases
• Clear lines of responsibility needed

Deloitte Service Offering: The Deloitte SAM Offering

[Diagram: Software Asset Management service offering, with the following labels]

• SAM process risk assessments
• SAM policy, procedures, and roles development
• Strategy & organizational structure development
• SAM program assessment, design and implementation
• Software License Optimization
• Software Vendor Rationalization
• SAM training
• SAM point solutions
• SAM tools installation and configuration
• Contract Administration
• System Implementation
• SAM tools
• SAM transformation
• SAM Managed Services
• Continuous SAM compliance

Deloitte Managed Platform: Software Asset Management

Inventory data
• Hardware information
• Software installations
• Software Usage
• Users
• Virtualization

Business data
• Entitlement and purchase history
• Ownership and organisational structure
• Asset information and Configuration Item (CMDB)
• Contract management
• Helpdesk

Output data
• Compliance reports
• Decision support
• Statistics
• Risk analysis

Deployment
• Active Directory
• Install software
• Uninstall software

Advanced configuration
• PowerShell scripts
• Custom compare value
• Database XML import

3rd party systems
• ERP
• Document Management System
• Helpdesk/Service Desk
• CMDB

Integration via:
• API/SDK
• Import/export
• E-mail
• RSS

Inventory data sources (collection and delivery of customer data)
• 3rd party inventory
• Cloud / Virtual
• SaaS
• XenApp
• ThinApp
• VMware ESX
• App-V
• Hyper-V
• D.Platform
• D.Platform SW Recognition

Contacts

Jan Corstens
Global CRC Partner Deloitte BEESL & Alliance Lead EMEA
+32 2 800 24 [email protected]

Huzaifa Hussain
Senior Manager, Deloitte ME
+971 555 [email protected]

Tariq Ajmal
CRC Partner, Deloitte [email protected]

Aditi Babla
Senior Manager, Deloitte [email protected]

IIA UAE Technology Subgroup – Deputy Chairman
Presenter on Software Asset Management
IIA UAE Technology Subgroup – CRC SME
IIA UAE Technology Subgroup

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s more than 200,000 professionals are committed to becoming the standard of excellence.

About Deloitte & Touche (M.E.)

Deloitte & Touche (M.E.) is a member firm of Deloitte Touche Tohmatsu Limited (DTTL) and is the first Arab professional services firm established in the Middle East region with uninterrupted presence since 1926.

Deloitte is among the region’s leading professional services firms, providing audit, tax, consulting, and financial advisory services through 26 offices in 15 countries with more than 3,000 partners, directors and staff. It is a Tier 1 Tax advisor in the GCC region since 2010 (according to the International Tax Review World Tax Rankings). It has received numerous awards in the last few years which include Best Employer in the Middle East, best consulting firm, and the Middle East Training & Development Excellence Award by the Institute of Chartered Accountants in England and Wales (ICAEW).

© 2016 Deloitte & Touche (M.E.). All rights reserved.