What kind of assets/licenses do your programs track? Do you cover only assets and licenses paid by IT, or, do you cover all Technology Assets regardless of who pays for them? What are the pros and cons to each model?
I’m fairly new to ITAM and this is my first post, so please let me know if I can make improvements myself. Every organization varies in size, so there isn’t any one-size-fits-all solution that I’ve come across.
It would be a good idea to track assets through a variety of types of programs. Having a management agent installed on every device would report programs and licenses on devices. Having an agentless program on a server would sweep the network for activity and provide up-to-date reports on your devices on the network. Having a service-request ticketing system to track devices through their life-cycle from purchase-order to end-user would also be ideal for physical asset tracking and documentation of devices that cannot be tracked, such as monitors or miscellaneous equipment.
Personally, I’d only cover assets and licenses that have gone through IT in some regard. Devices and software licenses purchased outside of IT’s knowledge and approval are not secure, tracked, or managed.
I think it would be wise to define ownership and assignment of devices and licenses. In a previous position of mine, all equipment purchased through the IT department was owned by IT but leased out to departments. This method allowed for upgrades to newer models on a tight schedule on a specific “device refresh/upgrade” budget, without dipping into individual cost centers of other departments. This is fantastic for governance, as everything goes through IT and thus the ITAM channels for documentation and tracking purposes. Any department making requests outside of this schedule would have to pay the difference in costs compared to the standard models.
I’d also love to hear more about other models, and how they impact their respective ITAM groups.
Let me know if you would like some clarifications! This is the short-hand summary of a much longer write-up I’ve worked on.
In a perfect world, everything would be tracked and managed, including Free/Open Source Software and “shadow IT” installed by anyone. Especially from a security standpoint, there’s a lot of value in having that data available on hand. But it’s also not realistic or cost-effective to track and manage everything, especially when starting a new ITAM initiative/program (the old ‘don’t try and boil the ocean’ adage).
Your organization may not fall cleanly within these lines, but performing a spend analysis can help determine what your scope should be (i.e. how much $ is being spent on a publisher, or perhaps on individual software). If 80% of your spend is with 10 publishers, that is likely going to be your primary/initial concern. In addition to spend, though, you should also prioritize based on the relative audit risk of those publishers.
I also often encourage creating “tiers” of management. E.g. Tier 1, 2, 3, where Tier 1 would be actively managed or managed by a SAM managed service provider, Tier 2 would have regularly scheduled reviews, while Tier 3 publishers would be tracked from a data standpoint but any reviews would be purely reactionary. When you’re managing 900+ software publishers in a large organization, a strategy like this is a necessity.
Having the scope and strategy of your program defined is very important to its success! Every organization is a little different, though, in structure, centralization, size, technology, and resources, all of which impact that decision.
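The spend analysis and tiering described in this reply, as an added worked example (this is not the poster’s own tooling; the publisher names, spend figures and the 1–3 audit-risk scale are all constructed for illustration, and the tier rules are one possible reading of the reply’s Tier 1/2/3 scheme):

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Publisher:
    name: str
    annual_spend: int   # whole currency units (integers avoid float rounding)
    audit_risk: int     # assumed scale: 1 = low, 2 = medium, 3 = high


# Constructed sample data; figures are not from any real organization.
PUBLISHERS: List[Publisher] = [
    Publisher("Alpha Corp", 400_000, 3),
    Publisher("Beta Soft", 250_000, 2),
    Publisher("Gamma Systems", 150_000, 3),
    Publisher("Delta Tools", 80_000, 1),
    Publisher("Epsilon Labs", 60_000, 2),
    Publisher("Zeta Utilities", 40_000, 3),
    Publisher("Eta Plugins", 20_000, 1),
]


def spend_concentration(publishers: List[Publisher], share_percent: int = 80) -> List[Publisher]:
    """Return the smallest set of top-spend publishers that together reach
    `share_percent` of total spend (the '80% of spend with N publishers' check)."""
    total = sum(p.annual_spend for p in publishers)
    ordered = sorted(publishers, key=lambda p: p.annual_spend, reverse=True)
    core: List[Publisher] = []
    cumulative = 0
    for p in ordered:
        core.append(p)
        cumulative += p.annual_spend
        # Integer comparison: cumulative/total >= share_percent/100
        if cumulative * 100 >= share_percent * total:
            break
    return core


def tier_publishers(publishers: List[Publisher], share_percent: int = 80) -> Dict[str, int]:
    """Assign a management tier to each publisher.

    Tier 1: in the top-spend set OR high audit risk (actively managed).
    Tier 2: medium audit risk (regularly scheduled reviews).
    Tier 3: everything else (data tracked, reviews only reactively).
    """
    core_names = {p.name for p in spend_concentration(publishers, share_percent)}
    tiers: Dict[str, int] = {}
    for p in publishers:
        if p.name in core_names or p.audit_risk >= 3:
            tiers[p.name] = 1
        elif p.audit_risk == 2:
            tiers[p.name] = 2
        else:
            tiers[p.name] = 3
    return tiers


if __name__ == "__main__":
    core = spend_concentration(PUBLISHERS)
    print("Publishers covering 80% of spend:", [p.name for p in core])
    for name, tier in sorted(tier_publishers(PUBLISHERS).items(), key=lambda kv: kv[1]):
        print(f"Tier {tier}: {name}")
```

Note that a low-spend publisher with a high audit risk (Zeta Utilities in the sample) still lands in Tier 1: the reply's point is that audit exposure, not just dollars, should drive how actively a publisher is managed.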
I think the previous responses indicate wisdom about only trying to manage what you have control over. That certainly makes things easier.
But I feel I must point out that the risks to the organization exist whether or not IT manages those assets. A software vendor bringing an audit isn’t going to care whether or not IT manages the licenses, and the scope of the audit will be the entire organization. A laptop disposed of without being properly sanitized still contains organizational data. These events still put the organization at risk.
I’m speaking from the perspective of existing in central IT but in a highly decentralized environment. (Central IT manages about 40% of devices in our org and central SAM manages about 8% of total org spend on software.) Not only does this mean ITAM doesn’t have much control over our risk profile, we don’t have as much opportunity for optimization.
The ramifications for us are that we can’t be as proactive as we’d like, and must be prepared to jump in from a reactive stance and perform “damage control”, and from there be prepared to offer to manage the assets or processes in question ongoing. (And be prepared for someone to say “no thanks”.) We’ve made progress with this approach, but it is slow. To stretch the analogy, we aren’t boiling the ocean, we are putting a teabag into the ocean and hoping global warming heats it up enough to make the effort worthwhile. (It just so happens that this figurative ocean IS heating up - software audits, ransomware, etc. on the rise - so it shows some progress.)
Thanks, everyone, for your feedback! I agree that ITAM should track all technology, not just what IT owns. In my environment, I’ve seen the pendulum swing between centralization and decentralization, where now assets and licenses can be purchased anywhere in the company. This gets very difficult when multiple cost centers have pools of the same license. If all cost centers aren’t being tracked, you could have a huge compliance issue on your hands! It requires a lot of buy-in and coordination between procurement, finance, and IT to keep it all together, reminding them and the cost center owner that it doesn’t matter who is paying for the asset or license; it needs to be tracked holistically or the entire company is at risk for loss during an audit event.