Software presents a particularly vexing problem for most organisations. On one hand, enterprise applications are mission-critical, running every facet of operations, from front-office to back-office. On the other hand, software is one of the most difficult of corporate assets to manage – resulting in massive financial waste, inefficiency, and also cybersecurity risk.
The Challenges of Software Asset Management (SAM)
Most organisations spend approximately 25 percent of their IT budgets on software. But unlike physical assets like desks, chairs or machines, software is an extremely difficult asset to keep track of and inventory. Consider all the desktops, laptops, mobile devices, servers and clouds onto which software is installed. Beyond the logistical challenge of keeping track of all those devices and the software they contain, the problem gets exponentially more complicated when you consider what happens to that software when machines are purchased and retired, employees update it on their own and bring in additional applications, employees are hired and leave the organisation, and when mergers and acquisitions occur.
Moreover, organisations not only have to keep track of the physical location of software, but they must also track how that software is being used – and whether that use is compliant with the software contract. For instance, each license agreement contains dense and complex terms pertaining to usage that must be tracked, managed and understood to ensure compliance. If usage exceeds those terms, the organisation would be considered out of compliance, and therefore subject to unbudgeted “true-up” penalties that can and often do run into tens of millions of dollars per application (per year). The contrary is also true: if those licenses aren’t being fully utilised then a company has purchased “shelfware”, unused or underused software that is sitting idle.
The Cost of Unmanaged Software
According to a recent report by IDC, software license complexity will indirectly cost organisations an average of 25% of their annual software license budgets. To address this issue, leading organisations have implemented comprehensive Software License Optimisation programmes, consisting of people, processes and automation technology – that substantially eliminate the inefficiencies, waste and unbudgeted software license compliance risk associated with an unmanaged software estate.
According to Gartner, the six critical elements performed by a Software License Optimisation solution should include:
- Platform discovery
- Platform and software inventory
- Normalising inventory
- Reconciling external information
- Optimising license position
- Sharing information
The implementation of Software License Optimisation programmes is generally undertaken by the IT Asset Management (ITAM) or SAM teams within the IT Operations group.
Cybersecurity Risks of Unmanaged Software
An unmanaged software estate also creates tremendous cybersecurity risk for organisations. Security standards and requirements frameworks have been developed by myriad organisations, including the SANS Institute, which has created a prioritised list of security controls essential to help improve organisations’ risk posture against real-world threats.
The first of the prioritised Critical Security Controls identified by SANS focuses on organisations’ ability to actively manage (inventory, track and correct) all hardware devices on the network. The second focuses on inventory of authorised and unauthorised software. Organisations must actively manage (inventory, track and correct) all software on the network so that only authorised software is installed and can execute, and so that unauthorised and unmanaged software is found and prevented from installation or execution. The important role that Software Asset Management plays in cybersecurity was also stressed in a recent Business Software Alliance (BSA)/IDC report, which demonstrated that the more unlicensed software running on an organisation’s network, the greater the malware risk. The report concludes that lowering the incidence of unlicensed software will lower cybersecurity risk.
Indeed, software vulnerabilities are the exploitation vehicle for cybercriminals, who routinely use vulnerabilities in software as gateways into corporate networks. 60% of attacks in recent years were performed with commercialised exploit toolkits, sold in the underground, allowing anyone to become a cybercriminal. Over 65% of the top threats used vulnerabilities to infect machines and perform malicious activities. The average cost of cybercrime is over $12.7 million per organisation in the US, and the average financial loss was up over 34% in 2014 over 2013 – and high-profile breaches can run in the hundreds of millions of dollars, not to mention the brand and reputational damage they inflict.
According to a recent report by Secunia (recently acquired by Flexera Software), during 2014, 15,435 vulnerabilities were discovered in 3,870 software products, a 55% increase in vulnerabilities continuing a 5-year trend. 83% of all vulnerabilities had patches available on the day of disclosure, proving that you can patch most vulnerabilities if you know what to patch.
For this reason, Software Vulnerability Management has become an essential component of any secure organisation’s overall security framework. Software Vulnerability Management consists of two essential components, starting with vulnerability intelligence and assessment. This incorporates research and tools to identify and validate software vulnerabilities; discovery of corporate hardware and software assets so CSOs can know whether known vulnerabilities exist on the corporate network (the same discovery and inventory is also needed for effective SAM, as noted above); tools and workflow to assess and prioritise those risks; and continuous reporting to provide intelligence and transparency into the process.
In addition, Software Vulnerability Management includes security patch management to apply remediation patches to known vulnerabilities, tools to test those patches and package them before handing them off to the deployment system, and reporting capabilities to verify that the patch has, indeed, been installed.
Where SAM and Cybersecurity Intersect
As noted above, both SAM and cybersecurity fundamentally require organisations to have in place the ability to effectively, comprehensively and continually discover and inventory their hardware and software assets. IDC has also connected the dots between cybersecurity and ITAM in a recent report,[3] which found that the assurance of clean IT asset data to properly assess the vulnerability of existing software and hardware can be a significant enhancement to the effectiveness of managing cybersecurity and application performance. IDC recommends that future ITAM initiatives focus first on the demands of IT security.
For Software License Optimisation, software/hardware discovery and inventory functions are currently performed largely by ITAM or SAM teams within the IT Operations group. Likewise, effective cybersecurity principles and Software Vulnerability Management fundamentals also require effective, comprehensive and continual software and hardware asset discovery and inventory. Today these tasks are being unnecessarily performed by both IT Security and IT Operations teams within organisations – a significant duplication of effort.
The challenge then is for organisations to recognise that siloed SAM and security teams are, in fact, undertaking duplicative activities under the auspices of different strategic initiatives – Software License Optimisation and Software Vulnerability Management. This is not only wasteful and inefficient – but it can also result in gaps in coverage and risks, when one department isn’t aware of the other’s activities, or isn’t performing the same activity with the same processes or equal thoroughness. SAM and cybersecurity have already converged – enterprises need to reflect this reality by adapting their operations – merging overlapping SAM and security efforts quickly to reduce wasteful software spend, while simultaneously eliminating a dangerous cybersecurity gap.
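As an added example, not from the article or from any Flexera product, the Python below shows how one normalised software inventory serves both programmes at once: the SAM steps (discovery, normalising inventory, reconciling entitlements into a license position with true-up and shelfware outcomes) and the Software Vulnerability Management question of which hosts run versions a vulnerability feed marks as affected. The hosts, products, seat counts and vulnerable versions are constructed placeholders, not real advisories.

```python
"""Added example (not from the article): one normalised inventory feeding both
the SAM license position and the vulnerability exposure view. All data is constructed."""
from collections import Counter

# Raw discovery output as agents report it, with the inconsistent publisher
# and version strings that make normalisation necessary (constructed data).
RAW_INVENTORY = [
    {"host": "ws-01", "publisher": "Acme Corp.", "name": "Acme Office", "version": "12.0.1"},
    {"host": "ws-02", "publisher": "ACME Corporation", "name": "Acme Office", "version": "12.0.1.0"},
    {"host": "ws-03", "publisher": "Acme Corp", "name": "acme office", "version": "11.2"},
    {"host": "srv-01", "publisher": "Globex", "name": "Globex DB", "version": "9.4"},
    {"host": "srv-02", "publisher": "Globex Inc.", "name": "Globex DB", "version": "9.4.0"},
]
# Seats purchased per normalised product key (constructed entitlements).
ENTITLEMENTS = {"acme/acme office": 2, "globex/globex db": 5}
# Vulnerability intelligence: product key -> affected versions (constructed
# placeholders standing in for a real feed, not actual advisories).
VULNERABLE = {"acme/acme office": {"11.2"}, "globex/globex db": {"9.4"}}

def normalise(record):
    """Reduce a raw record to a canonical (host, product_key, version) tuple."""
    publisher = record["publisher"].split()[0].lower().rstrip(".,")
    product = f"{publisher}/{record['name'].strip().lower()}"
    parts = record["version"].split(".")
    while len(parts) > 2 and parts[-1] == "0":   # 9.4.0 and 9.4 are one release
        parts.pop()
    return record["host"], product, ".".join(parts)

def license_position(inventory, entitlements):
    """Installs vs. seats owned: surplus is a true-up exposure, idle seats are shelfware."""
    installed = Counter(product for _, product, _ in inventory)
    position = {}
    for product in set(installed) | set(entitlements):
        have, own = installed[product], entitlements.get(product, 0)
        status = "true-up" if have > own else "shelfware" if have < own else "compliant"
        position[product] = (have, own, status)
    return position

def vulnerability_exposure(inventory, vulnerable):
    """Hosts running a version that the vulnerability feed marks as affected."""
    return sorted(e for e in inventory if e[2] in vulnerable.get(e[1], set()))

INVENTORY = [normalise(r) for r in RAW_INVENTORY]

if __name__ == "__main__":
    for product, (have, own, status) in sorted(license_position(INVENTORY, ENTITLEMENTS).items()):
        print(f"{product}: installed={have} entitled={own} -> {status}")
    for host, product, version in vulnerability_exposure(INVENTORY, VULNERABLE):
        print(f"{host}: {product} {version} is a known vulnerable version")
```

The same three-tuple list answers both teams' questions, which is the duplication the article argues should be eliminated; in practice the raw records would come from the discovery tooling and the entitlement and vulnerability data from the SAM repository and a vulnerability intelligence feed.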
[1] IDC, Market Analysis Perspective: Worldwide Software Licensing and Provisioning, 2015, Amy Konary, Research Vice President, September 2015.
[2] Gartner, Focus Your SAM Tool RFP on Six Requirements for Best Results, Hank Marquis, September 10, 2015.
[3] IDC PeerScape: Practices for IT Asset Management, Bill Keyworth, July 2015.
About Mark Bishof
Mark Bishof has served as President and Chief Executive Officer since 2008. Prior to Flexera Software, Mark served as General Manager and Executive Vice President of Macrovision’s (now Rovi) Software Business Unit. Prior to that, he led worldwide sales, services, channels and alliances for Macrovision.
Before joining Macrovision, Mark held executive positions at IBM, including Vice President of worldwide industry solutions sales and Vice President of worldwide sales for WebSphere Business Integration. Mark was brought into IBM as part of the company’s acquisition of CrossWorlds Software, where he was Senior Vice President of global sales and services.
Earlier in his career, Mark was a Partner at Deloitte Consulting in the Global Telecommunications & Media practice. He has also worked as an Associate with Booz-Allen Hamilton and as a consultant to Warburg Pincus in their Information Technology and Communications practice. Mark holds a Bachelor’s degree in Computer and Information Management Science from the University of Maryland.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.