Pity the poor chief information security officer (CISO). On one hand, their needs are real: emergent cybersecurity threats are increasingly sophisticated and numerous. On the other hand, the cost of defending against these threats follows the same trajectory. Organization’s resources are finite, but not investing in the right technology or tactics could place the organization in the same inauspicious gallery as Hollywood Presbyterian, Riviera Beach, or Colonial Pipeline. Then again, what other value-add IT services should be cut? There is one group inside the department who is in a position to help: IT Asset Management (ITAM). Few CISO and cybersecurity professionals realize the “hand in glove” relationship ITSec and ITAM should have.
In 2016, an article published in a technology research magazine insisted up to 30% of a corporation’s software budget could be cut by implementing a software asset management (SAM) program. The article identifies three best practice activities that must be performed to achieve this remarkable return:
- Optimize Software Configurations: make sure to use the features and tools you pay for, and avoid paying for features and tools you do not use.
- Recycle Software Licenses: remove unneeded software installations so the corresponding software license can be applied somewhere else.
- Use SAM tools: invest in specialty license management systems that can accurately calculate complex software license rules and point out cost-saving opportunities.
In many organizations, software-related expenditures make up a significant portion of the overall IT budget. Any reduction in that line item would fund a number of other projects, so IT Security needs to present a good case to justify redirecting some of those funds to them. Interdepartmental budget strategy sessions can be cutthroat, but most will respect the “Little Red Hen” rule: you only get the bread if you help with the baking. If our intrepid CISO is going to ask for a part of the savings ITAM can deliver, they need to demonstrate how their team, or tools, or data are actively helping in those three SAM practices.
Most ITSec professionals are familiar with the ISO/IEC 27000 standards, which require an “asset inventory” to be made of the corporate computing environment. The trouble is, the methodology of ISO 27000 focuses on information security management and does not provide necessary details and data attributes for effective SAM. But, dig deeper into the supporting standards and you will find ISO/IEC 19770, which specifically addresses ITAM and SAM process requirements. Last updated in 2017, it contains a maturity model constructed of three tiers:
- Tier 1: Trustworthy Data: knowing what you have so that you can manage it.
- Tier 2: Life Cycle Integration: achieving greater efficiency and cost-effectiveness throughout the asset lifecycle (i.e., purchasing, inventorying, using, recovering, and disposing).
- Tier 3: Optimization: achieving greater efficiency and cost-effectiveness across functional management areas.
In typical fashion, the ISO/IEC standards do not describe how “trustworthy data” is obtained or derived, but do describe four processes where ITAM will find “trustworthy data”:
- Change Management
- Data Management
- License Management
- Security Management
This makes sense; if IT Security is maintaining an asset inventory (as mandated by ISO 27000), why not harvest reliant parts of their data to build out an asset inventory for a SAM tool just like one prescribed in the aforementioned Gartner article!
Is that enough, though, for a typical CISO to claim a portion of the ITAM savings for their own expenditures? Maybe not, but let’s consider the second cost-savings source from the Gartner article: recycling software licenses. Typical security vulnerability tools are licensed by either the software agents deployed and installed on objects discovered within the computing environment, or by total found objects discovered in a passive sweep of IP address ranges. Unfortunately, IT Security might not catch and remove retired, duplicated, or incorrect records from its own asset inventory lists. That, in turn, risks an over-count of needed licenses and an over-charge to IT Security’s budget. However, if IT Security partners with ITAM and purges recovered and disposed asset inventory records from its vulnerability tools, the overall total cost of ownership for IT Security’s tooling can be significantly reduced. And those savings will unarguably return to IT Security.
The final factor—optimizing software configurations—might seem like a stretch, but IT Security does have a say in the matter. Consider this example: while advising a client a few years ago, the IT Security department identified a number of high-risk security vulnerabilities in the corporate-standard PDF viewer. The CISO recommended removing the standard issued software outright before the next phishing attack successfully exploited the known bugs within the tool. The IT Service Support team resisted, arguing re-platforming to the IT Security recommendation would be too costly and could be rejected by the end-user community. The ITAM team stepped in, identified a comparable tool with more features than currently offered (satisfying the end-users), with a better vulnerability score (satisfying IT Security’s concerns), and at a total-cost-of-ownership of 60% less than the current PDF standard (more than covering the cost of deploying the new tool). The moral of the story: simply by engaging ITAM, the CISO was able to improve the security position of his organization without incurring any extra cost to his department nor the rest of the organization.
Modern IT Security initiatives are necessary and expensive. Smart CISOs should always be on the lookout for cost-reduction and spend-justification opportunities. Both best business practice proponents and independent researchers identify the IT Asset Management team as a willing partner. By working together, ITAM and ITSec can improve the overall organization’s security position and simultaneously reduce the overall cost-of-ownership for IT.
- “Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating”, 18Feb2016, Los Angeles Times
- “How Riviera Beach left the door wide open for hackers”, 21Jun2019, Palm Beach Post
- “Cybersecurity Attack Shuts Down a Top U.S. Gasoline Pipeline”, 8May2021, NPR
- “Cut Software Spending Safely With SAM”, 16Mar2016, Gartner ID: G00301780
- International Standard ISO/IEC 19770 — Information technology, asset management, Third edition 2017-12
About the Author:
Jeremy L. Boerger, the ITAM Coach, founded BOERGER CONSULTING with the idea of helping organizations “cut their software budget without buying less software.” He speaks professionally to pass along his 20+ years’ experience to the next generation of ITAM and SAM professionals. His book, “Rethinking Information Technology Asset Management,” is in paperback and ebooks. For more, visit www.boergerconsulting.com.
Modern Contractor Solutions, June 2023
Did you enjoy this article?
Subscribe to the FREE Digital Edition of Modern Contractor Solutions magazine.