The current climate of company mergers and downsizing is putting CIOs under pressure to keep the lid on software costs which now account for nearly a third of the average IT budget. Add to the mix software suppliers who are more determined than ever to make sure their customers pay for all the programs they use and software asset management (SAM) seems a no-brainer.
SAM, the process of recording what software licences an organisation has bought and making sure they match up with the programs that staff actually use and the way they use them, not only heads off the unwelcome attention of software suppliers and their lawyers, but can also cut costs.
“If you are on top of your game you save money,” confirms Bobbie Ttooulis of services and software firm Computacenter. “If you have proper SAM in place you are going to have your computing under control and can be pretty confident you are sweating your software assets effectively.”
However, SAM is proving problematic for many companies. Some lack the will to invest in the process, while others are bogged down in turf battles over who should gather the data. Many are just struggling to understand how their licences work.
Finance departments are usually responsible for maintaining asset registers including software, while IT departments know how that software is deployed. “All too often the priority is tracking of physical assets and software is forgotten, so the information is not getting from IT to finance on how software gets used,” says Karen Conneely of asset management software company Real Asset Management.
Despite the availability of databases to record information about licences and so-called discovery tools such as Centennial, Eracent and EasyVista, which dispatch agents to inspect systems and log the software they are using, many users still rely on spreadsheets to track their assets.
But experts agree the task has become just too complex to manage by Excel. And it is likely to become even more burdensome as users move to new computing models such as virtual systems which have the capability to create and destroy code within a matter of minutes, making logging its use very difficult.
The predicted boom in browser-based software as a service (SaaS) is likely to create further complications with cloud-based computing sitting alongside, or integrated with, software that companies already run on their own premises. In any case, SaaS subscription terms are likely to become as complex as software licences.
Neither software companies nor their customers have agreed on the best way to reconcile this new kind of usage with old-style licensing. Constant metering of software is one activity that is likely to become much more widespread, according to the experts we spoke to.
“Virtualisation allows the malicious user to pirate software. When companies head down the virtualisation path, tools built in by vendors fail to function,” says Chris Holland, vice president of software rights management at security company SafeNet.
Even without new technical developments, current tools are struggling to keep up with the licensing landscape. For example, while discovery tools may be fine at logging software subject to a single user licence, they may struggle to cope with concurrent licences which allow only a proportion of potential users to access a program at any one time.
In addition, SAM software must cater for myriad different licence terms, ranging from those related to named users to licences that apply to each CPU. The recent development of servers with multiple cores has posed problems for software suppliers accustomed to charging customers a fee for each server an application is installed on. Software companies have still not settled on a good solution, analysts say.
The industry itself has been keen to maximise revenues from licences. So-called true-ups – reports on the size of a user’s estate which are used to calculate licence fees – can account for up to 15 per cent of revenues, say industry insiders. “It’s easy pickings to go after your customers: all big suppliers have licence-management practices,” says Patrick Gunn, a vice president of SAM supplier ManageSoft.
But suppliers are taking steps to make it easier for customers to manage their licences and software companies have collaborated on creating a series of ISO standards governing several aspects of SAM.
The latest concerns tagging – the headers that identify a piece of software – and seeks to lay down a standard way of identifying software from different suppliers. In addition, the IT Infrastructure Library (Itil), a widely used methodology for managing IT, has been extended to include SAM. “The ISO 19770 standard is only just coming out, but we anticipate it will be widely used,” says Tony Baron, global vice president of IT services firm Dimension Data, and one of the authors of Itil.
In addition, industry body the Business Software Alliance (BSA) has just launched a programme designed to help businesses implement SAM programmes. The BSA SAM Advantage aims to provide its members and their partners with a set of online SAM tools and training frameworks.
However, despite all this tough talking, software industry watchdog the Federation Against Software Theft (FAST) claims that IT managers “have got their heads in the sand” when it comes to adopting effective SAM policies.
Three-quarters of UK businesses polled in a survey commissioned by the Software Industry Research Board (SIRB), set up by FAST and its partner Investors in Software (IiS), say that they have a SAM policy.
However, over a third of them were unable to convince interviewers that they have any more than a basic understanding of their software licences.
Some 60 per cent of the 600 or so companies that took part in the research, published in November, saw no risk from “the misuse of software or counterfeit supply”, says FAST, “and 43 per cent do not believe they face a threat from the lack of compliance as they claim to have a SAM policy”.
FAST revealed that more than 300 of the companies that took part in the research had been subject to a software audit by suppliers within the previous year: evidence of the determination of software companies to crack down on breaches of their software licences.
“The point to stress to business leaders is that they cannot afford to be complacent about the subject of compliance and risk to their businesses as they need to validate that they are able to demonstrate good governance and transparency in terms of compliance,” says John Lovelock, chief executive of FAST IiS .
“The research points to critical weaknesses that leave their organisations with material risk – and put bluntly that means a risk to the bottom line.”
There are over 20 pieces of legislation that affect the software that companies own, including the Computer Misuse Act, the Data Protection Act and the Copyright, Designs and Patent Act, with penalties of up to 10 years in jail for the most flagrant breaches of copyright.
In practice, the biggest risk that most users face is that they will be audited by a software supplier and charged for using software in a way that they were not entitled. Audits, which are part of the licence agreements for all software, involve a visit from an auditor to inspect the records that a company holds about its software.
Preparing for audits and maintaining records over the long term is an administrative task that involves gathering evidence that licences have been paid for and software has been installed. This may involve holding paper invoices and the original wrappings of the disks on which software was supplied.
But these SAM processes also need to dovetail with the software lifecycle. “It is important to have a process in place that begins with asking for the business case for acquiring a piece of software,” says Phil Heap of FAST Corporate Services, a subsidiary of FAST that is aimed at educating firms on SAM. “The next question is whether the organisation already has the software that is needed and whether it is tested and approved. The final question is whether you have a licence for it.”
The software industry, through FAST and the BSA, is pushing hard to raise awareness of the need for properly licensed software. Earlier this year, the BSA, which claims that 26 per cent of business software in the UK is illegal, launched a campaign in Manchester that involved contacting 5000 businesses in the city.
Persuading a cost-conscious board of directors who see SAM as merely an extra expense to take action is an essential first step to software compliance. Companies should be spending between three and five per cent of the value of software they own on managing its use, according to analyst firm Gartner.
John Brown Group, a contract publisher- that produces company magazines, is one software user that received a knock on the door from a supplier. About a year ago, Microsoft contacted IT director Richard Sacre about anomalies in the publisher’s account. “We knew we were a bit short but didn’t know by how much,” he recalls.
Sacre admits that if the £60m turn-over company had tried to reconcile its software assets on its own, John Brown Group would probably have failed to meet the deadline set by Microsoft and would have ended up buying too many licences in order to be certain it was compliant. In the event, Sacre hired an asset management consultancy called SAM Practice and avoided having to buy any more licences.
“The volume of different software applications became difficult to manage,” Sacre observes. “We did our best but we were always exposed in a sense. We have grown by acquisition and the licensing situation in the companies we acquire is often in a bad state. We usually merge the businesses and then straighten out the -licensing afterwards.”
Sacre says that software companies overcomplicate their licensing regimes, citing the more than 400 ways of licensing a Microsoft product. Hiring a consultancy helped John Brown Group understand how to interface with suppliers, according to Sacre, and shaved its software budget by 20 per cent annually. “Manufacturers are quite scary, hence the panic buying and fear factor,” he maintains.
The Student Loans Company (SLC) has been bolstering its software asset management efforts over the past four years with impressive returns on investment. Back in 2004, the company installed Software Organiser, a licence management database program, and a software audit tool called Centennial Discovery.
The organisation, which manages loans and grants to students in higher education, also subscribed to FAST. “FAST have been a tremendous help to us, advising and guiding us through the accreditation process,” says Theresa Kilpatrick, software licensing manager at SLC.
As a public body SLC has a statutory duty to comply with licensing terms. However, since investing in audit and compliance tools the organisation made a saving of £85,000 during its first year of FAST accreditation and has since benefited to the tune of about £50,000 annually.
Asset management enabled SLC to cancel unused maintenance contracts and renegotiate the rest, as well as retire software that had been bought but not installed, and eliminate software programs with duplicated functions.
The company has linked licence management with tougher controls on how employees access software so that unlicensed software does not get deployed. Internet downloads are limited and end-point security systems are in place. SLC has set up a software media library with strict procedures for booking software in and out.
“End-users don’t deliberately seek to cause a problem; mostly they make innocent mistakes,” believes Kilpatrick.
Kilpatrick says there is quite a lot of work involved in setting up a database of licences, particularly since header information from each program varies. There are many ways of spelling software vendor names and versions for example. “Asset management is not a quick process, it takes time. You have to work closely with your teams,” she adds.
Although many organisations will attempt to use a spreadsheet to manage their software estate, Kilpatrick is adamant that an electronic audit tool is an essential piece of software. “The SLC’s infrastructure changes every 15 to 20 minutes,” she points out. “So you really do need one.”