In November, 25 ITAM professionals gathered at our London office to share their experiences around a struggle faced by ITAM teams everywhere – how to create a productive and fruitful relationship with IT Security.
Facilitated by David Foxen (SAM Beast Consulting) and Craig van der Velden (Vice-President, Anglepoint), we began the discussion with introductions and what had brought us there. As each participant spoke, from big banks to tech companies, the same challenges emerged. No doubt they’ll ring a bell:
- How do we jump through all of the hoops demanded by security teams?
- How can we demonstrate the value of ITAM/SAM to our security teams?
- How is relationship building with security different from other teams like procurement?
The diversity of the crowd meant everyone had a slightly different take on these questions and their possible answers, sharing anecdotes from their own work and that of their clients.
In this post, we’ll share some of the suggestions we came up with together for getting the most out of your relationship with IT Security:
Make your security team’s governance work in your favor
When it comes to ITAM and Security, we’re all doing a complicated dance between agility and governance. While ITAM teams can feel blocked and frustrated by the demands imposed by security teams, consider that robust governance measures might actually work in your favor.
Operating in an organization where people have been primed by Security to follow strict governance paves the way for ITAM to strengthen its own governance.
Make this a two-way relationship
A theme that continued to emerge through our discussions was the need for a two-way relationship between ITAM and Security. That is, a true relationship! One where both sides consider and value one another.
One of the main challenges for ITAM teams when working with IT Security teams is a severe lack of communication and collaboration. ITAM and IT Security teams often have different priorities and so struggle to understand each other’s perspectives.
We see this especially when it comes to data sharing. Both security and ITAM teams have a tendency to assume that their tool has complete data. But the reality is that both have gaps, and we can only see them when the two work together to compare. In this day and age much information is stored electronically, so letting these two management systems overlap makes sense and avoids doing the same job twice where they cover the same ground.
Use ‘security’ to get your CEO’s ear
Let’s face it. Security sells. It’s easy to understand the risks and consequences of poor security measures and CEOs are quick to respond to potential threats. ITAM can use this to its advantage. If you have a critical message you’d like to share with the C-suite, consider framing it through the lens of enhancing security.
How to sell ITAM to security
This was definitely the question of the hour and participants had a host of tips to share.
One way for ITAM teams to convince IT security of their value is by highlighting the ways in which ITAM can help improve the overall security of an organization’s IT systems and assets.
For example, ITAM teams can help ensure that all software and hardware is properly licensed and up to date, reducing the risk of security vulnerabilities. You have valuable data, including the last scan date, which can help security teams identify missing pieces that may point to a security breach. ITAM can also help identify and manage potential security risks associated with hardware and software assets, and work with IT security teams to develop strategies for risk mitigation.
Security teams are so focused on hacking and outside threats that they’re missing a trick. ITAM teams can also provide valuable insights into an organization’s IT infrastructure and assets, which can help IT security teams identify potential security weaknesses and develop more effective security policies and procedures. By demonstrating their value in these ways, ITAM teams can help convince IT security teams of the importance of their work and the need for effective collaboration.
Laying the groundwork for ISO 19770
As you may know, ISO 19770 is a standard for software asset management (SAM) that provides guidelines and best practices for managing and optimizing an organization’s software assets. It covers all aspects of SAM, including the planning, procurement, deployment, tracking, and retirement of software assets.
But obtaining ISO 27001 certification is a crucial step in laying the groundwork for ISO 19770. ISO 27001 focuses on information security management, which is a key component of effective SAM. By implementing the principles and guidelines outlined in ISO 27001, an organization can establish a strong foundation for managing its information security risks and protecting its software assets. This, in turn, can help the organization meet the requirements of ISO 19770 and achieve certification in that standard.
The wrap-up
These are tough questions and the answers to how best to build a relationship with IT security will vary greatly depending on your organisation. But this roundtable provided an opportunity to share what has worked for some and bring together great minds and expertise to troubleshoot the most common issues we’re facing in this area.