ITAM Data Mastery: Driving Business Value to New Heights  

Data is unquestionably the most valuable commodity any business can own.

Trustworthy Data is a term that is often used in Software Asset Management, but what does it mean and why is it so important? It simply means the data is complete, accurate and can be relied upon to make business decisions that support the direction of both your ITAM Program and your Risk Control Approach to realize value. The accuracy of a business’s ITAM data is truly what gives the data value.

Let’s dig into a real-world example of this. You have an old GPS in your car and you put an address into it and hit GO! Ten minutes later—according to the GPS—you are driving in the middle of a field, even though you are in fact on a paved road. Now you have no idea where you are going. The GPS data hasn’t been updated and is missing key information about new road layouts. You are now lost and cannot trust the directions from the GPS to get you back on track.

Think of your ITAM data in exactly the same way to change the perspective of its importance. Your ITAM data is like the GPS that you use to steer all the decision-making within your organization. If you are measuring and recording the information about your license entitlement inventory and software deployment incorrectly or with large chunks of information missing, then the decisions your organization makes could mean you end up driving off the road into that field. When you are confronted by a software audit, can you trust that your ITAM data is correct? Are you sure there are no hidden risks or missed savings because you have missing information about your software consumption? Are budget owners informed to drive remediation management? How about if the Internal team asks if you can demonstrate compliance with a Control Framework such as NIST or CIS? Do you have enough data managed in the correct way with documented processes to make a ‘passing grade’? Has your ITAM team considered how the Management System used to operate the program aligns with the Governance, Risk and Compliance (GRC) function in your company?

Check out our webinar for a deeper dive on this topic:
Unlocking Regulatory Compliance and GRC Success: Aligning Your ITAM System with a Robust Risk Control Framework

The intelligence required to make organization-wide decisions and achieve business goals that have been clearly laid out comes from information provided by the ITAM outputs. Having a clear view of accurate data—and knowing exactly what information is required from that data and how to translate it into intelligence with actionable insights—is what delivers on the business’s stakeholder requirements. Ensuring that broad, cross-functional stakeholder requirements are captured when creating the ITAM Management System will help to ensure that ITAM data can become truly embedded across the organization, whether it will be used by IT, Information Security, Sourcing, ESG, or other functions. As previously mentioned, the Internal Audit or GRC function for your organization is essential for inclusion in this stakeholder coalition. Having a view of control requirements aligned to a Risk or Control Framework will allow the Management System for IT Asset Management to adapt and define how they will measure their internal controls. In doing so, continual improvement and tests of effectiveness in ITAM will directly drive improvement and conformance to the Risk or Control Framework. Your ITAM program will be secure and compliant by design.

How to Obtain Trustworthy and Accurate ITAM Data

The best way to begin the process of checking that the view of your data is accurate and complete is by performing an environment mapping exercise. This will involve recording what software is deployed, where it’s deployed and how that information is being pulled into your central ITAM repository. Having this view of your environment and knowing what data is not being gathered helps to configure tools correctly and close potential gaps. The data will come from multiple sources and can be collated into a consistent format and then deduplicated and normalized to deliver a complete and accurate data set. This process should be automated and performed regularly to ensure live or close to live data rather than only a point in time. It is also important to remember that there will be certain data points that cannot be gathered automatically and will require a layer of human intervention. Knowing what this data is and where it can be found—and then including that in the regular data-gathering exercise—will further close any gaps in both the ITAM Management System and Risk Control or regulatory frameworks. Any known gaps will therefore have scrutiny from both the ITAM as well as the GRC organization—this focus should speed up remediation actions. Best practice is to include known risks to the ITAM Management System on the official GRC Risk Log in your organization, as this usually implies a requirement to mitigate known risks within a prescribed timeframe.

Find out more about Anglepoint’s technology services.

Overlaying software inventory and license consumption data with your contract and entitlement data will start to build a picture of your entitlement and allow renewal dates to be added to a renewal calendar. Ideally, this will indicate your requirements for initiating further data gathering to produce an Effective License Position (ELP), helping to drive proactive and intelligent sourcing decisions.

Bringing this data together starts to drive actionable intelligence as it provides visibility of cost and risks with forecasting, tracking and potential optimization opportunities. Having normalized visibility of your inventory and consumption data in a clear format will prove a vital component in the delivery of this actionable intelligence. As a one-off exercise, this forms the basis of ELPs, when repeated regularly over a period of time it provides intelligence. Historical information about your environment can help to form the capabilities to forecast future use and related costs and risks.

Benchmarking the coverage of your IT Asset environment and understanding the limitations and gaps of Discovery tools is a critical component of ensuring you are dealing with a trustworthy basis of data. The logical environment should be mapped to understand known areas of data gaps. If a Risk or Control Framework was aligned during the design of the ITAM Management System, the potential regulatory impacts of those data gaps can be highlighted. For instance, if you have a control that stipulates you will not operate unsupported software in your environment, you will need to ensure you are discovering at least 95% of your assets, and that of those assets there are no instances of software with a lapsed End of Support date. This adds a new dimension and urgency to remediating data gaps that can support both the ITAM and the GRC functions.

Translating Information from Data into Intelligence

The thought process around being able to obtain intelligence or actionable insights from your data can be reverse engineered. Let’s take cost savings as a simple example. You need to know how to optimize software spend, so the information you need will be a combination of multiple points of ITAM data. You’ll want to know the current license usage for each publisher, who is using it, how they are using it, what you have paid for, what you’re not using, how you purchased it, when the renewal date is, pricing changes, and future growth plans and organizational changes. When the standard ELP is combined with other ITAM information the intelligence can be delivered to provide actionable insights used to optimize spend.

The same technique can be applied if an organization’s goal is mapped to satisfying a regulatory audit or requirement. For example, if your organization is anticipating an FFIEC audit/review, you will need to ensure you are capturing key data points that align with the FFIEC Control of demonstrating that you can scan a complete and correct IT Inventory. Understanding how these terms are defined and the specific data points required will be crucial when considering not only ITAM Management System goals, but how these will impact or drive value in other areas, such as GRC or ESG requirements. Controls and Tests of Effectiveness—in other words, the key aspects of the control framework and how you will measure to prove you have them well managed, will be aligned with both ITAM and GRC/ESG stakeholders. Please note that there is not a one-size-fits-all approach here. Multiple functions can include control requirements and these should be accounted for when designing the Management System for ITAM.

Bringing together all the ITAM data allows the business to make changes and forecast effectively. Through identifying and tracking the realizations of cost savings, risk avoidance and regulatory control framework compliance, both leaders and stakeholders can be provided with tangible reporting on existing risks and the value of your ITAM program as it relates to the wider organization. This will provide peace of mind across the organization and enable strategic decision making.

While this sounds simple in theory, actually accomplishing this and automating your Management System’s processes to feed centralized reports with live data requires another level of data management and program design over and above just a SAM tool.

Centralized Reporting Using Live Dashboards and Live Data Outputs

Through the use of real-time dashboards and live data outputs, Anglepoint’s experts have developed a bespoke set of dashboards that provide an overview of publisher and reseller spend, alongside the relative audit risk of the publisher.

It is easy to think of your top spend as vendors such as Microsoft, Oracle, IBM, etc. However, how much spend is being funneled through a single reseller and what terms do you have with that reseller? A clear and consolidated view of your software spend allows you to treat resellers with a greater level of management and scrutiny that allows the ITAM function to drive value for Sourcing and Vendor Management.

This is especially important as we consider data feeds into your Software Asset Management tool. Consider buying a pack of four oranges from one supermarket which includes a 20% discount, and four individual oranges from another with no discount. If one receipt shows a quantity of four and another a quantity of one, how do you know you ended up with eight oranges, with four of them having a discount? How are you able to leverage that information to shop at the first supermarket instead of the second? Depending on how your ITAM data is being captured (or not) this scenario can negatively impact your program development if you are not careful in considering how required data needs to be mapped and treated by ITAM processes.

If your procurement partner/reseller is feeding data into your SAM tool (either directly or indirectly) it is important to ensure that proper data standards are maintained, monitored and checked so that SAM resources are spending the least amount of time managing the import of data, ensuring the right number of licenses (or ‘oranges’) are listed. This becomes increasingly important if you are using multiple resellers who may be subscribing to different data standards that don’t match. Consider pushing unified requirements to your preferred reseller(s) who can then add further value (for example, if you require carbon footprint reporting or other regulatory reporting).

In addition to correct data, this consolidated data view from Anglepoint allows you to have a breakdown of what channels you are utilizing to buy your software licenses and determine if it is direct from the software publisher, through one or more resellers, or both. Knowing how you’re buying licenses can result in significant savings or larger contract agreements through a preferred reseller or directly with the publisher.

As we detailed in “Tier 2 Software Publishers: Why They Audit and What To Look Out For”, knowing and managing your software publishers in relation to audit risk is a key way to become more protected against the risks of non-compliance. With our bespoke dashboard view, Anglepoint can remove the jargon and confusing details from purchase records, and provide a Vendor Visibility view—your spend across publishers, overlayed with a market audit risk—allowing your SAM resources to spend time effectively preparing for software audits from vendors which would be considered high risk, instead of wasting time on lower spend or lower risk vendors.

In terms of Data Management, Anglepoint aims to understand a few different dimensions and drive program improvement activities. First is Vendor Visibility. This involves comparing Coverage Analysis data with Commercial Publisher Prioritization data. Analyzing those seemingly disparate reports will allow the ITAM function, via proactive Data Management, to ask more pointed questions of both upstream and downstream functions. For example, if the Coverage Analysis indicated that the organization had lots of Adobe Creative Suite components installed, but you do not see any spend data associated with Adobe in your major reseller reports, this could be an early indicator of a potential compliance issue. You could stack rank by volume or count of software installation instances in your main applications, and then analyze the Publisher Prioritization data to help understand what channel is being utilized to purchase these applications. Are you using a single value added reseller or 15 different purchasing methods?

In analyzing both deployment and purchasing data, the ITAM function will also be able to highlight potential gaps against designed controls and tests of effectiveness relating to the Risk and Control Framework(s) that have been adopted by your organization. For instance, you may be required to demonstrate coverage and management of your IT estate throughout its lifecycle in your organization, and show that no unsupported software is running. This would require two data dimensions—first, that you can measure the entirety of your IT estate versus what is being actively scanned, and second, that those software titles on actively scanned devices have not lapsed in support. Your current processes should leverage the systems and technologies in your organization to provide data to satisfy these regulatory controls. In other words, the ITAM function should be prepared and intentionally designed with these additional controls in mind to prove that the ITAM Management System is effectively managing data and asset lifecycle to demonstrate conformance with the Risk and Control Framework.

Example of bespoke dashboards showing an overall view of data and insights.