Adding Value with ITAM Alignment to Risk Control Frameworks

Chris Hayes:

Welcome. We’re going to be talking about how to add value outside of, the typical silo that ITAM sometimes sits in an organization, really how to work with other potential stakeholders, expand the sphere of influence, and hopefully really supercharge some of the capability in your organization.

So really, what we want to focus on today is aligning the ITAM management system. What’s happening in terms of people, process, technology? How you’re managing your assets and then we’re going to look at aligning that with risk and control frameworks.

So that’s what we’re talking about. When we say some of these risk control frameworks, they are in several different areas. And this is just a small slice they’re in, right? So, these are just some of the common ones that we typically see when we work with clients.

You might be an energy supplier. You might be in a financial sector. You might have some tax reporting requirements. You may have some financial implications. There might be all different types and reasons or industries where you have official requirements. You might be processing payment card information. So, you are PCI regulated, you might be in the state of New York and a financial institution. So you have to abide by NYDFS the FIEC or FBA is another financial regulation.

You may be in Europe and the BIS, so a branch of the UK government is coming up with some new regulations similar to Sarbanes Oxley. So, kind of corporate control and tax reporting schema that’s going to be published and officially effective sometime in 2024, all of these things are happening, right?

And that’s not to minimize any of this environmental sustainability and governance area such as GRI, Sustainability Accounting Standards Board, SASB. All of these control frameworks have similar structures, right? You’ve got control points and you’ve got to demonstrate the conformance with those controls.

If the Center for Internet Security comes in and says this is a formal audit or your internal audit says, how are we managing this? This is going to be a joint venture, and this is the heart of what we’d like to really impart to all of you today and how we want to discuss this. This should not just be InfoSec off playing in their silo and responding to these things.

It should not just be service management off saying, oh, we’ve had another ITIL audit, or we need to demonstrate COVID conformance, et cetera, et cetera. It needs to be a joint activity, thereby increasing the engagement and the stakeholder involvement with IT asset management and you drive that value, right?

Supercharge your IT asset management program and say, great, we are going to take this opportunity. We are going to work with these cross functional teams, and that’s that ITAM perspective. Information security, also governance risk compliance, they should be your program’s best friend.

You should have a regular cadence. You should be sharing information. You should be aligned with strategy and resourcing and process. What you’re doing, you have to align the basis on the priorities of the program, when you’re planning for your IT asset management, your management system, that should be aligned from various functions.

Next is the Deming cycle. So, in as much as IT asset management and software asset management is governed by a standards body, so ISO 19770 is the software asset management standard. These are all aligned, these international standards, to a cycle of continuous improvement, the Deming cycle. Plan, do, check, act.

The do, check, act, is that iterative loop of we’re executing what we’ve planned. And is this working? Are we measuring things that are demonstrating progress and then taking corrective action to make sure you’re still on track if you’re measuring that you’re off track? So that’s how this works.

But we really are focusing in on the plan. So, when we say things like what are you measuring? And your IT asset management program, your management system that is addressing what’s important to your organization. What are those metrics? How do we ensure that those now can also address some of these regulatory or governance compliance risk control frameworks?

How do we make sure that’s aligned? So, what that does is that expands that group of stakeholders or people that are interested or will potentially support the IT asset management program from a risk assessment and risk treatment point of view for governance, risk, and compliance.

We want to make sure that this is aligned to very top levels within the organization that governs risk and compliance team. Are aware and looped in where there is a potential risk. And also this is keeping with this theme that expands the influence and power potentially of the IT asset management function to say, oh, not only do we have a compliance topic here with Salesforce, right? It might be a license risk or a financial risk. We have a regulatory and compliance risk when that happens, that really helps kick into gear that due check act, right? The continuous improvement.

If there is a gap where you say, look, we just failed and missed compliance audit, or FBA came in and they gave us an ECRA level one finding where we are not hitting our financial and regulatory reporting requirements. That needs to live at a very high level within the organization that has to be aligned in lockstep with governance, risk, and compliance.

It has to be reported. So, we are taking on more, but we are also adding a lot of value. Let me be very clear as well. What I’m not advocating for here necessarily is IT asset management gobbles up security, right? We are not talking about doing end-to-end security, but what we are talking about is ensuring that this plan, planning the management system and aligning what’s important to the organization.

That view expands that we talked to multiple stakeholders. We talked to governance. We talked to info security, et cetera. So that’s where this Deming cycle kind of fits into this conversation, planning the management system and then addressing that as we note nonconformance or we’re doing some continuous improvement.

So the first part and what I’m talking about is, aligned to what’s important for your organization. Any of you who are familiar with some of these frameworks, especially the standards framework ISO, you’ll understand, and you’ll appreciate that this is not just paint by numbers.

At, 15 different organizations, the management system might have 15 different flavors because 15 different organizations are going to be different. You have to understand your priorities.

So just for example, this organization says what do we want this management system to do? We want to be protected from risk. We want to drive innovation and agility using cloud adoption, and we want to be a sustainable organization.

So, they’re going to have different metrics and measures and processes than a different organization that might say right, we really are zoomed in and laser focused on cost control and maybe application rationalization, et cetera. When you consider what your priorities are. That’s that second question.

What other objectives and priorities should you consider? You can go talk to InfoSecurity. You can go talk to Governance Risk Compliance, Internal Audit et cetera.

So, what we’re asking you to do is widen your view. And say, okay, understand these additional kind of regulatory drivers. There may be other priorities as well, right? Hey, we want to be sustainable. Yes, there’s a risk control framework, but there are other aspects here, right?

Consider widening your view that will enable your program and supercharge your program with more stakeholders where you can. Drive that value.

Okay, so next level down of defining a control scope. What we want to make sure is that when we’re planning and defining that control scope, so we’re designing the management system. In other words, all of the roles and people, all of the processes and policies and measurements and all of the tooling and technology that’s going to be involved.

That’s what we mean when we say management system that this is going to incorporate 2 things, a test of design and a test of effectiveness. So, against each of these safeguards, all of the supporting processes and measurements should be very clear.

De facto, you’re going to work with other functions. We’re going to talk to operations. We might talk to security. You might talk to architecture, development, et cetera, to be able to have that capability to measure. But what you’re going to want to do is align that measurement and understand exactly what you were measuring with that same goal in mind.

For example, one of the controls for CIS is making sure you have supported and authorized software. And if it’s not supported or authorized, that you want to remove that from the environment. Understanding this, you want to align and say, okay, we’re going to look at what we’re measuring and make sure what we’re measuring is governed well and where we have a gap or where we have a potential nonconformance with what we’re doing, we need to be able to address that within whatever aligned timescale.

So, I’m talking kind of generalities here, but you’re going to work with other functions, and have that common goal, right? That way they’re going to support they’re going to facilitate. Maybe, I would be amazed if info security does not have some kind of scanning and discovery capability, right?

So that’s a good opportunity to say, okay, we want to measure the environment. How are we going to do that? What’s our process? And that leads to that next best practice. Making sure that once you align and said, okay, we want to do the following things to say, number one, the test of design, that’s usually a black and white kind of pass fail from the regulatory and risk control framework point of view.

Is there a process? Did we write something down? Yes, or no? So, you can say, yes, we have something written down. We’ve aligned with security. Here’s exactly what we’re doing. We want to have that documentation. So, if you have an external audit from a body who is auditing against CIS, for example, what are you doing to scan your environment? How are you measuring? How are you demonstrating against the control point that says you will not have unauthorized software or software that hasn’t reached end of life? And you say, Oh, that’s a great question. Here are the 3 or 4 things and the policy and the processes and it’s aligned with multiple functions.

Exactly what we do. And that’s what this says. When you have your measurements, you might have some sample reports, your test of effectiveness. That documentation can start as the basis to demonstrate conformance. If you are audited externally, and they say what are you doing about this? And you say we have a CMDB and we look at it sometimes and no, but if you’re organized, this is the proactive approach and what you can endeavor to do is working with governance and working with security, et cetera, et cetera, widen your scope. You plan this by design. When you are designing your management system, you are proactive and then you can demonstrate conformance with these various risk and control frameworks.

You align that up front.

So, thinking about the puzzle pieces and then pulling this together. How this looks in practice. So, like I said, the example we were giving was from CIS, Center for Internet Security. And one of their controls is to address unauthorized software. So unauthorized. In this instance, we’re going to say we have aligned a control and test of effectiveness that we do not want any unsupported software in our environment. Maybe we’re focused in on cost control. We might be focused in on some aspects of risk, but we want to formalize this. So, we’re going to work with info security. So, all of those stakeholder requirements from the Deming cycle from the plan part of plan, do, check, act would be pre aligned.

We would say Mr. and Mrs. CISO and executives in the security organization and the operations team were all aligned that we want to measure and control for this aspect of the environment. So, what we would say is we do not want as a data point to have unsupported or end of life software in the environment.

What does that mean in practice? We’re going to have a test of design that says. We’re doing something right that passes that aspect of CIS. The next aspect would be the test of effectiveness to say what is the actual process? And what are we measuring? How do we actually demonstrate this as aligned with these other functions?

So here, the test of effectiveness that we propose and are just giving this kind of example of a data reporting a weekly report review. Showing two things. What we want to show is that we have control and visibility over a good portion of the environment. So, we’re going with a 97 percent coverage as a thumb in the air key metric that we’re going to be measuring for the asset management program anyway.

But what we also want to discover in here is that we are not showing any installed instances or consumed instances of unsupported software. So obviously we need to understand which of those pieces of software are and are not supported, right? We have to have some normalization. We have to have some discovery.

There are other data points and other sub processes behind here. But what we want from this dashboard point of view is what’s our coverage? And in that coverage, are we seeing any software instances of software where that is unsupported? And we’re discovering this. So just an example. And then best practice here is to continuously report this.

Remember, we’re thinking plan, do, check, act. This is the do, check, act. We’re executing what we planned. We’re measuring. And then we’re checking to see it. Are we in conformance? And then the act bit is, ah, if we’re not, just this example. We only have 53 percent completeness and some of these areas are red, or we need to zoom in here.

That is part of the management system, so that needs to be aligned. If you have a low visibility percentage, or if you’re discovering software, that’s end of life. That is the act portion of continuous improvement. What that also does is that loops back into IT asset management governance. But what we’re saying is and the overarching message here is you’re also expanding that set of governance vis a vis your stakeholders.

If you are not just reporting to IT asset management, senior executives, but you’re now reporting to governance, risk and compliance and info security. There will be action. You’d better believe, right? You think about those two things? We have a potential compliance risk here. We need to install software.

No, we are nonconformant with our control framework, or we have unauthorized software that’s happening here again. This isn’t necessarily IT asset management owning the whole function, but it is working together with these other functions to drive a lot more value outside of just compliance and outside of just the program, we can say you are not in alignment and you have a gap against this risk and control framework.

So go and do make sure this is visible. Make sure this is aligned. Make sure that action happens. So that’s pulling it together here. And again, the best practice is to use this is just a PowerBI type dashboard to use some kind of continuous measurement and visibility to demonstrate. Are we on track? Are we not on track?

If you’re not on track, then that precludes those actions. Some recommended best practices here. What we want to do is expand your management system to incorporate a control scope. So, what we’ve talked about today, and just this example was a little bit more in the info security area, but, put your hat on and put your kind of expanding the influence type hat on you could for instance, work with sourcing procurement vendor management and say, hey, what additional supplier data points do you need for sustainability for ESG?

What framework do we use there? What are our common, we mentioned this, security frameworks. Are we in a regulated industry where we need to be measuring some things like FBA or NYDFS? Are we overseas in the UK and this BIS new regulatory framework similar to Sarbanes Oxley.

When that comes out, what do we need to do? So, defining that control scope and not completely going back to the drawing board, but revisiting your management system for IT assets. So, for ITAM management that it also incorporates those control components. So, understanding what the implication is then together cross functionally.

This is the key. That you’re working with other functions. You continue to do that. You expand that sphere of influence, but also driving that value. You want to define the required data points and get down to those procedures and tests of effectiveness for each control item.

In the example, again, we said we do not want to have unauthorized software. That means we need to have a good coverage and visibility, but also not discover any unauthorized software. Software in the environment, and that gets that next square. They’re talking about a data-led gap analysis. You need to see the reports where you are in the Deming cycle executing that do check act loop of continuous improvement.

Are we on track or do we have to do something? Is this a green report or is it a bright red report? Or where does this information need to go? And like I mentioned in that previous slide, the risk mitigation by necessity gets elevated. It crosses these functional boundaries, not just for IT asset management, but to drive a lot more impact and value in the organization with let’s be honest.

About the same data. It’s a minor tweak. It’s measuring a couple other data points aligned to a risk control framework. This is the stuff that’s happening day to day anyway, it’s not hey, we’re not doing any discovery, or we’re not looking at cost and risk, or we’re not doing this stuff. We are anyway, as managers in IT asset management, the management system is really close.

So, what we’re advocating for here is just tweaking it slightly to incorporate and expand that framework. So really, like I mentioned, what we want to do, then, is because we’re crossing these functional boundaries internally breaking down these silos, we want this risk to be managed collectively and governed collectively.

So, it’s not just a well, we have a compliance risk here or potential cost issue here. It is we are in violation and we’re nonconformant with a regulatory or risk control framework. And necessarily those security risks, the regulatory risks, et cetera, they should be on a corporate risk register that should be managed and supported and governed by GRC-type processes.

That really hooks in and says, ah, if there is something on this corporate risk register, that means we have to take action. It is not optional. So that’s the core message. Making sure we’re adjusting, making sure we’re adding more value, and it’s double edged, right? Yes, we take on one or two more things, but really, what we want to do is destroy those silos, ensure that we have additional stakeholders, we have additional budget, we have additional support for IT asset management.

But why? Because we’re aligning to the larger priorities of the organization. We’re not just looking at cost control and not just looking at license compliance. We are really driving that further value. And this is one of the key areas where we can do it against these risk and reporting frameworks.

We are happy to have any of these conversations and happy to have, them offline. Connect with me, I’m on LinkedIn and with that, thanks everyone for the time today.