Given their organizations’ diverse software portfolios, distributed locations and on-the-go workers, how many CIOs can express complete confidence in their license compliance? They know that software is indispensable to the enterprise and naturally want to manage every software asset (from the commodity app to the big-ticket enterprise suite) so it’s optimally leveraged and fully compliant throughout its lifecycle. But that’s not easy.
Software asset management was hard enough when IT leaders presided over locked-down environments and a workforce under their control. In today’s complex IT environment, it’s an even greater challenge.
Software runs on increasingly distributed and virtualized networks, both inside and outside the organization. It’s purchased, provisioned and controlled by multiple parties. Within the enterprise, departments and users empowered by IT consumerization make software decisions without IT approval. And outside, cybercriminals are testing networks, finding vulnerabilities, injecting malware and exfiltrating data.
The good news is that an entire industry segment is dedicated to creating SAM standards, best practices and technologies. Organizations in need of IT asset management guidance can turn to service providers, professional associations and other sources.
SAM combines processes with technology for tracking software inventory and associated licensing. IT managers can use the insights from SAM repositories to inform strategic software investments, optimize usage and stay fully compliant with their licenses.
Trying to monitor the entire ecosystem of users, devices, applications and usage that bears on license compliance may seem a futile exercise. But noncompliance is not only illegal; it is also potentially very expensive.
When the economy falters, software providers focus more attention on revenue leakage, leveraging audits to improve the bottom line. In recent years, some software vendors have watched their profit margins slip as software as a service (SaaS) continues to grab more market share.
In a 2012 IDC survey of IT executives, 64 percent said they’d been audited over the previous two years. Of these, 36 percent submitted to two audits and 10 percent to three or more.
While respondents were mostly from larger companies, smaller enterprises received their share of attention as well. In a 2012 survey conducted by BMC Software and the International Association of IT Asset Managers (IAITAM), 24 percent of respondents with fewer than 500 endpoints had been audited in the previous 18 months.
“Small and midsize businesses are the biggest targets for compliance audits. If you hit a small organization with a $250,000 fine, it’s crippling,” says IAITAM CEO and President Barbara Rembiesa.
What happens if an audit reveals noncompliance? Situations vary depending on vendor, severity and other criteria. The settlement requires the organization to delete all unlicensed software, purchase new licenses and pay a fine.
In cases where auditors determine that a customer deliberately circumvented licensing, the case can be escalated to BSA — The Software Alliance. Formed by a group of software providers, BSA has the authority to conduct formal audits and take legal action in the form of penalties or lawsuits for copyright infringement.
If BSA gets an insider tip that an enterprise is pirating software and its investigation discovers unlicensed software, it imposes a fine as a matter of course. “Copyright law does allow for damages, but we take care of piracy issues outside of litigation in the vast majority of cases,” says Peter Beruk, BSA’s senior director of compliance marketing. “Unfortunately, without fines, sanctions wouldn’t have any teeth. They’re needed to deter businesses from doing the same thing again.”
Meanwhile, some vendors charge the full price for each unlicensed instance rather than a negotiated rate, and some make organizations compensate them for the license shortfall from the time the software was installed. However, Beruk says, most vendors elect not to pursue this course of action, often referred to as a “true up.”
Enterprises that do end up being audited are obviously gambling on whether they will face a true up. Based on industry studies, they are just as likely to avoid a true up as to be hit with one (along with fines) and end up paying up to $250,000. Some unlucky organizations have paid out even more, up to $5 million.
Organizations with recently launched or poorly maintained SAM programs will probably have to scramble when an audit arrives. In Forrester’s Software Asset Management in 2013: State of SAM survey, 32 percent of organizations hadn’t yet implemented SAM, and 39 percent said they had had a program in place for less than three years.
Still, an audit can catalyze an enterprise’s SAM program. A robust SAM program should define the objectives, people, processes and technologies needed to stay compliant, optimize use and deliver a holistic view of the software ecosystem for intelligent decision-making. This insight can identify troublesome personnel, as well as security vulnerabilities.
An organization’s IT, legal, finance and other departments should work together to conduct self-audits to identify cases of noncompliance. An enterprise that builds a reputation for compliance through sound governance might even keep auditors at bay.
Some industry studies have suggested that this could be the case. Organizations that employ IT asset management (ITAM) tools can likely expect to be audited at a lower rate than those that do not. Such a lower audit rate may be attributed to a history of compliance based on previous reviews, signaling to providers that the resources they’d expend on an audit weren’t likely to result in revenue recovery. Some organizations also may avoid an audit by providing compliance reports upon receiving the audit request.
Want to learn more? Check out CDW’s Tech Insights, “Total Software Management.”