Cybersecurity, Meet SAM

While bringing many benefits to a company’s IT infrastructure, software now presents a particularly vexing problem for most organisations. On one hand, enterprise applications are mission-critical, running every facet of operations, from front-office to back-office. On the other hand, software is one of the most difficult of corporate assets to manage – resulting in massive financial waste, inefficiency, and cybersecurity risk.

The Challenges of Software Asset Management (SAM)

Most organisations spend approximately 25 percent of their IT budgets on software. Yet, unlike physical assets such as office fit-out and hardware, software is extremely difficult to keep track of and inventory appropriately. Consider all the desktops, laptops, mobile devices, servers and clouds onto which software is installed. Consider that machines are purchased and retired, employees update devices on their own and introduce additional applications, employees are hired and leave the organisation, and mergers and acquisitions occur. Adding to the logistical challenge of keeping track of these devices is the difficulty of keeping track of the software installed on them.

As well as the physical location of software, organisations must track how that software is being used and whether or not that usage is compliant with the software contract. Every software license agreement consists of dense and complex terms relating to usage, and these must be tracked, managed and understood to ensure an organisation’s compliance with the license. If an organisation’s usage exceeds those terms, it is considered out of compliance, and the organisation can be subject to unbudgeted “true-up” penalties. The contrary is also true: if those licenses aren’t being fully utilised, then the company has purchased “shelfware”: unused or underused software that is sitting idle and still costing the company money.

The Cost of Unmanaged Software

According to a recent report by IDC, software license complexity will indirectly cost organisations an average of 25% of their annual software license budgets.[1] To address this issue, leading organisations have implemented comprehensive Software License Optimization programs. These programs consist of people, processes and automated technology that substantially eliminate the inefficiencies, waste and un-budgeted software license compliance risk linked to an unmanaged software domain.

According to a report from Gartner[2], a Software License Optimisation solution should perform six critical elements:

  • Platform discovery
  • Platform and software inventory
  • Normalising inventory
  • Reconciling external information
  • Optimising license position
  • Sharing information

IT Asset Management or SAM teams within an IT Operations group generally lead the implementation of Software License Optimisation programs.

Cybersecurity Risks of Unmanaged Software

Another issue associated with an unmanaged software estate is that it also creates an extremely high cybersecurity risk for companies. Security standards and requirements frameworks have been developed by myriad organisations, including The SANS Institute, which has created a prioritised list of security controls that are crucial in improving organisations’ risk stance against real-world threats.

SANS has identified a number of Critical Security Controls, the first of which focuses on an organisation’s ability to actively manage – inventory, track and correct – all hardware devices that are on the network. The second focuses on the inventory of authorised and unauthorised software. Organisations must actively manage all software on the network so that only authorised software is installed and can execute, and so that unauthorised and unmanaged software is found and prevented from installation or execution. A report from the Business Software Alliance (BSA)/IDC has also stressed the role that Software Asset Management plays in cybersecurity. The report explains that an organisation’s network is at its greatest malware risk when multiple copies of unlicensed software are left running and unmanaged. The report concludes that lowering the incidence of unlicensed software will lower cybersecurity risk.


Software vulnerabilities are the habitual exploitation vehicle for cyber criminals, who use them as gateways into corporate networks. The average cost of cybercrime is over $12.7 million per organisation in the US, and the average financial loss was up over 34% in 2014 over 2013 – and high-profile breaches can lead to brand and reputational damage as well as losses of up to hundreds of millions of dollars.

According to a recent report by Secunia (recently acquired by Flexera Software), during 2014, 15,435 vulnerabilities were discovered in 3,870 software products, a 55% increase in vulnerabilities, continuing a 5-year trend. 83% of all vulnerabilities had patches available on the day of disclosure, proving that you can patch most vulnerabilities if you know what to patch.

For this reason, Software Vulnerability Management has now become an essential component of any secure organisation’s overall security framework. Software Vulnerability Management consists of two essential components. The first is vulnerability intelligence and assessment: research and tools to identify and validate software vulnerabilities; discovery of corporate hardware and software assets so that CSOs can determine whether known vulnerabilities exist on their network (the same discovery and inventory that effective SAM needs, as noted above); tools and workflow to assess and prioritise risks; and a flow of reports to provide intelligence and clarity into the process.

The second component is security patch management: applying remediation patches to known vulnerabilities, testing and packaging those patches before handing them off to the deployment system, and reporting to verify that each patch has, indeed, been installed.


Where SAM and Cybersecurity Intersect

Organisations need the ability to discover and inventory their hardware and software assets effectively, comprehensively and continually if SAM and cybersecurity are to be integrated successfully. An IDC report[3] has also found a correlation between cybersecurity and ITAM. IDC found that effective management of cybersecurity and application performance often depends on clean IT asset data with which to correctly evaluate the possible vulnerabilities of existing software and hardware. IDC recommends that future ITAM initiatives focus first on the demands of IT security.

For Software License Optimisation, software/hardware discovery and inventory functions are currently performed largely by ITAM or SAM teams within the IT Operations group. Similarly, effective, comprehensive and continual software/hardware asset discovery and inventory is required for effective cybersecurity principles and Software Vulnerability Management fundamentals. Both IT Security and IT Operations teams within organisations are performing these tasks, unnecessarily duplicating effort, time and money.

Organisations now face the challenge of recognising that siloed SAM and security teams are performing similar activities under different strategic initiatives – Software License Optimisation and Software Vulnerability Management. This is not only wasteful and inefficient – it can also result in gaps in coverage and risk, when one department isn’t aware of the other’s activities, or isn’t performing the same activity with the same processes or equal thoroughness. Now that SAM and cybersecurity have converged, enterprises have the opportunity to adapt new and effective. By merging overlapping SAM and security efforts, organisations can reduce wasteful software spend while simultaneously eliminating a dangerous cybersecurity gap.
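As an added illustration (not code from the article or from any vendor it names), the Python sketch below shows the convergence argued for above in working form: one normalised inventory feeds both the SAM licence position (over-deployment versus shelfware) and the security view of which hosts run a version below a vulnerability feed's fixed-in version. All hosts, product names, versions, entitlements and vulnerability ids are constructed placeholders.

```python
"""One normalised inventory serving both SAM and vulnerability management.
Added example; every record below is constructed, not real data."""
import re

# Constructed raw discovery records: (host, raw product string, version).
# Product strings vary in case, spacing and architecture suffix, as agents report them.
RAW_INVENTORY = [
    ("ws-01", "Acme Office Suite", "3.2.1"),
    ("ws-02", "acme  office suite", "3.1.0"),
    ("srv-01", "Acme Office Suite (x64)", "3.2.1"),
    ("srv-02", "Beta DB Server", "10.4"),
    ("ws-03", "Beta DB Server", "10.2"),
]
# Constructed licence entitlements: normalised product -> seats purchased.
ENTITLEMENTS = {"acme office suite": 2, "beta db server": 5}
# Constructed vulnerability feed: (normalised product, fixed-in version, placeholder id).
VULN_FEED = [
    ("acme office suite", "3.2.0", "VULN-EXAMPLE-1"),
    ("beta db server", "10.3", "VULN-EXAMPLE-2"),
]


def normalise(name):
    """Collapse case, whitespace and (x64)/(x86) suffixes to a single inventory key."""
    name = re.sub(r"\((x64|x86)\)", "", name, flags=re.I)
    return " ".join(name.lower().split())


def parse_version(version):
    """Dotted version string -> tuple of ints so '10.4' compares above '10.3'."""
    return tuple(int(part) for part in version.split("."))


def license_position(inventory):
    """Installed minus entitled per product: >0 is a true-up risk, <0 is shelfware."""
    installed = {}
    for _host, raw, _ver in inventory:
        key = normalise(raw)
        installed[key] = installed.get(key, 0) + 1
    return {p: installed.get(p, 0) - seats for p, seats in ENTITLEMENTS.items()}


def vulnerable_hosts(inventory, feed):
    """Hosts whose installed version is below a feed entry's fixed-in version."""
    hits = []
    for host, raw, ver in inventory:
        key = normalise(raw)
        for product, fixed_in, vuln_id in feed:
            if key == product and parse_version(ver) < parse_version(fixed_in):
                hits.append((host, vuln_id))
    return sorted(hits)
```

The same `normalise` step that makes the licence count trustworthy is what lets the vulnerability match land on every affected host, which is the shared dependency on clean asset data that IDC describes.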

[1] IDC, Market Analysis Perspective: Worldwide Software Licensing and Provisioning, 2015, Amy Konary, Research Vice President, September 2015.

[2] Gartner, Focus Your SAM Tool RFP on Six Requirements for Best Results, Hank Marquis, September 10, 2015.

[3] IDC PeerScape: Practices for IT Asset Management, Bill Keyworth, July 2015.
