ITAM IQ Library

2025 End of Year Newsletter

Tue, 30 Dec 2025 19:07:32 GMT

2025 End of Year Newsletter

I looked at last year's newsletter, and the main challenges predicted for 2024 are still challenges for 2026! So, does the lack of change mean we didn't improve in 2025? Yes and no. Implementing ITAM is a continuous improvement program that never ends, so it's a program, not a project. Some of ITAM's challenges have also evolved and are different.

The key areas that will remain in focus include artificial intelligence, cybersecurity, cloud, the economy, and the new edition, noise.

Let's explore these topics and why they will likely be crucial in the coming year.

Artificial Intelligence (AI)

The hype has diminished a bit, but the spending has increased. Arvind Krishna, IBM's CEO, doesn't see the ROI given the spending on building new data centers. That math doesn't add up. While some benefits of AI have been obvious, companies are still struggling to implement it, and I think the reason is simple: a lack of complete, accurate data. The reason? In the US, it's simple: most companies are process-averse. It is a process that enables tools to generate and capture data. ITAM is a perfect example of the lack of accurate and complete data, regardless of what the talking heads spew.

I think there's a 70% chance the AI bubble will burst this year. Perhaps not as big as the dot-com bubble, but still significant. The only thing that will save the data center buildout will be new technology (quantum computing) and efficient energy delivery.

ITAM should be wary of anyone claiming that AI is ITAM's great savior and that their tool or service is the answer. AI can be a game-changer for ITAM, but only when we have the quantity and quality of data. To accelerate progress on the data challenge, it's past time to consider generating synthetic data. In the meantime, work on improving processes and data capture – we need more, a lot more!

Cyber Security

Unfortunately, AI has displaced cybersecurity as the hot topic. Vendors chase the problems they can sell a solution to. But the data needed for cybersecurity is also the data that AI requires. That's what makes ITAM investments so great!

Learn more from our self-paced "ITAM and Cyber Security Workshop" at https://www.itamiq.com/store#Cyber . In early 2026, we will release a new version reflecting updates to CIS and NIST's cybersecurity platforms. This update is free to everyone who has purchased the workshop.

Cloud

Another victim of the AY hype is ironically cloud. It's ironic because AI will be delivered as cloud services. FinOps, while valuable, seems to be finding its place among well-educated users. However, vendor communities are still trying to tout the relationship between FinOps and ITAM as something more special than other ITAM relationships. The fact remains that companies are still struggling to manage cloud assets, especially PaaS and IaaS.

Learn even more from our cloud asset management courses, SaaSAM and CAM. Details can be found at https://www.itamiq.com/cloud-asset-management .

The Economy

Economic uncertainty will continue into 2026 for the same reasons as last year – the US administration's policies, including tariffs and the devaluation of the dollar. As mentioned earlier, the cloud bubble burst will affect the economy because AI spending currently accounts for a significant share of the United States' GDP.

Noise

Vendors in the ITAM space continue to misrepresent the definition of ITAM and its value. They do this to sell their solutions, which is fine, but it's not helping the maturing of the ITAM profession; in fact, it's hurting ITAM. This can be seen in posts, articles, and marketing literature where ITAM and SAM, or ITAM and HAM, are represented as equal. Other examples are SAM is CAM or SAM is ITAM. Here are the facts: CAM, SAM, and HAM are specializations of ITAM. HAM began before ITAM and is the most mature. ITAM emerged with SAM to bring together HAM and SAM and declare ITAM a core competency spanning the entire organization, focused on delivering value to the IT investment. Anything different is just vendor speak. If an industry can't agree on what ITAM is, then how can executives have confidence in ITAM?

Final Words

Unfortunately, I see 2026 as more challenging than last year for ITAM, as it tries to justify its existence. ITAM is a very young profession, maybe 30 years young. That's younger than IT! IT asset managers will be faced with managing day-to-day operations, taking on new responsibilities, and improving the program, but perhaps with less staff due to downsizing. However, the most critical goal the IT asset manager must achieve is executive sponsorship, perhaps now more than ever.

Please contact me with any questions, comments, or if you just need to vent!

Thank you for reading. Have a great holiday season and keep learning!

Keith Rupnik

2024 End of Year Newsletter

Wed, 18 Dec 2024 05:00:00 GMT

2024 End of Year Newsletter

"Another year over. And a new one just begun."

-- John Lennon

As I get older, time seems to go by faster. Einstein is right: time is relative!

I looked at last year's newsletter, and the main challenges predicted for 2023 are still challenges for 2025, with the addition of one more challenge: noise. More on that later. So, does the lack of change mean we didn't improve in 2024? Yes and no. Implementing ITAM is a series of continuous improvements that go on forever, so it's a program, not a project. Some of ITAM's challenges have also evolved and are different.

The key areas that will remain in focus include artificial intelligence, cyber security, cloud, the economy, global unrest, and the new edition, noise.

Let's explore these topics and why they will likely be crucial in the coming year.

Artificial Intelligence (AI)

Will the hype finally come to an end in 2025? To some degree, yes, but it depends on the new capabilities introduced. We saw that this year with AI agents. Organizations will continue to evaluate and deploy AI solutions. Still, the justification behind these projects will vary, similar to when everyone had to have a website. This is how I see AI adoption, which is very similar to the adoption of website technologies in the late 1990s. Organizations went on spending sprees sometimes just because their competitors had one!

For ITAM, this means getting ahead of AI purchases. You will not stop these purchases; you will get run over if you try. The objective should be to document everything you can, including why AI is being used, where it's being purchased and from whom, contracts, how the technology is tracked, the costs, and the risk exposure. You will need to see what current processes and tools can be used to manage AI IT assets. If you are not following technology, then you should be.

Regarding AI's impact on ITAM, I still don't see AI replacing ITAM any time soon. AI's value for ITAM at this time is helping to identify ITAM data, the data relationships, and IT asset usage patterns. Most ITAM programs do not have enough valid data for AI to consume. I doubt there is enough ITAM data, even in the largest organizations, to build a usable AI model without using large volumes of synthetic data. One interesting exception is ServiceNow because ServiceNow is a cloud solution and may be sitting on a large amount of ITAM data. But then again, how clean is the ServiceNow data?

Cyber Security

It is still disappointing that ITAM is not playing a significant role in IT security's efforts despite all the frameworks that require it. ITAM is the missing link to giving IT security the proactive advantage it desperately needs to succeed. In 2025, ITAM must commit to working with IT security first to learn their challenges and then to educate security on how ITAM will help.

Learn more from our self-paced "ITAM and Cyber Security Workshop" at https://www.itamiq.com/store#Cyber . In early 2025, we will release a new version reflecting updates to CIS's and NIST's cybersecurity platforms. This update is free to everyone who has purchased the workshop.

Cloud

Cloud is not losing steam, but it is getting more expensive, and organizations are still struggling to manage costs. This is not surprising given the ITAM service industry's approach to managing the cloud is SAM and FinOps. Both are needed disciplines but only manage a small part of cloud’s complexity. AI became the new service to emerge in 2024 and will significantly add to the cost of cloud services, and not just financial costs. Cloud AI is cheap right now compared to what it will be in 2025. You must apply Cloud Asset Management (CAM) to manage the cloud correctly. CAM manages significantly more than finance and SAM, making each of those disciplines better.

Learn even more from our cloud asset management courses, SaaSAM and CAM. Details can be found at https://www.itamiq.com/cloud-asset-management .

The Economy

Economic uncertainty will continue into 2025, but not for the same reasons as in 2024. 2025's uncertainty will originate in the US due to a new administration. With the promise of sanctions and cutting costs in the public sector, there is much angst over the economic impact. Executives and the stock markets do not like uncertainty, so expect the first quarter of 2025 to be volatile. The effect on ITAM will be to find ways to cut costs and, depending on sanctions, new vendors. ITAM must prepare for these scenarios.

Global Unrest

And again, global unrest will continue into 2025 and probably every year after that. A new administration in the US brings unpredictability around the globe. We also don't know the impact AI will have on poorer nations. Add to that global warming, and we may have a perfect storm brewing. The effect this has on organizations can be chaotic, with wild swings in revenue, profit, and the supply chain. ITAM needs to be prepared for anything, and the way to start is by keeping up with current events and talking with your business leaders to get their perspectives. Then, ITAM needs to prepare to react. We like to say ITAM is proactive; one of its strengths is its ability to respond to changing market conditions.

Noise

We released a free course this year to help you create a plan to secure an executive sponsor. During my research for this course, I concluded that one barrier to ITAM's adoption at the executive level is the noise created by ITAM solution providers. Solution providers constantly seek messaging that helps sell their products and services. For example, when cloud adoption started accelerating, the solution was SAM, SAM, and more SAM. Why? Because the vendors had SAM solutions to sell. Then came FinOps, and these solution providers switched to the more popular message, FinOps. FinOps was a gift! So, the cloud management solution providers switched from SAM to FinOps, FinOps, and FinOps. Now, we are seeing AI creep into the messaging, but for the reasons mentioned earlier, it's a hard sell. Now I'm seeing messages saying SAM is dead and that it's no longer about license compliance but data provided by FinOps. I still see talking heads in the ITAM space speaking only of SAM while ignoring HAM and ITAM. A lot of noise from "industry experts" creates too much confusion. If, after all, the ITAM industry's own "experts" can't agree on what ITAM is, then how can executive management be expected to support it? For ITAM, you have to understand what ITAM is and the value you, not the solution providers, bring to your organization. As I mentioned, we have created a free course to help you secure an executive sponsor for your ITAM program. You can find this free resource at https://www.itamiq.com/executive-buy-in-for-itam .

Final Words

Unfortunately, 2025 will be a challenging year for ITAM, trying to justify its existence. ITAM is a very young profession, maybe, 30 years young. That's younger than IT! IT asset managers will be faced with managing day-to-day operations, taking on new responsibilities, and improving the program. However, the most critical goal the IT asset manager must achieve is executive sponsorship, perhaps now more than ever.

Please contact me with any questions or comments or if you just need to vent!

Thank you for reading. Have a great holiday season, and keep learning!

WEBINAR: How to Secure Executive Buy-In for Your ITAM Program (Get C-Suite Support!)

Mon, 21 Oct 2024 22:44:37 GMT

WEBINAR: How to Secure Executive Buy-In for Your ITAM Program

Get C-Suite Support!

Securing Executive Buy-In for ITAM Success

Achieving executive buy-in is one of an IT Asset Manager's most critical hurdles. Without executive support, #ITAM programs struggle to gain necessary resources, visibility, and strategic alignment. ITAM IQ is excited to introduce a comprehensive 30-minute video that explores why executives often don't engage with ITAM and outlines actionable strategies to secure their support.

In the video, you will learn:

Why Executives Don't Engage : Understanding the disconnect between ITAM goals and executive priorities.
How to Build a Case for Support : Crafting a compelling business case that aligns with the broader organizational objectives.
Steps to Get an ITAM Executive Sponsor : Identify and engage a high-level sponsor who can champion your cause.
To complement the video, a free 35-page workbook will help you build a detailed plan to secure and maintain executive sponsorship for your ITAM program. You will find a link to the workbook at the end of the video.

The Importance of Continuous Executive Sponsorship

Securing executive sponsorship is not a one-time event. It requires ongoing effort from you and your team to keep the sponsor engaged and invested in the success of the ITAM program. The key to maintaining sponsorship lies in demonstrating value consistently, aligning the ITAM program's outcomes with the company's strategic objectives, and keeping communication channels open.

You can find the video on our YouTube channel at

https://www.youtube.com/@ITAMIQ or go directly to the video on YouTube at https://youtu.be/iVTBgio9eGo .

Are Boeing’s Troubles a Lesson for Cloud Customers?

Wed, 03 Apr 2024 11:00:00 GMT

Are Boeing’s Troubles a Lesson for Cloud Customers?

Most of Us Don’t Make Money

Boeing forgot they made airplanes and switched to making money, and that’s where their problems began.

It is reported [1] that Boeing outsources seventy percent (70%) of its manufacturing to fifty (50) strategic partners. This outsourcing created challenges for Boeing’s vendor management, and based on unofficial results, it looks like they failed. Perhaps the greatest lesson that should be learned is that while Boeing’s outsourcers may have introduced failures, the public and the shareholders will hold Boeing responsible.

Lesson: Only the government makes money. The rest of us create products or services for which we get paid in currency.

Lesson: You can outsource work, but you can never outsource risk.

Déjà vu (All Over Again)

Organizations moving to the cloud should learn from Boeing’s mistakes. The primary lesson is to manage your outsourcers, although I seriously doubt that many are. This observation is based on what I see from industry, where the focus is on spending and little else. And why not? It’s so easy to see some of the total costs of outsourcing. And yes, the cloud is outsourcing. It’s a straightforward message for consultants and service providers to sell to a potential customer because the customer sees the spend, and solutions like FinOps wrap up the problem and the solution neatly with a bow on top. But I’m pretty sure Boeing had a handle on spending despite initial cost overruns, which had more to do with design and less with rogue spending.

IT and ITAM Must Learn from Other Industries

First, IT must accept that a good part of what we do is manufacturing. We manufacture software and information, and there is a supply chain of software and information. We take software and information from various sources, some inside our organization and some outside, and create products for internal or external consumption. The cloud has exasperated the manufacturing concept and our need for vendor management.

ITAM and Vendor Management

Vendor management has long been a part of ITAM; however, few have practiced it unless your responsibility is hardware disposal. Hardware disposal demands vendor management because electronic waste laws demand shared liability. However, there have always been significant opportunities for vendor management for other types of assets throughout the entire asset lifecycle. However, for multiple reasons, vendor management has not been practiced. Furthermore, IT vendors are different and cannot be managed to the lowest common denominator of how all other vendors are managed. For example, the lowest common denominator for vendor invoices is the charges are correct and billed to the appropriate purchase order. This criteria is insufficient for SAM.

Cloud and Vendor Management

Cloud asset management, like hardware disposal, demands vendor management throughout the asset’s lifecycle. This is why the new ITAM discipline Cloud Asset Manager (CAM) is required.

What’s Past is Prologue

Using the cloud is part of our software and information assembly line, increasing our dependency on third parties. Boeing has allowed us to see our future. The question is, what will ITAM do about it?

Please visit our course page or our Library to learn more about Cloud Asset Management.

[1] Tang, C. S. (2024, February 8). Boeing’s organizational problems date back two decades. IndustryWeek. https://www.industryweek.com/supply-chain/supplier-relationships/article/21282352/boeings-organizational-problems-date-back-two-decades

Garbage In, Garbage Out. AI and ITAM

Tue, 30 Jan 2024 01:10:55 GMT

Garbage In, Garbage Out

The latest generation of AI tools in 2023 came with great fanfare, and for good reason, it was warranted. This generation was a massive leap in capabilities beyond what we had seen from earlier generations. But as is with all new technologies comes the hype, and there is a lot of it. This article, published in January of 2024, addresses this hype and reset expectations regarding ITAM and AI.

Question: Will AI replace IT Asset Managers?

Answer: Yes! No! Maybe?

Anyone who answers "yes" or "no" to this question is not giving you good advice. The fact is, we don't know at this time. However, given the lack of quality and quantity of ITAM data, it's hard for me to imagine that AI can be effective.

Imagine an ITAM repository complete with data from all sources – ITAM, finance, legal, HR, IT, IT service desk, cyber security, and vendor management. Do you have this? IT asset managers are data quality engineers responsible for communicating the ITAM program's requirements to the functional areas and working with them to define processes that capture the data required by ITAM. Now, an AI tool that understands a complete ITAM program may be able to assess your ITAM program.

Next is SAM, or more accurately, LAM. Software licenses are a cross between legal and art. They are as much marketing documents as they are legal documents. They are ambiguous. How can AI accurately determine if your software use complies with an incomplete definition of compliance? Will the software publishers be motivated to create license language that clearly defines compliance that can then be used by an AI tool to audit software installations? This would require a shift in software publishers' business practices. If this happens, then the LAM position may be replaced by AI.

Finally, beware of perception. I know of too many ITAM groups whose staffs were reduced because of an economic downturn. That tells me either the ITAM program wasn't in a position to save the organization's money, or executive management didn't understand the value of ITAM. Sales is 100% perception, and if executive management is sold a solution that can replace IT asset managers with an AI tool, they just may take the bait.

As an IT asset manager, make sure your leadership knows you and your ITAM program's value and keep them updated. Keep your head up and keep informed about what's changing in the industry. As an IT asset manager, you must be a self-developer – someone who is committed to learning. One final note – know how to identify hype and control your reaction.

ITAM and CTEM: Threat Exposure Program Requires ITAM

Sun, 14 Jan 2024 00:27:48 GMT

ITAM and CTEM

IT security – you don't need to reinvent the wheel!

In the article "How to Manage Cybersecurity Threats, Not Episodes," by Kasey Panetta of Gartner describes the value of implementing a Continuous Threat Exposure Management (CTEM) program. Gartner acknowledges the need for organizations to be more proactive with their IT security programs and how the security program must adapt to ever-changing IT infrastructure and business objectives. From an IT security perspective, Gartner's direction appears to be excellent advice.

"By 2026, organizations that prioritize their security investments based on a continuous exposure management program will be 3x less likely to suffer a breach. "

"3x" is a bold statement, but if their recommendations are implemented appropriately, it is difficult to imagine the organization's IT security program would not significantly improve. The question then becomes, how much would it cost to implement this program or, more to the point, what is the ROI?

How much the program will cost is a good question. Unfortunately, Gartner appears to have defined CTEM in a vacuum, omitting the most critical component, IT Asset Management.

"A continuous threat exposure management (CTEM) program … prioritizes whatever most threatens your business."

To prioritize, you need to know:

The IT asset exists.
Where the IT asset is.
Who uses the IT asset (e.g., receptionist, marketing, legal, HR, executive).

Gartner defines five steps to create a CTEM program:

"Step No. 1: Scope for cybersecurity exposure, first for external and SaaS threats"

To understand the exposure, you must first understand what can be exposed. In other words, what IT assets do you have?
You must also know where the asset is located.
The SaaS asset may not be easily discovered, and the security exposure must include the SaaS provider, thus the requirement for Cloud Asset Management.
The I/PaaS asset type was not mentioned but has similar yet more complicated issues than SaaS and is also managed by Cloud Asset Management.

"Step No. 2: Develop a discovery process for assets and their risk profiles"

ITAM lives and dies by discovery and typically not just one discovery tool. Furthermore, the discovery tool is only effective for discoverable assets.
The ITAM staff reconciles what was discovered against the current inventory.
Discovery is an ongoing effort aided by ITAM processes that capture the request, approval, procurement, receiving, configuration, deployment, in-use, recovery, and disposal of IT assets.

"Step No. 3: Prioritize the threats most likely to be exploited"

To properly prioritize threats, you must know what assets are in use, where the assets are located, for what purpose, and by whom. ITAM lifecycle processes capture all of this information.

"Step No. 4: Validate how attacks might work and how systems might react"

The data curated by ITAM provides an accurate picture of the attack surface. An accurate attack surface allows IT security to create valid attack scenarios.
An accurate attack surface makes the blue and red team's exercises efficient.

"Step No. 5: Mobilize people and processes"

An effective ITAM program establishes channels for communication and education horizontally and vertically across the organization.
The CTEM program can leverage these channels to promote its program.
ITAM can benefit from the CTEM program if the communication channels are incomplete.

Why Reinvent the Wheel?

The ITAM program serves the entire organization. ITAM serves finance with evidence on how the IT budget is used and by applying a disciplined approach to procurement. The legal function benefits from ITAM's commitment to satisfying an IT asset's compliance requirements and supporting the organization's legal obligations. The IT function gains significant efficiencies through a disciplined approach to managing the asset's lifecycle, rationalizing IT asset types, and meeting the organization's business needs. End user's requirements are well represented. Business units can enjoy using their bright, shiny new asset while relegating the asset's business administration to ITAM. Executive management has an accurate insight into the performance and return on investment of probably the only business asset that touches every dollar, pound, yen, or euro. Finally, IT security leverages the processes and data collected and curated by ITAM to protect the organization's crown jewels efficiently, effectively, and accurately.

Implement CTEM and Get a Bigger ROI with ITAM

That's right! If you implement CTEM without ITAM, you will spend more money on less accurate data. How? As stated above, ITAM delivers value to the entire organization. When you implement an ITAM process for, say, finance, you will most likely be able to leverage that process and the data for other functional areas. ITAM may be an organization's best investment of all its core business programs. But how many ways does ITAM support IT security? I'm glad you asked!

Cyber Security Frameworks

There are many cybersecurity frameworks to select from when implementing an IT security program. NIST's Cybersecurity Framework and the Center for Internet Security's (CIS) Controls are two of the most popular frameworks. ITAM IQ has mapped these two frameworks to the ITAM program, and the result was quite impressive.

ITAM IQ identifies 37 ITAM components representing the IT asset lifecycle, standards, and initiatives.

CIS has 161 controls, and when mapped to ITAM, the result is over 400 points where ITAM components enable and support the CIS framework.

NIST has 23 functions and 108 categories, and when mapped to ITAM, the result is over 300 points where ITAM components enable and support the NIST framework.

Regardless of the framework, there are over 300 ways the ITAM program can be leveraged to support your organization's IT security program. Even if you have a basic ITAM program, chances are you can leverage what is already in place to accelerate your IT security program while saving money on implementation.

ITAM / Cyber Security Workshop

ITAM IQ used the above-mentioned results to create an affordable workshop that includes an ITAM program primer along with the mapping between ITAM and NIST's and CIS's frameworks. For more information, please visit https://www.itamiq.com/ITAM-CyberSecurity-Training.

Remember, an organization's IT security is only as good as its ITAM program!

Citations

Panetta, K. (2023, August 21). How to manage cybersecurity threats, not episodes. Gartner. https://www.gartner.com/en/articles/how-to-manage-cybersecurity-threats-not-episodes

Pezeta, L. (2019). Black Telescope Under Blue and Blacksky. Pexels. Retrieved January 12, 2024, from https://www.pexels.com/photo/black-telescope-under-blue-and-blacksky-2034892/.

2023 End of Year Newsletter

Wed, 06 Dec 2023 23:46:09 GMT

2023 End of Year Newsletter

As we wind down another year, let's try looking into the future and predict the hot topics that will dominate the IT Asset Management arena in 2024. Based on my analysis, the key areas that will remain in focus include artificial intelligence (surprise, surprise), cyber security, cloud, the economy, and global unrest – which is nobody's favorite except for anarchists.

Let's take a closer look at these topics and explore why they're likely to be so important in the coming year.

Artificial Intelligence (AI)

The biggest story of 2023 is AI. AI has created hype like no other since Y2K and the World Wide Web. It caught almost the entire industry by surprise, and its hype may be warranted. That hype is what makes AI so dangerous. Companies will seek competitive advantage and fear what their competitors may be doing, pushing them to act quickly. You will hear more about time to market, first to market, agile everything, and the need to take risks. The standard technology diffusion curve does not apply here. ITAM must be ready, but you may struggle to manage cloud assets. If you haven't already, it's time to deploy Cloud Asset Management.

Learn more from our article " The Perfect Storm is About to Hit Organizations " on LinkedIn.

Cyber Security

I'm sorry, but cyber threats are not going away in 2024 and will probably get more sophisticated with the bad guy's use of AI. The industry still hasn't learned what it takes to maintain an accurate IT asset inventory. Until they do, insanity, doing the same thing repeatedly while expecting different results each time, will be the word that best describes the maturity level of the organization's cyber security program.

Learn more from our self-paced " ITAM and Cyber Security Workshop ."

Cloud

Do you think your organization has hit the peak of interest in cloud technologies? Think again. Guess what is dependent on the cloud? AI! As your organization looks at ways to implement AI solutions, you can assume cloud technologies are right behind it (literally and figuratively). The bad news may be that AI solutions bring in a new cloud service provider (CSP). Sure, it would be easier to use AI from an existing CSP like Amazon or Microsoft, but does that vendor offer the best solution right now? Then again, the best solution right now may not be the best solution tomorrow.

Learn even more from our cloud asset management courses, SaaSAM and CAM .

The Economy

While inflation may appear to be subsiding, let's not forget what's behind that decline – rising interest rates, which are implemented to slow down the economy's growth. We are seeing the effects of inflation and rising interest rates with layoffs. Is your ITAM staff protected if downsizing occurs within your organization? Was your ITAM staff protected in the past?

Economic uncertainty will play a role in corporate volatility. This volatility can manifest itself in multiple ways, including price changes, repackaging of services, companies closing, mergers, and acquisitions.

Learn more from our free course " IT Asset Management in a Down Economy - Surviving and Thriving ."

Global Unrest

While most people may associate global unrest with wars and coups, I also add global warming and natural disasters because these both contribute to political instability. 2023 has brought us plenty of unrest and will continue into 2024. And just for the fun of it, let's add the US presidential election into the mix. We all must keep an eye on rising prices, cyber-attacks, and disruptions to the supply chain in 2024.

�� ITAM's a Highway! ��

�� I want to ride it all night long! ��

Do you really want to ride it "all night long," as the song goes?

A few years back, I recommended IT asset managers get their ITAM program in shape because a new asset type, the cloud, would stress-test their program. Lucky for IT asset managers, FinOps has provided a great distraction. While FinOps is extremely valuable, it's just one small part of managing cloud assets and probably one of the easier tasks! The wheel above, which I call the "Wheel of Stress," will further challenge your ITAM program. I didn't mention IoT, quietly making its way into organizations and turnkey systems!

When planning your day-to-day ITAM activities, if all else fails, print the "Wheel of Stress," cut out the circle, add a spinner, and spin your way to a different stress each day. ��

Like this year, time is flying by, and with it, more new technologies. If you are not making time to improve your ITAM program, the work will continue to pile up, and new asset types will not be managed appropriately. Executive management is focused on revenue, profit, shareholders, and the market. Rarely will they tell you to take the time to make things better. This means YOU must make the time to make improvements. I've done this many times in my career. Feel free to contact me to discuss strategies and tactics.

Is FinOps Hijacking Your ITAM Program?

183:844946220 (Keith Rupnik) — Tue, 14 Nov 2023 00:33:42 GMT

Is FinOps Hijacking Your ITAM Program?

FinOps is a valuable new tool for finance, IT, and ITAM. FinOps came into being for a simple business reason: Cloud Service Providers (CSP) charge for their technology-as-a-service. ITAM has always wanted to know the total cost of ownership (TCO) for services provided by the organization's IT team; however, IT could not deliver for various reasons. This is evident by the very few organizations that implemented chargebacks. So, it should be obvious that FinOps plays a vital role in the ITAM Program, but how important and at what cost?

The hype meter was pinned when FinOps first became mainstream, promising to deliver the missing link businesses desired from their IT departments. However, FinOps is just one piece of the return on investment (ROI) that ITAM provides. So, let's take a realistic view of the limitations of FinOps.

Value

FinOps claims to deliver value through a better understanding of the cost of cloud services. While it is true that knowing the cost of cloud services is a variable in the value calculation, cost isn't the only variable. That's because FinOps measures cost in hard dollars and

Value <> the sum of all hard dollars saved

The calculation of value is much more complicated, including not only hard dollars but soft dollars as well. Let's look at one real-world example:

Executive: What is the chance that I will be audited for software?

ITAM: Well, we can provide some industry statistics, and there is a good chance we can be audited.

Executive: What is the chance we will fail the audit?

ITAM: We don't know until we assess our environment.

Executive: What is the cost of a failed audit?

ITAM: That depends on how far out of compliance we are.

Executive: If you can't show me the cost of a software non-compliance event, how can I justify implementing ITAM?

ITAM: << queue the sound of crickets >>

ITAM creates value by saving hard dollars and soft dollars. More on this later.

Quality

According to the FinOps profession, implementing FinOps allows you to make "trade-offs between speed, cost, and quality." I really thought this line of thinking had gone extinct in the 1990s. But here we are, assuming that quality can be traded! Engineering has learned that quality is a pay me now or pay me later proposition. You can trade off features, never quality.

Vendors

FinOps has been a gift to vendors who provide services and tools to the IT industry. Why? Because FinOps neatly packages up one of the requirements for managing technology – cloud spend. This gift allowed vendors to use an industry message clearly stating its value. And organizations need help implementing FinOps. This is not to fault vendors for taking advantage of an opportunity. And both vendors and organizations benefit from FinOps, so it appears to be a win-win. However, and you knew there was a "however" coming, the vendor's eagerness and success have fueled the hype, like the fear, uncertainty, and doubt of the software audit that the vendors in Europe used to sell SAM. With FinOps, only a slice of the ITAM solution is sold, and it could damage other FinOps initiatives.

Finance

Finance has not always been a friend of ITAM. In fact, of all departments, finance has probably been the most significant roadblock to ITAM's adoption. Let's look closer at areas within finance that have complicated ITAM's mission.

Procurement

Too many ITAM Programs are not permitted to be involved in purchasing and contract negotiations. Terms and conditions are critical to managing IT assets and vendors. There are ITAM Programs that are not allowed access to invoices, or ITAM's invoice retention requirements are not accepted. In many procurement departments, the focus is on getting the best price, and purchasers are rewarded based on price.

Price

The asset's price is often the only focus instead of the value. This goes back to the value equation described earlier, where the value of IT assets includes the vendor's willingness to provide soft dollar savings in the contract. Another example is the assumption that two IT assets appear similar but significantly differ from the end-user's perspective —for example, the difference between Word and a desktop publishing application.

IT Asset Cost

There are instances where a finance policy dictates if an asset should be managed based on an arbitrary cost. For example, one finance policy stated only assets over $700 could be managed. The ITAM Program was forced to bundle monitors with the desktop to push the value above the $700 threshold. Think of all the assets this policy would prevent from being managed!

Cost Avoidance

One of the more prevalent practices that hurts ITAM is the lack of acceptance finance shows for cost avoidance efforts and results. Here's a real-world example suffered by one ITAM team.

The ITAM team saved 14 million dollars over 18 months by redeploying IT assets. When finance was told of these savings, they were exuberant, well, at least until they found out how, and then finance's response was, "Oh, that's cost avoidance, we don't care about that, we assume you are doing it."

This scenario has been played across the world. Cost avoidance, both soft and hard dollars, is one of the greatest values ITAM brings to an organization. The effort of maintaining an accurate inventory and redeploying assets goes well beyond finance and delivers significant value to the entire organization. Ironically, cost avoidance is a high priority for FinOps by avoiding using only the cloud services needed!

What Should ITAM Do?

First, the IT Asset Manager should learn about FinOps and incorporate it into your Cloud Asset Management strategy. Second, determine if your organization has adopted FinOps. If your organization has already implemented FinOps, then engage with the FinOps team. This path may be more challenging if the FinOps team has not engaged ITAM. In either case, ITAM must work with FinOps and establish the ITAM Program as the central program that engages all parties with a vested interest in IT assets.

Resetting Expectations

FinOps brings great value to ITAM and should be embraced. However, FinOps should not be treated differently than if finance started using a new depreciation method or tax table – it's just data that helps ITAM create a more accurate TCO calculation. Also, remember that FinOps' primary focus is on cloud cost with less regard to capital costs that come with implementing cloud services. The cost of cloud services is just one piece of the TCO of cloud.

FinOps' intention is good. The proponents of FinOps emphasize the need for collaboration between finance and IT. However, the question that needs to be asked is – will finance change its approach to managing dollars? Perhaps more importantly, should finance change, and what will it take to change?

ITAM is a program that centralizes the efforts around IT assets to deliver information that can be used by finance, IT, IT security, legal, HR, business unit owners, and executive management to help achieve the organization's business goals while meeting corporate governance requirements.

S&P: IT Asset Management is Central to Cyber Security

Tue, 24 Oct 2023 23:46:23 GMT

S&P: IT Asset Management is Central to Cyber Security

And the rest of the organization, too!

From S&P Global Ratings, the article "Cyber Risk Insights: IT Asset Management Is Central To Cyber Security[1]" outlines how critical ITAM is to cyber security. In this paper, we look at how ITAM is vital not just to cyber security but to other departments as well, and implementing an ITAM program is more complex than it seems.

Excerpts from the article:

"For a cyber security system to be effective it must know what it is meant to protect"

"S&P Global Ratings considers robust ITAM to be vital to an entity's ability to proactively manage vulnerabilities, respond to incidents efficiently, and minimize the financial impact of cyber attacks."

"In our view, ITAM should be directed by explicit policy that provides the authority for the system to be effective and assigns clear roles and responsibilities."

"The absence of ITAM can create gaps and blind spots in organizations' cyber risk management"

"The FTC's complaint against Equifax, for example, cited an inability "to maintain an accurate inventory of public facing technology assets" that contributed to poor patching among the "basic security failures" at the company."

"U.K. government's National Cyber Security Centre. "Many organisations have significant gaps in what they understand about their environment."

The S&P article accurately identifies cyber security's need for ITAM. Yet here we are, still trying to justify an almost invisible program to executive management despite all the evidence.

NIST's cybersecurity framework states the requirement for ITAM, although weakly.
CIS's cybersecurity framework states the requirement for ITAM, although weakly.
And the famous saying "you can't secure what you don't know you have!" is ubiquitous.

And then there are the distractions:

Artificial Intelligence – offering hope for a more profitable future!
FinOps – the latest vendor-generated hype promising to deliver IT for everyone, cheaper and faster, but puts cybersecurity in the back seat.
Cloud – outsource everything for a cheaper and faster future!

Now, these statements may sound a bit cynical, and that's because ITAM has been slow to mature and become an organization's core competency. It doesn't help that a great deal of misinformation is designed to benefit the service provider more than the practitioner. Or that executive management still doesn't get what ITAM truly is. So, what's an ITAMer to do? Should we give up and seek out another profession? Should we keep our heads down and do what we are told? Or should we continue to fight this battle and be prepared for when the powers that be recognize our value? I'll choose the latter. I've heard many examples where ITAM was waiting in the wings, and when an opportunity presented itself, ITAM came to the rescue.

A successful ITAM Program has two perspectives – strategic and tactical.

The strategic approach defines a three-to-five-year roadmap for the ITAM Program and probably is the most complicated of the two perspectives. It is the most complex because developing the ITAM Program roadmap requires forming productive relationships with other departments and gaining executive management buy-in. A well-defined roadmap that includes the value of the business is mandatory to convince executive leadership.

The tactical perspective achieves two objectives. First, reliable execution of the current program, and second, working toward the objectives defined in the ITAM Program roadmap. Many ITAM Programs are only focused on the first objective due to the absence of a roadmap.

The line between strategic and tactical is fuzzy. As the situation warrants, IT Asset Managers will bounce back and forth between the two perspectives. Cybersecurity is one of those areas that requires a strategic/tactical approach.

"We thus also consider ITAM to be foundational to the effective conduct of many key cyber security activities, including vulnerability management, incident response, and cyber risk management."

Let's look at a diagram that appeared in the S&P article. The "brain icon" was added to identify ITAM IQ comments.

Security Monitoring

Any security framework of value states an accurate IT asset inventory is the foundation for the security program. The problem with this is the absence of any description of how difficult it is to achieve an accurate inventory. IT Asset Managers are well aware of the perception that all we do is "count things." Which leads to the subsequent great misunderstanding.

Lifecycle Management

While what is stated is true about lifecycle management, it is only one of the many benefits ITAM lifecycle management brings to security. The first benefit is an accurate inventory! That's right! You must manage the entire lifecycle of assets to maintain an accurate inventory. And what is the lifecycle? It starts when someone thinks they need an IT asset and goes beyond the end of the asset's life for some asset types.

Incident Response

Incident response depends on an accurate inventory and asset histories to determine the extent of any damage. Again, the reference to an "accurate inventory" is as if it were something that could be purchased at a convenience store.

Vulnerability Management

With every asset type comes vulnerabilities. Understanding those vulnerabilities is best done before a new asset type is purchased and then managing and tracking the asset through its life. Once again, an accurate asset inventory is required, and ITAM is the gatekeeper for all assets that connect to the organization's network.

Cyber Risk Management

Four words: accurate IT asset inventory.

The Bottom Line

ITAM delivers value for many functional areas, not just IT security, making it the organization's best investment in any business program. However, implementing an ITAM program is not easy. Starting with the PC era, organizations have become lazy, undisciplined, sporadic, and, let's face it, irresponsible when managing IT assets. From the PC to the laptop, the internet, then the smartphone, and to date, the cloud, we have been neglecting IT asset management for years. The expectation that an ITAM Program can be implemented within a year is, nicely put, unrealistic.

Simply put, your cyber security program is only as mature as your ITAM program.

[1] https://www.spglobal.com/ratings/en/research/articles/230815-cyber-risk-insights-it-asset-management-is-central-to-cyber-security-12819307

Hero photo credit: Leeloo Thefirst

NIST or CIS Cyber Security Frameworks... Does it Matter to ITAM?

Mon, 24 Jul 2023 20:04:33 GMT

NIST or CIS Cyber Security Frameworks... Does it Matter to ITAM?

The Perpetual Process Behind an Accurate Inventory

Regardless of which cyber security framework your organization has chosen (or will choose), an accurate IT asset inventory is a requirement. It's important to note that maintaining an accurate IT asset inventory is an ongoing process rather than a one-time event. Let’s start by briefly examining what IT asset lifecycle management entails.

Although the above description may seem simple, much more is happening behind the scenes. For instance, the IT Asset Management (ITAM) program identifies and oversees the electronic waste disposal vendor. And a lot of data is being generated by different departments. This data must be curated to create meaningful information and linked to the asset. From one perspective, the ITAM Program operates in the same way, regardless of the security framework in place. However, the specific details of the framework may require the ITAM Program to make some adjustments.

Cyber Security Frameworks and The ITAM Program

Two of the most well-known and widely adopted IT security frameworks are from NIST (National Institute of Standards and Technology) and CIS (Center for Internet Security). NIST’s framework includes 23 Functions and 108 Categories, which can be matched with ITAM Program elements in over 300 ways. Similarly, CIS’ framework has 19 Controls and 161 Safeguards that can be mapped to ITAM Program elements in over 400 ways.

Organizations choose between NIST or CIS based on their needs. The NIST framework is more abstract and has been adopted by larger organizations. Meanwhile, CIS provides greater detail and is often adopted by smaller organizations.

Many IT frameworks and IT Asset Management (ITAM) share a common trait in how they mature - starting small and gradually improving over time. There is a symbiotic relationship between these two areas, with a more mature ITAM program accelerating the maturity of frameworks. However, a key difference between the two is that IT security is a vertical function with horizontal requirements, whereas ITAM is a horizontal function with horizontal requirements. When implemented correctly, ITAM can benefit not only IT security but also other stakeholders such as finance, IT, HR, legal, etc. This means that ROI on ITAM improvements is often higher than those made within verticals.

Many organizations still struggle with IT security. The threat from malicious actors is constantly changing and seems to be never-ending. While it may not directly add value to the organization, security is crucial and cannot be ignored. We must accept this reality and focus on making the most of our IT security investment while safeguarding our data. What steps can we take moving forward?

Securing the Data

The role of the IT asset manager includes acquiring knowledge about IT security and enhancing the ITAM Program to facilitate IT security endeavors. Both roadmaps should complement each other for a cohesive approach toward achieving the common objective.

IT security professionals must work closely with ITAM and fully comprehend how it can effectively reduce their workload. ITAM is essentially the proactive arm of IT security and should be utilized accordingly.

IT professionals should collaborate with ITAM and IT security as many IT processes generate data that these departments require. The key challenge is ensuring that the data produced is high quality and deemed trustworthy.

IT security requires participation from everyone in the organization. What better discipline to support IT security in this endeavor than ITAM, which also requires everyone’s participation? The return on an organization’s investment in IT security is multiplied when ITAM is included. This increase in ROI is not only measured in euros, pounds, or dollars it is also, and perhaps most importantly, measured in the protection provided to your organization’s data.

NIST: https://www.nist.gov/cyberframework

CIS: https://www.cisecurity.org

What's Next?

Our ITAM/NIST/CIS mapping and training blaze the trail to protect what's most important, the data. Click here to learn more about the ITAM / Cyber Security Workshop

FREE MASTER CLASS: Modern ITAM - Managing Cloud Assets

Sat, 22 Jul 2023 14:28:04 GMT

Modern ITAM - Managing Cloud Assets Master Class

Free Cloud Asset Management (CAM) Course

Cloud assets are a different type of asset requiring a modern management approach. There are three main cloud architectures: SaaS, IaaS and PaaS. In this Master Class you'll discover what it truly takes to manage all forms of cloud assets throughout their entire lifecycle.

Discover:

What Cloud Asset Management really means
The three main types of cloud architecture (SaaS, PaaS, and IaaS) and how they differ
Where cloud assets fit into your current ITAM Program
How the cloud asset lifecycle differs from traditional IT assets
The challenges of managing the cloud
The pitfalls organizations face with the mindset that "current methods are good enough"
The benefits of implementing Cloud Asset Management

Yes! Please send me the free course, Modern ITAM - Managing Cloud Assets Master Class!

SaaS Asset Management Worksheet

Thu, 20 Jul 2023 21:13:00 GMT

Struggling with unexpected SaaS expenses and program integration? Master SaaS governance with our best-practice, ITAM-focused worksheet.

The Cyber Security War

Thu, 13 Jul 2023 13:12:45 GMT

The Cyber Security War

In Steve Preston's excellent article at Dark Reading, "Cyberattacks Are a War We'll Never Win, but We Can Defend Ourselves," the article identifies challenges that an ITAM Program would undoubtedly help alleviate or even eliminate. What follows are Mr. Preston's comments in quotes followed by how ITAM can help.

"The cybersecurity war will never end."

I believe most if not all, people would agree with this statement. Fortunately, ITAM is a program that never ends, so the ITAM Program will always be there to support IT security's constantly evolving initiatives.

"Built-in security is more than technology. It needs to be part of an organization's culture," and "Only by developing a culture that understands cyberattacks are inevitable can an organization hope to ensure an orchestrated team response from the get-go."

Cultural awareness is the same objective that ITAM has. Anyone who touches an IT asset is part of the program, and ITAM processes, when implemented appropriately, provide an opportunity for continuous education of the organization's employees and consultants. End-users must know all their responsibilities regarding "touching" IT assets. And these responsibilities go well beyond IT security.

"Every camera, printer, router, scanner, forklift, coffee pot, or toy — everything and anything with software or firmware in it — should be built securely"

How much money does your organization spend evaluating, testing, and applying patches? Patches do not add value; in fact, they do the opposite. Patch management consumes time and resources that could be better spent adding value to your organization. Organizations must track the quality and reliability of the products and services they use to understand the real value and true cost being realized. The cost incurred due to poor quality must be communicated to the vendor and to the group that negotiates purchases.

"Clean Backups Are Crucial"

Creating the appearance that data has been backed up is easy. The question is – do you trust the backup? Perhaps the more significant question is, what needs to be backed up? The ITAM Program needs to define roles for IT users so that IT standards can be accurately defined. An added benefit of user-defined roles is identifying the data required by the role and how to back up the data for each data-bearing asset type.

"Innovation Is Constant, on Both Sides"

Both good and bad guys are innovating to accomplish their goals. ITAM relies on continuous improvement as a strategy for maturing the ITAM Program. As IT security adapts, ITAM will be there to support IT security initiatives. ITAM is also well aware of new technologies and their adoption by the organization. ITAM's awareness is shared with several departments, including IT security.

"The only true defense is to recognize that fact and take a proactive approach to security."

I couldn’t agree more that a proactive approach is needed. I believe so much of IT security's time is spent reacting to attacks and incidents that there is little time to be proactive. But ITAM is designed to be proactive and reactive in support of multiple departments. ITAM can and should be the proactive arm of IT security by doing what ITAM must already do, which is:

Manage the design, implementation, and monitoring of the on/off-boarding for everyone who touches an IT asset, including part-time employees and consultants. The on/off-boarding process should educate people on their responsibilities to the organization when interacting with IT assets. This education should continue throughout the person's employment.
Manage the vendors that provide products and services.
Oversee the creation and maintenance of IT standards to ensure an understanding of how the IT asset will be used and managed.
Manage the entire lifecycle of all IT assets by managing the design, implementation, and monitoring of each asset. This includes establishing gates during the asset's lifecycle to collect asset data and eliminate rogue assets. Every step in the lifecycle of an IT asset is an opportunity to collect data on the asset's acquisition, receiving, configuration, deployment, recovery, and disposal.
Curate IT asset data so that IT security and other departments have a single source of truth.

Better Together

One of ITAM's greatest strengths is being proactive when managing IT assets. Our lifecycle starts when someone "thinks" they need an asset and lasts long after the asset has been disposed of. IT security should do what it does best – monitor our networks, prepare for the next attack, and stay steps ahead of the bad guys. But IT security can only accomplish these goals if they have a clear and accurate picture of all IT assets, including past, present, and future, and on or off the network.

Mr. Preston's article is available at:

https://www.darkreading.com/attacks-breaches/cyberattacks-are-a-war-we-ll-never-win-but-we-can-defend-ourselves

What's Next?

Did you know that ITAM supports cyber security in 750+ ways? Our ITAM/NIST/CIS mapping and training blaze the trail to protect what's most important, the data. Click here to learn more about the ITAM / Cyber Security Workshop

ITAM in the Cloud - Manage the Cloud with Confidence

Mon, 03 Jul 2023 19:38:03 GMT

Manage the Cloud with Confidence

Cloud Asset Management (CAM) is a new and innovative discipline within IT Asset Management (ITAM) that is dedicated to managing assets within the cloud.

While Software Asset Management (SAM) or Financial Operations (FinOps) may initially appear sufficient, CAM is uniquely equipped to handle the hidden challenges when managing cloud assets.

Part 1: Introduction to Cloud Asset Management (CAM)️✨

The cloud presents several challenges that require a tailored approach. Firstly, cloud services are notorious for obscuring the inner workings of IT operations behind the walls of the cloud service provider. Consequently, transparency becomes a major obstacle that hinders effective management.

Secondly, adopting the cloud introduces a level of complexity, with different cloud models such as SaaS, PaaS, and IaaS, each with its own unique pricing and add-ons. Successfully managing this level of complexity requires control over change, process, standards, knowledge, and contractual language.

Thirdly, while managing costs in the cloud is crucial, it is not the only challenge. The perception of cloud services as low-cost and easy to configure has led to departments using IT budgets for their own initiatives. This necessitates ITAM to broaden its services and manage assets sourced outside of IT.

Lastly, imagine CAM as inheriting an additional ITAM Program for every cloud service provider that your organization uses. It's like merging two organizations, but with limited transparency into the acquired program.

CAM to the rescue!

Cloud Asset Management provides organizations with a comprehensive approach to effectively manage their cloud assets. By leveraging CAM, organizations can overcome the unique challenges that come with cloud asset management and ensure they are managing their cloud assets efficiently.

Part 2: Benefits of Cloud Asset Management (CAM)️✨

Next, we uncover the fantastic benefits of Cloud Asset Management (CAM) and how it can revolutionize your SaaS, PaaS, and IaaS asset management strategies.

To begin with, CAM promotes operational transparency in IT operations (devops), even in the cloud. It guarantees that various stakeholders, including finance, legal, and cyber security, are represented, giving everyone the same level of transparency they need.

Moreover, CAM concentrates on complying with the terms and conditions of the cloud contract, comparable to software compliance. It aids in creating the contract and managing the vendor based on performance and user feedback, ensuring compliance and value for the organization.

Additionally, cloud assets necessitate particular expertise and knowledge to protect the organization's investment and reputation. CAM provides in-house expertise to meet corporate governance requirements, such as HIPAA and GDPR compliance, within the cloud environment.

Last, but certainly not least, various departments such as finance, IT, IT Security, vendor management, legal, HR, business units, end-users, and executive management all have their unique interests when it comes to the cloud. CAM takes a balanced approach to managing the cloud, ensuring all interests are considered, thus maximizing the organization's ROI.

By implementing CAM practices, organizations can optimize the value of their cloud services while minimizing risks. CAM enables enhanced transparency, compliance, and the full potential of cloud assets to be leveraged. It's a win-win situation for your organization and its stakeholders!

Part 3: Key Features of Cloud Asset Management (CAM)️✨

This brings us to the vital components of Cloud Asset Management (CAM) and how they contribute to effective asset management.

1️⃣ CAM prioritizes contracts as they are crucial in managing cloud assets. This involves overseeing the performance of the cloud service provider (CSP) and gaining transparency into their IT operations. Contracts represent the interests of various stakeholders such as finance, cyber security, legal, and end-users.

2️⃣ CAM acknowledges the lack of transparency into the CSP’s IT operations and relies on CSP-provided information. It then consolidates this data into meaningful insights for different stakeholders, including IT, cybersecurity, and finance. This data becomes a part of the ITAM repository, preventing data duplication and providing a comprehensive view.

3️⃣ CAM aims to maximize cloud service value while minimizing risks. This involves ensuring that the organization's investment in cloud services goes beyond cost savings and delivers best-in-class operations, freeing up IT resources to provide greater business value.

4️⃣ CAM brings together all special interests from IT security, IT, vendor management, legal, finance, HR, business units, end-users, and executives. This approach ensures that no single party dominates cloud requirements or cloud management.

Part 4: CAM and Other Asset Management Disciplines✨

Let's explore the relationship between Cloud Asset Management (CAM) and other asset management disciplines, shedding light on their similarities and differences.

We'll start with IT Asset Disposition (ITAD). Surprised? ITAD deals with the responsible disposal of electronic waste. In many countries, the disposal of e-waste is a shared responsibility model meaning both your organization and the ITAD vendor can be held liable if e-waste is not disposed of properly. Likewise, your organization and the Cloud Service Provider (CSP) have a shared responsibility model, if not by law, then by public opinion. CAM involves vetting and monitoring vendors throughout the asset’s lifecycle, just as ITAD does for electronic waste disposal.

When it comes to Software Asset Management (SAM), there are similarities with CAM in terms of managing compliance and usage. Both rely on contracts and licenses to ensure adherence to terms and conditions. However, the similarities end there as CAM's unique focus is on managing services while SAM concentrates on the products. Again, CAM must manage the vendor throughout the cloud asset's entire lifecycle.

Finally, CAM goes beyond just monitoring costs (FinOps) and involves vendor management, governance, cyber security, and engaging various stakeholders from IT to legal. CAM bridges the gap between technology and business, providing a specialized approach to managing cloud assets.

Bottom line: CAM is a crucial discipline that requires specialized attention. Understanding the distinctions between CAM and other asset management disciplines is essential in developing a comprehensive strategy for managing all your organization's IT assets effectively.

Part 5: Why Cloud Asset Management Matters

Cloud Asset Management (CAM) is an indispensable tool that will optimize the value of your cloud assets while minimizing risks. To emphasize its importance, here are three reasons why CAM is crucial for your business operations:

1. Outsourced ITAM: Adopting cloud services doesn't mean you relinquish responsibility for IT Asset Management (ITAM). Instead, you take on another ITAM program managed by the cloud service provider (CSP). CAM is essential to ensure that you effectively manage the CSP's ITAM program to protect your organization's interests.

2. Organizational Challenges: While easy access to cloud services presents many benefits, it also comes with challenges in spending, value, governance, and cybersecurity. CAM provides a professional team that bridges the gap between technology and business. This team ensures that your cloud services are in line with the organization’s objectives.

3. Value and Risk Optimization: CAM's primary focus is on maximizing the value derived from cloud services while minimizing risks. This approach guarantees that your investment in the cloud delivers best-in-class operations and allows your IT resources to provide greater business value. By embracing CAM, you can confidently navigate the complexities of the cloud, ensuring transparency, compliance, and optimized value.

Unlock the full potential of your cloud assets. Incorporate CAM into your asset management strategies and you can rest assured that your organization's cloud services are managed effectively and efficiently, enabling you to concentrate on other critical business operations.

Thank you for taking the time to read this series. We wish you all the best in your IT Asset Management endeavors.

Sincerely,

Your advocacy team at ITAM IQ.

Ps. Don't forget to subscribe to ITAM IQ and follow us on social: LinkedIn , Facebook , and YouTube

ITAM Primer Part 1: Setting the Stage

Wed, 29 Mar 2023 17:15:48 GMT

ITAM Primer - The Program Manager's Guide to IT Asset Management

Part 1: Setting the Stage

Part 2: ITAM Definitions and Structures >

“To know what you know and what you do not know, that is true knowledge.” — Confucius

EXECUTIVE SUMMARY

I had the privilege to work with over a thousand IT Asset Managers from around the world and learn from them effective practices when implementing an ITAM Program. What is presented here is the collection of practices from hundreds of programs. It’s not theory, it is practical, and it is proven.

The need for ITAM has grown over the decades from advances in technology and decreasing costs. These advances have made technology easier to use and no longer require an IT expert to administer. This evolution, however, has created a significant problem – the decentralization of the business administration of IT.

In the early days of IT, executives had to approve the purchase of the mainframe computer and software. With executives being involved, this ensured a direct connection between cost and ROI. As the adoption of desktops, laptops, and servers grew, executives began losing insight into what was being purchased and for what business purpose. The IT budget now includes tens of thousands of assets. At the same time, risks from using IT also began to grow. Legislation was passed to protect privacy and the environment, while hackers realized corporate data and the destruction of business operations was lucrative. Whether it was the growing complexity of IT or the lack of insight into how IT impacts the business, the CEO left the responsibility of IT in the hands of the CIO or CTO. What followed were questions such as “how do we align IT with the business?” and then the obligatory articles and consulting services. Still, the gap between IT and business continues to this day.

Fact: Every dollar, pound, euro, or yen is touched by IT, which means cutting a small percentage point off that income before you plan on spending it.

Fact: Every organization needs IT to run its business, and its competitors can beat them with better technology.

ITAM is designed to maximize the value of your IT investment while minimizing its risk. ITAM achieves this by representing the interests of all parties who have a stake in IT’s performance – including the executive team. To represent your interests, you must enable ITAM to define the program’s requirements. These are the requirements of all departments that feed the ITAM program with data. This data is used to create accurate, complete, and timely information needed to run the business successfully.

The ITAM Program is not meant to hinder or slow progress. It is intended to ensure your organization uses IT to its benefit. Without executive management buy-in and support, the ITAM Program is constrained, left to the heroics of a few to implement, limiting its value.

GOOD NEWS AND BAD NEWS

Adopting ITAM should not be the discussion. If an organization buys, receives, deploys, and stops using IT, by default it already has IT Asset Management, however inefficient.

The good news? You don’t have to debate whether to adopt ITAM since you already have it.

And the bad news? ITAM must be sold to executive management, IT, IT security, legal, HR, finance, business unit leaders, and users. Funding and resource allocation is also a challenge. The longer ITAM has been ignored, the longer it will take to implement a proper ITAM program. ITAM is as much a people issue as a process and tools issue, if not more.

So, what makes ITAM such an excellent investment? Investing in ITAM for the benefit of one department most likely benefits other departments. It would be difficult to identify another investment in a business’s core competency that yields such significant return. ITAM accomplishes this by realizing value from an organization’s IT investment.

THE ITAM VALUE PROPOSITION

FINANCIAL

Two IT budget metrics, ROI and TCO, are estimated before acquiring an asset. The ROI and TCO exercise vary based on the asset type. For example, acquiring an ERP is a complex process for estimating the ROI and the TCO compared to a technology refresh of laptops.

By managing and tracking IT assets, ITAM provides transparency if and how IT assets are used. No one wants to spend money on something that is never used. How the IT budget is spent is of great interest to finance and executive management. It also forms the basis for chargebacks.

Finally, taxation takes many forms, including sales tax, use tax, import tax, and depreciation. ITAM ensures the organization follows the tax laws and takes full advantage of tax credits.

RISK

Using IT assets brings risk to the organization. Cyber security depends on ITAM’s asset lifecycle management and is required by several frameworks. Security not only protects organizations from being shut down, but cyber security also protects the organization’s intellectual property. Finally, there are the liabilities an organization inherits from employees using the organization’s assets, such as vicarious liability. These risks are lessened when there is visibility into what is owned by the organization, how IT is used, and who uses the technology.

COMPLIANCE

Organizations have compliance requirements originating in the countries where they operate or international laws. Examples of statutes include GDPR, HIPAA, EPA, WEEE, and copyright laws. ITAM supports the organization's compliance efforts by adequately managing IT assets. Whether disposing of hardware according to EPA requirements, tracking systems with PII data, or enforcing software compliance, ITAM’s discipline for managing IT assets is instrumental in the organization’s compliance efforts.

EFFICIENCY

ITAM advocates defining roles for the use of IT, and these roles are assigned to end-users. From the roles, IT standards are developed. IT standards reduce the complexity of the technology portfolio and create an opportunity for volume purchases, streamlining processes, and vendor agreements. The efficiencies gained through a managed IT portfolio benefit IT, the IT Service Desk, IT Security, Finance, receiving, disposal, and end-users.

Because ITAM is a horizontal function that should be a core competency, its practices can benefit several functional areas within the organization. An investment in developing a feature for one department most likely can benefit other departments. It is quite clear ITAM brings value, but how did we get to need ITAM in the first place? If so much value exists, why isn’t everyone adopting ITAM?

What value is ITAM bringing to the organization?

What departments and executives are aware of this value?

Does the organization see ITAM as bringing value?

In review ….

An organization that has IT assets has ITAM.
The ITAM value proposition consists of four principles: financial, risk, efficiency, and compliance.
The financial principal includes ROI, TCO, budget, chargebacks, and taxation.
The risk principle includes security challenges.
The compliance principle addresses the laws that apply to the organization.
The efficiency principle includes the operating efficiencies created by the ITAM Program.

HOW DID ITAM BECOME A CORE COMPETENCY?

Technology doesn’t stand still, and the personal computer (PC) was born. Dismissed as a toy by some, the PC put the personal in computing. And with the PC came a whole host of problems. These micro mainframes had storage and the ability to run software and later become networked. But the technology innovators were not done. The PC had one issue – it wasn’t portable.

The laptop took personal computing to the next level – mobility. Now you can carry a nine-pound computer with you everywhere you go. It could be connected to the network or not. You could use the laptop on a plane; you could use it on a train. You could use it in a car; you could use it near and far! It was a game changer with even more risks because the computer could operate outside the corporate network. But the laptop still wasn’t quite mobile enough for us.

While the Blackberry smartphone was popular with businesspeople and IT loved the centralized management, the iPhone took the world by storm. When the iPhone was first launched, articles were written with a title like “IT Will Not Allow the iPhone on the Corporate Network!” Within six weeks, these articles changed to “IT Struggles with iPhone Adoption.” The reason for this about-face was simple – an executive purchased an iPhone, came into the office, handed it to an IT person, and said, “here, make this work.” Nothing like an executive to shatter your IT standards or your career if you refuse! But a more significant event was occurring that would change the entire IT management landscape.

The iPhone moved us from IT-driven technology to consumer-driven technology. The end-user was now dictating the types of devices they wanted to use, and as hard as IT pushed back, the boat had left the dock. This brings me to these two rules of technology:

Technology changes
IT and ITAM can’t change rule number one.

The iPhone and the Android devices gave the user much more control and, indeed, mobility. These smartphone users became their own administrators. Some organizations even allowed employees to bring their own devices (BYOD) to work, which some CFOs loved because they thought the company wouldn’t have to pay for IT assets! This, of course, indicated the lack of understanding of TCO. While these devices were cool, a bigger screen was still missing!

Enter the iPad. A device that had some people confused because they wanted to use it as a laptop. But it wasn’t a laptop; it was a tablet. Indeed, not the first tablet but with the success of the iPhone, the iPad experienced great success. This device had the same risks as smartphones, mainly the user’s ability to administer it, store sensitive data, and lose it. These mobile devices were great and networked well with the internet, making work or play from anywhere possible.

As access to the internet became more ubiquitous and faster due to greater bandwidth and changes to hardware, technology companies took advantage by making their products and services accessible over the internet. The result was the formation of the cloud, which took the world by storm due to the global outbreak of COVID. The “cloud” was nothing new, but this version was aided by a perfect storm of faster hardware, greater internet bandwidth, mobile devices, and remote work due to COVID. The decentralization of IT is now in full swing.

During this time, the Internet of Things (IoT) is quietly evolving into what has been coined the “fog layer.” It’s a layer of sensor-type devices communicating with controllers that then, in turn, communicate with the cloud. The sensors and controllers make up the fog layer. The impact of IoT continues to be assessed as of this writing. However, it continues with fracturing IT’s control over the landscape.

What may not be clear is the impact advances in hardware play in the overall evolution of these systems. For example, the iPhone could not have succeeded without the advances in cellular technology. Moore’s law saw an increase in computing power while a decrease in cost. But at the same time, advances in power consumption, batteries, and heat dissipation permitted smaller devices. I call these technology enablers because they enable other technologies that people see and touch. Why should you care? By monitoring technological advances, you may see the next iPhone coming and then prepare your ITAM Program for its arrival.

SO WHY ITAM?

The need for ITAM was born out of the loss of control by IT. The decentralization of IT started with the PC and has continued and accelerated ever since. The mainframe IT staff were the guardians of IT’s spend, which was significant and new to executive management. Because of the cost, investments in IT had to be tied to business objectives with a realistic ROI or competitive advantage. The risk was consolidated as well. The number of IT assets in the mainframe era was significantly less than today, and yet the lowest-cost asset was still expensive. Today’s IT assets are affordable to the end user, and many software assets are free. Risk is spread across the end-user population. The following table compares the cost, risk, controls, and management efficiencies between present-day assets and the mainframe era (SUM is read as the “sum of all”).

The business administration of IT assets includes managing the asset from a financial, risk, compliance, and efficiency perspective. Often these four principles are divided across multiple groups such as finance, IT security, legal, and IT, plus the vested interests of the end user and business units. Because of the decentralization of IT into the hands of non-IT people, the business administration of IT assets needs to span the entire organization. Yet these non-IT individuals have little interest in business administration – they just want to use IT for their perceived purposes. Thus, the reason for ITAM.

An IT Asset Manager possesses the unique skill to span the divide between IT and everyone else in the organization to administer IT assets from a business perspective. From the business perspective, value and risk reduction are realized from the organization’s investment in IT.

Just for fun, what technology enablers do you see occurring right now?

In review ….

Technology has become more personal, with computing power now in the hands of the user instead of relying on a centralized computer.
The cost of present-day technology is very affordable for the end user.
Power and affordability led to the decentralization of the management of technology.
The decentralization aligned with silos within the organization requires the need to coordinate each vertical’s interests and activities through ITAM.

Go to Part 2: ITAM Definitions and Structures >

ITAM Primer Part 2: ITAM Definitions and Structures

Wed, 29 Mar 2023 17:14:13 GMT

ITAM Primer - The Program Manager's Guide to IT Asset Management

Part 2: ITAM Definitions and Structures

< Part 1: Setting the Stage

Part 3: The ITAM Ecosystem >

“To know what you know and what you do not know, that is true knowledge.” — Confucius

ITAM DEFINITIONS

ITAM AS A DISCIPLINE

Technical administration of an IT asset is performed by IT. IT Asset Management is a discipline and a profession that individuals learn to manage IT as a business asset. This means managing the financial value of the asset, the risks associated with the asset, and the benefit the asset brings to the business throughout the asset’s entire lifecycle. The ITAM discipline requires knowledge of IT, contracts, finance, cyber security, legislation, human resources, project management, and process management. Additionally, and just as important, the ITAM discipline requires business knowledge.

Does the organization view ITAM as a profession?

Does the organization view IT assets as a business asset?

ITAM AS A PROGRAM

Because the program relies on other departments, executive management support is mandatory. Executive management support can be secured as follows:

Define the ITAM Program and its value to the organization regarding financial, risk, compliance, and efficiencies.
The executive team assigns an executive sponsor.
The executive sponsor empowers the ITAM team by making the organization aware of the team’s existence, charter, and unequivocal support of the executive team.
The executive sponsor supports the ITAM team when needed, and the team keeps the sponsor aware of the program’s progress.

The ITAM Program is defined by the following:

The scope of IT assets that are or will be part of the program.
The ITAM department structure considers such things as the geographical locations of the organization and the type of business.
The ITAM program requirements of every department that provides data and controls.
The data maintained is required by the program.
Clearly defined roles and responsibilities of the organization.
The program’s policies, procedures, processes, and tools.

Does the organization view ITAM as a program?

Does the ITAM Program span the entire organization? If not, what departments involve ITAM, and to what extent?

ITAM AS A R OLE

Are ITAM roles clearly defined in the organization?

Which ITAM roles are not assigned but need to be?

ITAM AS A TITLE

IT ASSET MANAGER (ITAM)

The IT Asset Manager is responsible for the performance and direction of the ITAM Program. Responsibilities include promoting the program, developing cooperation across functional areas, process management, reporting program status to executive leadership, and enlisting the help of the executive sponsor when needed.

SOFTWARE ASSET MANAGER (SAM)

The Software Asset Manager manages the software portfolio, including spending, compliance, risk, and usability. The software asset manager engages procurement to ensure proper software licensing language is included in all possible contracts. The SAM works closely with the Hardware Asset Manager because software installations and licensing requirements depend on the hardware’s configuration. SAM cannot function without HAM.

License Asset Manager (LAM)

The License Asset Manager is a specialization of Software Asset Management. The specialty is in a software publisher’s products and licensing models. This position can be challenging to fill and can be outsourced to one of several companies that offer this type of expertise. For example, keeping up with Microsoft licensing and product families is complex and can require a full-time employee. The organization must determine if this specialization is critical to its business strategy and should not be outsourced.

HARDWARE ASSET MANAGER (HAM)

The Hardware Asset Manager is responsible for managing the hardware portfolio. Hardware assets can be divided between managed assets and tracked assets. Managed hardware assets are tagged and, in the inventory, along with the asset’s attributes and related artifacts. Examples of managed hardware assets are servers and laptops. Non-managed hardware assets are tracked to meet electronic waste regulations. Examples of typical non-managed hardware assets are keyboards and mice. Because some software licenses depend on the hardware’s configuration, the HAM works closely with the SAM.

CLOUD ASSET MANAGER (CAM)

The Cloud Asset Manager is responsible for the strategy for managing cloud assets. Using that strategy, the cloud asset manager oversees the entire lifecycle of cloud assets. Significant effort occurs in understanding and, if possible, negotiating the cloud contracts during the Acquire phase and then managing the vendor throughout the cloud asset’s life.

SAAS ASSET MANAGER (SAASAM)

The Software as a Service Asset Manager is a specialist within CAM. This position is created if there is a significant number of SaaS assets or complexity of SaaS contracts and services. The complexity and effort may require assistance from a third party.

I/PAAS ASSET MANAGER (IPAASAM)

The Infrastructure/Platform as a Service Asset Manager is a specialist within CAM. This position is created if there is a significant number of IaaS or PaaS assets or complexity of I/PaaS contracts and services. The complexity and effort may require assistance from a third party.

The decision to bring in a third party to assist in managing SaaS or I/PaaS assets depends on staffing and the level of expertise the organization wants. Is developing in-house expertise for managing cloud service providers strategic, or is outsourcing a better use of resources? This decision is very similar to the strategy organizations use to bring in a third party to help manage software licenses. Regardless, if a third party is utilized, the organization must manage the third party.

MOBILE ASSET MANAGER (MAM)

The Mobile Asset Manager manages mobile assets such as phones and tablets. These asset types pose a serious risk to the organization because they can be used almost anywhere and are easily lost or stolen. These asset types typically depend on other allocated asset types, such as server licenses or cellular plans. Various support plans may be available. One example is a cellular carrier providing repair services directly to employees.

Are ITAM titles clearly defined, maintained by HR, and assigned to the ITAM staff?

Is the ITAM department staffed appropriately?

ITAM AS DATA GOVERNANCE

We define ITAM IQ as “IT Asset Management Information Quality,” where the quality of ITAM data is determined by accuracy, completeness, relevance, timeliness, and reliability. IT Asset Managers are stewards of all ITAM data driven by the ITAM Program requirements.

IT assets generate data starting when someone “thinks” they need it through and past the disposal process. The ITAM Program is incomplete without ITAM managing the asset’s entire lifecycle. Imagine the potential issues if a manufacturer could not monitor an assembly line. Errors introduced in the blind spots will only be identified further down the assembly line at best and during customer use at worst.

What reliable data does the ITAM Program have access to?

How would I rate the ITAM data by asset type (hardware, software, mobile, cloud)?

In review ….

ITAM is a discipline and a profession.
ITAM is a program, not a project, that spans the entire organization.
It is critical to define roles when designing processes and assigning them to people inside and outside the ITAM department.
Typical titles include IT Asset Manager, Software Asset Manager, Hardware Asset Manager, Cloud Asset Manager, and Mobile Asset Manager.
ITAM is data governance by collecting data from multiple sources and ensuring the information about an asset is complete and accurate.

THE ORGANIZATION STRUCTURE

Who should ITAM report to is a common question. The CIO? CFO? COO? CCO? CEO?

The offices of the CFO and CIO both have conflicts of interest. These are not the best functional areas to house the ITAM Program, yet most programs report to the CIO, with the remaining reporting to the CFO.

There can be one common drawback with any C-level executive, and that is longevity. C-level executives can come and go quickly, making it challenging to mature an ITAM Program. I worked at one business unit for twelve years and had five presidents! Each had its “same but different” way of running the company.

Perhaps the best place to house the ITAM Program is under the C-level office that consistently has the most influence. The next step is to find the executive with a strong, preferably long-term, vice president with strong support and a well-respected management organization.

But why does ITAM need this level of support? In a word, “people.” Any organization can implement a world-class ITAM Program in less than 12 months if they can just eliminate the people! All the tools, processes, and data will not make an ITAM Program successful without the support of people. And that’s where executives lead the organization in a direction everyone understands and follows. Let’s look at ITAM’s ecosystem to understand the ITAM Program's complexity better.

How much support does executive management give to the ITAM Program?

Who is the executive sponsor?

Several other professions can appear to compete with ITAM, but all are primarily focused within their vertical.

ITIL (Information Technology Infrastructure Library) defines how IT services should be designed, created, and delivered. One intent is to position IT to be more customer-focused. ITIL also addresses ITAM; however, the focus is managing IT assets currently in use and part of service delivery.

COBIT is a framework like ITIL which focuses on how IT delivers services.

FinOps (Financial-Operations) is a discipline that makes IT more cost-conscious when designing, creating, and delivering IT services. FinOps' rise to fame came with cloud and for excellent reasons. Cloud vendors define a price catalog based on their services, making tracking the organization’s consumption of IT easier.

Cybersecurity frameworks from CIS, NIST, ISO, and others provide a list of IT security controls that should be implemented by IT security. These frameworks reference ITAM as a way to maintain an accurate inventory. Unfortunately, and unintentionally ITAM is reduced to counting assets. An accurate inventory requires a single body, the ITAM department, to manage the entire asset lifecycle.

The PMO’s (Project Management Office) focus is on applying the project management discipline to IT projects. The PMO is critical to ITAM because it is where new IT asset types are introduced or changes to IT assets occur. The project manager cannot acquire and use IT assets as they see fit just because a project has received a budget. The ITAM processes must be followed.

Other disciplines also interact with ITAM, including best practices for accounting, legal, and HR. ITAM needs to engage these disciplines to implement an ITAM Program successfully.

Unfortunately, without an ITAM Program, each of these disciplines may develop an ITAM Program to suit their specific needs. The result is a costly, incomplete ITAM Program with duplication of effort and no coordination.

How aware is the organization of the ITAM Program?

What disciplines are integrated with the ITAM Program?

In review ….

Executive management support is critical to the success of the ITAM Program because ITAM requires cooperation across the organization.
Several disciplines within the organization need to participate in the ITAM Program.

< Part 1: Setting the Stage

Part 3: The ITAM Ecosystem >

ITAM Primer Part 3: The IT Asset Ecosystem

Wed, 29 Mar 2023 17:13:09 GMT

ITAM Primer - The Program Manager's Guide to IT Asset Management

Part 3: The ITAM Ecosystem

< Part 2: ITAM Definitions and Structures

Part 4: IT Asset Lifecycle Management >

“To know what you know and what you do not know, that is true knowledge.” — Confucius

THE IT ASSET ECOSYSTEM

The IT asset generates interest for just about everyone in the organization. Let's take a closer look at these special interest groups and how they impact the accuracy of the IT asset’s attributes.

THE END USER

How well are the IT standards working?

Are there well-defined roles, and do those roles drive IT standards?

Who benefits from well-defined roles?

IT ASSET ATTRIBUTES

How accurate are asset attributes for each asset type?

Do processes support keeping the asset’s attributes up to date?

VENDOR

Are IT vendors managed the same as non-IT vendors?

Is vendor feedback solicited from all who use the vendor’s products or services?

IT AND SECURITY

Does the inventory represent all asset types?

How accurate is the inventory based on the asset type?

FUNCTIONAL GROUPS

Is each of the functional groups represented in the ITAM Program?

Does ITAM work closely with the PMO?

FINANCE

Are ROI and TCO estimated pre-acquisition, updated during the asset's lifetime, and finalized at disposal?

How is chargeback, or showback, used?

LEGAL

Does legal fully understand the value ITAM provides?

Which services does legal provide?

In review ….

ITAM brings value across the organization, making it an excellent investment.
End-users benefit from the technology needed to accomplish their job assignments.
Asset attributes accurately reflect the asset. These attributes are required to support the needs of the organization.
Vendor management is critical to realizing the total value and meeting the organization’s compliance requirements.
IT and IT Security benefit significantly from ITAM’s commitment to maintaining a complete and accurate inventory through proper lifecycle management of IT assets.
Several functional groups benefit from ITAM. C-level and executives benefit from the transparency in the investment in IT. The PMO can be the beginning of new asset types or extending the functionality of existing assets. New employees are onboarded with the technology they need, and HR’s offboarding allows for the recovery of unused assets.
Finance gains transparency into IT spending, budget, ROI, and TCO.
Legal has its interests well supported and protected by ITAM’s management of IT assets that can be the source of non-compliance. Legal also provides contract support, defense, and interpretation for ITAM.

< Part 2: ITAM Definitions and Structures

Part 4: IT Asset Lifecycle Management >

ITAM Primer Part 4: IT Asset Lifecycle Management

Wed, 29 Mar 2023 17:11:34 GMT

ITAM Primer - The Program Manager's Guide to IT Asset Management

Part 4: IT Asset Lifecycle Management

< Part 3: The IT Asset Ecosystem

Part 5: Vendor Management >

“To know what you know and what you do not know, that is true knowledge.” — Confucius

IT ASSET LIFECYCLE MANAGEMENT

ACQUIRE

ITAM starts when someone thinks they need an IT asset. Ideally, ITAM is asked to match the user’s requirements with what is currently part of the IT portfolio.

The request process will take one of two paths depending on whether the request is for an asset that is part of the IT standards. If the request is for a standard asset, the Visio application for example, then the approval is based on the user’s entitlement which is driven by the user’s assigned role.

Suppose the request is for a non-standard IT asset. In that case, the request is evaluated for business value and assessed to determine its impact on the organization. It includes all parties with a vested interest, as described in the prior section, The IT Asset Ecosystem. Based on the recommendation of those parties, the appropriate individual denies or approves the request , and the asset is procured .

RECEIVE

All IT assets follow a well-defined receiving process that records the receipt after the asset passes the acceptance criteria. The receiving process applies to all assets, not just those owned by the organization, including vendor-provided assets and BYOD employee-owned assets. All assets entering the organization’s network must be recorded. IT assets not ready to be deployed immediately are stored securely. All information associated with an IT asset is stored in the ITAM repository.

DEPLOY

The deployment process is critical because the asset must be configured appropriately for the end-user, IT, and IT Security. The installation process records the asset’s location, end-user assignment, department, and cost center.

IN-USE

Bad things can happen to IT assets after they are deployed. The asset can be moved, lost, or stolen. The asset’s configuration can change. A perfect example is software. Software is constantly being updated, changing the system’s configuration. These updates can break functionality or introduce new security issues. The move , add , and change processes must accurately record changes made in the ITAM repository.

RECOVER

The purpose of the Recover phase is to recover IT assets that are no longer in use. There are several benefits to recovering assets that are no longer needed including:

The asset can be placed in inventory, making the asset available for redeployment. This increases the ROI of the asset.
The asset is secured and is not at risk of being lost, stolen, or misused.
Data stored on the asset is backed up if required and secured.
IT assets related to the asset being recovered are also recovered. For example, the recovery of a smartphone will also include the recovery of its related assets – the cellular plan and any allocated server licenses.
Finally, the recovered and related IT assets are securely stored in inventory for future redeployment. The assets’ status is updated in the ITAM repository.

DISPOSE

The final phase of an IT asset is the Dispose phase, and it is just as critical, if not more critical, than the previous phases. The phase is similar to the Recover phase, with identical Secure Data and Recover Related Assets processes. The Finance process “closes the books” on the asset, including final calculations for ROI and TCO. The asset is formally retired, meaning hardware assets are appropriately processed, and all other asset types (software, cloud, etc.) follow the disposal process defined for that asset type. A request is made to finance to determine if the asset is being depreciated. If the asset is being depreciated, then the asset is placed in secured storage for the appropriate term. All other parties, including users, IT, IT Security, and vendor management are notified the asset has been disposed.

The Disposal phase also supports the “disposal” of vendor and employee-owned IT assets. Of course, these assets are not being disposed of traditionally, but they are leaving the organization, so data must be secured and related assets recovered.

How involved is ITAM in each phase?

Which phase has the strongest ITAM presence?

Which phase has the least support from other departments?

ALL PHASES CONTRIBUTE TO TRUSTWORTHY DATA

IT asset data is collected from multiple data sets (databases), including finance (invoices, P.O., cost centers), legal (contracts), IT (service desk tickets, network assets), HR (end-users), and IT security (asset data). The data is organized in a flat structure (file) or database. For the IT Asset Manager, it is better to think of IT asset information as a network of data, and information is a path through multiple network nodes (data).

Each phase transition is a gate the IT asset passes through, providing an opportunity to verify the data collected about the asset is accurate and that the asset itself has passed through the earlier gates. This offers an excellent opportunity to identify rogue IT assets. IT assets can generate a lot of valuable information during their life. Information can include configuration changes, location changes, user reassignment, cost center changes, performance, reliability, running ROI and TCO totals, terms of use changes, warranty terms, taxation, and availability. This information is of interest to different functional areas, each with varying levels of purpose and importance. Retaining this information is why ITAM is sometimes referred to as the organization’s memory.

Which department’s data is the most trustworthy?

Which department’s data is the least trustworthy?

How much of the IT asset’s lifecycle is managed by ITAM?

In review ….

The lifecycle of an IT asset includes the phases of acquire, receive, deploy, in-use, recover, and dispose.
The lifecycle of an asset should begin with the need.
Other departments most likely own processes, but these processes may need to be altered to meet the ITAM Program’s requirements.
All phases contribute to trustworthy data.

< Part 3: The IT Asset Ecosystem

Part 5: Vendor Management >

ITAM Primer Part 5: Vendor Management

Wed, 29 Mar 2023 17:09:39 GMT

ITAM Primer - The Program Manager's Guide to IT Asset Management

Part 5: Vendor Management

< Part 4: IT Asset Lifecycle Management

Part 6: Engineering the ITAM Program >

“To know what you know and what you do not know, that is true knowledge.” — Confucius

VENDOR MANAGEMENT

Organizations depend on hundreds of vendors that comprise a supply chain of IT asset products and services. Types of vendors include manufacturers, resellers, ITAD vendors, cloud service providers, and tool vendors. Some vendors provide direct products and services to the organization, while others are part of a supply chain. For example, many organizations purchase their software through a reseller of the manufacturer’s software. A cloud service provider depends on products and services from other vendors. The vendor relationship is complicated, and the organization’s success is dependent on the vendor’s performance.

Who is managing the vendors?

Is vendor management part of the ITAM Program?

Are employees who use the vendor’s solutions solicited for performance feedback?

Do vendor contracts contain language that supports vendor management?

In review ….

IT vendors must be managed separately from other vendors to meet ITAM’s requirements.
IT vendors are ranked based on the organization’s spending, risk, and critical business dependency.

ITAM TOOLS

ELECTRONIC DISCOVER

How many discovery tools are used to validate ITAM data?

Which departments own these tools?

USAGE

Is a usage tool used to monitor application usage?

How could a usage tool be used to optimize license utilization?

METERING

What metering tools do you depend on?

How is the data used to manage license purchasing?

PHYSICAL ASSET TRACKING

Are hardware assets tagged with an ITAM unique identifier, or is the manufacturer’s identifier used?

Is the asset identifier used to link all the asset’s attributes together?

If bar codes are used, are processes automated using bar code readers and IT asset data collected?

If RFID is used, are processes automated using RFID scanners and IT asset data collected?

ITAM REPOSITORY

How would you grade the completeness and quality of the data collected from each database?

What is the plan to improve the completeness and quality of data from each database?

What percentage of quality data required to manage an asset is available by asset type? For software, by title?

In review ….

ITAM tools are critical to the program. ITAM and other departments can own these tools.
The essential tools include electronic discovery, usage, metering, physical asset tracking, and the repository.
The ITAM Repository is critical to the ITAM Program because it contains trustworthy data.
The ITAM Repository is the finance, HR, IT, ITSEC, and legal databases federation.

< Part 4: IT Asset Lifecycle Management

Part 6: Engineering the ITAM Program >

ITAM Primer Part 6: Engineering the ITAM Program

Wed, 29 Mar 2023 17:08:14 GMT

ITAM Primer - The Program Manager's Guide to IT Asset Management

Part 6: Engineering the ITAM Program

< Part 5: Vendor Management

Part 7: Conclusion >

“To know what you know and what you do not know, that is true knowledge.” — Confucius

ENGINEERING THE ITAM PROGRAM

THE ITAM PROGRAM ROADMAP

When creating a roadmap, chances are some of the items will require involvement with other departments. Is your roadmap used for educating people on the value of ITAM?

Is the roadmap influenced by IT asset types or office locations?

HOW TO START A ROADMAP

The first step in creating a roadmap is asking “where am I now?” That question is answered by creating an ITAM baseline. In the very beginning, the ITAM Program is undefined or poorly defined. Things are chaotic. Data about IT assets may be a best guess. There may be more unknowns than knowns at this stage, and both should be documented. As the program matures, the number of knowns surpasses the number of unknowns. But what should the knowns be? The first step in developing the roadmap also includes identifying the knowns in a nearly fully mature ITAM Program. This will be the goal of the ITAM Program and the direction the roadmap will take.

WHAT TO EXPECT IN THE BEGINNING OF AN ITAM PROGRAM

At the beginning of developing an ITAM Program, savings and value can be significant, and that is a good thing because it helps sell the ITAM Program to the organization. As improvements are made to the program, new baselines are conducted to measure and communicate progress. But as time passes and more improvements are made to the program, a potentially dangerous thing happens – your program becomes “boring.”

THE BORING ITAM PROGRAM

Do you report V _i and V _T ?

How complete are the baselines – are there more knowns than unknowns?

COST SAVINGS AND VALUE

Some might only be interested in cost savings, especially during a poor economy. But cost savings, or hard dollars, is not the only benefit an ITAM Program delivers. Value can sometimes be challenging to measure and not always in hard dollars. Instead, we see value as perceived or measured in soft dollars. There are many examples of value, and here are just a few.

These are just some examples of value the ITAM Program delivers that are difficult to express in dollars saved. Convincing people of this value may just be the most challenging task an IT Asset Manager faces.

Has the ITAM Program reported more hard dollars or soft dollars?

Is your organization interested in soft dollars?

Does the ITAM Program effectively communicate its progress?

SPEED OF PROGRAM DEVELOPMENT

The speed at which the ITAM Program can improve depends on several factors, the most important being the support given by the organization, especially executive management. Unfortunately, most of the time, the program must prove its worth before the support is provided. Making matters more challenging is the turnover rate at the executive level. Improving the ITAM Program is more evolution than revolution. Sometimes it can be two steps forward and one step back. The speed of change can be driven by negative events such as a failed software audit or a cyber-attack. One thing is sure – the organization will not stop doing business just to wait on an ITAM Program to be installed. However, typically the approach taken is incremental improvements driven by the roadmaps.

What governs the speed of improvements to the ITAM Program?

How could improvements happen faster? More support by executives? More staff? Better cooperation from other departments?

THE ITAM PROGRAM MATURITY

Placing a number on the maturity of the ITAM Program is not easy – trust me, I’ve been thinking about this for nearly two decades. My first experience with a maturity rating came when I was in software development. That maturity model was the CMM (Capability Maturity Model from Carnegie Mellon’s Software Engineering Institute). The CMM is an excellent maturity model I first applied to software engineering. It was the first model I tried for ITAM, ending in a big “thud” (failure). You cannot express something as complicated as ITAM using a single vector scale of 1 to 5.

How would you express the ITAM Program’s current maturity?

Can you quantify or qualify the maturity of the cooperation of other departments?

Can you quantify or qualify the management maturity by IT asset type?

In review ….

A roadmap tells how the ITAM Program will mature over three to five years.
Starting a roadmap begins by answering the question, “Where are we today?”
There may be more unknowns than knowns.
Significant savings can be realized at the beginning of establishing an ITAM Program.
A boring ITAM Program is one that just works well! It is essential to remind the organization of where the ITAM Program came from.
Everyone expects ITAM to save the organization money, but it also creates value. Value can be expressed in both hard and soft dollars.
Factors including organizational commitment and external events such as a failed software audit govern the speed of developing an ITAM Program.
The ITAM Program is too complex to express as a single number. It is also too complex to express using a single maturity model. Several maturity ratings are recommended for department cooperation, maturity by asset type, and organizational readiness.

< Part 5: Vendor Management

Part 7: Conclusion >

ITAM Primer Part 7: Conclusion

Tue, 28 Mar 2023 20:41:03 GMT

ITAM Primer - The Program Manager's Guide to IT Asset Management

Part 7: Conclusion

< Part 6: Engineering the ITAM Program

“To know what you know and what you do not know, that is true knowledge.” — Confucius

CONCLUSION

The sad reality is that ITAM still struggles to get the executive buy-in and support it deserves. The concept of a program is not new. For example, product companies have product managers who implement a program that spans multiple departments. Other asset types have executive management’s attention too. For example, airline executives know how their fleet performs daily. The executives can see the direct link between the planes as an asset and the company’s revenue and profit. So is all hope lost trying to implement an ITAM Program? I don’t think so.

IT is a very young profession, and ITAM is even younger, especially compared to other professions like doctors or accountants. People were performing operations before there was a governing body. Operations were performed before there was a clear understanding of sterilization! The same holds for accounting. People filled the role of an accountant before there was a certification, a governing body, or even a title! The ITAM community must understand the need for the marketing and sales of ITAM. ITAM is complicated for multiple reasons, including the speed by which technology changes, the number of people contributing to the program, and the tools needed for automation and data curation. Progress has been made, but we are still in the crawl phase of this profession.

The complexity of the ITAM Program includes executive management support, the number of IT asset types, the complexity of the assets, the size of the organization, the geographic locations of the organization, and the organization’s culture. But if asked, “what is the biggest challenge to implementing an ITAM Program?” the answer must be “people.” The mission of the ITAM Program cannot be expressed in a single statement but instead in a hierarchy of missions, with each one satisfying the needs of the functional areas. For example, a separate ITAM mission statement exists for finance, legal, and IT, with all missions rolling up to the top-level mission statement that describes what ITAM’s mission is for the organization.

THANK YOU

We sincerely appreciate your time and the energy you bring to the IT Asset Management profession. Please feel free to reach out to us with any comments, questions, and feedback at info@biztechunified.com .

< Part 6: Engineering the ITAM Program

Ops, Ops, Ops, and More Ops – Ooops?

Tue, 28 Feb 2023 16:15:45 GMT

Ops, Ops, Ops, and More Ops – Ooops?

DevOps, SecOps, DevSecOps, FinOps, NetOps, ITOps, and now RevOps?

I did a Google search (sorry, ChatGPT was busy) for "types of Ops" and found even more!

With all the emphasis on merging operations with another function, I have to wonder how all this is being coordinated, and are we on the brink of FillInTheBlankOps saturation? Perhaps we should just save a lot of time and combine all of them – RevDevSecNetITFinOps!

But seriously, when I look at Opsapalooza, I can't help but think of how ITAM is the glue that holds this all together. After all, one of ITAM's responsibilities is to represent the interests of all. Another way to think about it is ITAM as the umpire of a tennis match.

The umpire's responsibility is not to decide the outcome of the game but to ensure the match follows the game's rules. The governing body of tennis defines these rules. In ITAM, the umpire is an IT asset manager, and the game is between different departments, such as IT and sales. The match can also be between FinOps and SecOps. The governing body is the ITAM Program which is empowered by executive management.

ITAM spans the silos of the organization to unify business and technology in their adoption and management of IT.

Software Asset Management and ChatGPT

Mon, 13 Feb 2023 20:19:29 GMT

Software Asset Management and ChatGPT

An old technology with a fresh coat of paint has taken the world by storm, and the hype is justified this time! Well, maybe. And it is much more than a fresh coat of paint. We may be seeing an AI Renaissance, possibly meeting the expectations set decades ago where computers did everything, and a hard day of work is when you had to push three buttons. But this technology dropped seemingly out of nowhere, and the scramble has begun to understand its impact on AI and the entire technology industry. One thing is for sure, ITAM must monitor this technology to assess the organization's interest and how to prepare for its adoption. If some extreme opinions play out, this technology will disrupt more than just your IT standards. It could disrupt your entire ITAM program . Let's learn more about ChatGPT, what it currently does, and its potential impact on you, your organization, and your industry.

What is ChatGPT?

OpenAI's ChatGPT [1] is a bright shiny new object that has caught the attention of just about everyone. ChatGPT is yet another application of Artificial Intelligence (AI). Still, this time appears to have taken an enormous leap forward to produce well-thought-out and impressive answers to your questions as if a human being wrote the explanation.

So that's my description of ChatGPT, but what does ChatGPT say about itself? I asked, and here's the answer:

My question: What is ChatGPT?

ChatGPT's answer: ChatGPT is a pre-trained language model developed by OpenAI. It is a transformer-based neural network model that has been trained on a large corpus of text data to generate human-like text. The model uses deep learning techniques to understand the context and generate relevant and coherent responses to natural language inputs, making it a powerful tool for a variety of language-based tasks, including text generation, question answering, and conversation. In a conversational setting, ChatGPT can be used to build chatbots and virtual assistants that can understand and respond to user queries in a human-like manner.

That's a lot of techno-speak! But ChatGPT is gaining so much momentum that Microsoft has reportedly invested billions of dollars in OpenAI [2] . And others have taken notice, including Google [3] . Does this mean we are done writing mundane reports? Can ChatGPT write my status reports? Okay, let's be an adult for just a second. If I asked ChatGPT to write something, do I own the copyright on ChatGPT's work? That's a great question!

Who Owns the Copyright on ChatGPT Generated Content?

Let's start with this from the U.S. Copyright Office:

"Works are original when they are independently created by a human author [4] "

Uh-oh. It doesn't sound like you can claim ChatGPT's work as your own. Not unless there is a man behind a ChatGPT curtain that we are not supposed to pay attention [5] to, and then he is the copyright holder unless he transfers that right. Copyright may not be a concern if you use ChatGPT as an assistant. Next question, can you claim credit for ChatGPT generated content? Or do you have to cite ChatGPT's work? We’ll come back to this a little later.

While all of this is certainly interesting, I am sure you are asking yourself, "Why does this matter to Software Asset Managers and the ITAM program?". Let’s dive in.

How ChatGPT Impacts Software Asset Management (SAM)

For those organizations with a solid SAM program, adding a new application to the approved catalog requires investigations, reviews, negotiations, and approvals before it is accepted as part of your IT standards. But what if a new application could be accessed on company-issued technology without the ability to track it through standard methods? This raises more questions.

Is ChatGPT Used in your Organization?

How would you know if it were? ChatGPT is accessed from a web browser making discovery a bit more challenging and requiring URL monitoring. It can also be accessed through an API which means you will need to know if software developers are using the API. The question is, should ChatGPT be part of your IT standards? And for whom? Let's look at three of the main drivers behind the decision of choosing to manage ChatGPT as a cloud service asset :

Driver #1: Cost

It is free to use the ChatGPT client for now. Relying too much on ChatGPT may become costly and will need justification in the future for its use.

ChatGPT API is not free and must be paid for based on usage [6] as of this writing. The pay-as-you-go model may result in high costs.

Driver #2: Risk

How is the information you provide stored, where is it stored, and for how long? How are your identity and usage protected? Can the APIs be used maliciously?

Driver #3: Compliance

ChatGPT has terms and conditions for use. Users must be aware of these terms and conditions, and SAMs must monitor the terms for any changes that can be made without notice.

Until now, we have generalized ChatGPT's output as just content, but what kind of content can ChatGPT generate? Would you believe software?

ChatGPT Generated Software

The following is an example of code that ChatGPT generated.

My question: Write a function to sort an array of 20 integers in the C programming language

ChatGPT's answer: Here's an example of a bubble sort function to sort an array of 20 integers in ascending order in C:

The bubbleSort function takes an array arr and its size n as arguments and sorts the array in ascending order using the bubble sort algorithm.

The algorithm works by repeatedly comparing adjacent elements and swapping them if they are in the wrong order. This process is repeated until the array is fully sorted.

When it comes to code generation, OpenAI clearly warns you the code generated may not be correct or optimized for its intended purpose.

So What does all this Mean for Software Asset Management?

SAMs manage software according to the entitlements defined by copyright laws and licensing agreements. SAMs are also interested in where the software comes from to ensure the software is genuine and the software does not introduce any security risks. Publisher-generated software or organization IT-generated software can include software from other manufacturers.

As mentioned earlier, a work must be generated by a human to be awarded copyright protection. Does this mean the ChatGPT generated software is free to use? No, due to the terms of use by OpenAI and thus the challenge for SAMs. A SAM's organization should not use software that violates the rights as set by copyright law and the licensing agreement. The use of ChatGPT generated software can easily create a similar non-compliance risk.

Perhaps you are thinking right now, oh yay, more complexity. Thanks, Keith! Regardless, I found this exercise very impressive, even if it were for a simple algorithm. So is the hype justified, and has AI taken the next giant leap? Has Skynet [7] been made self-aware?

Is the Hype About ChatGPT Warranted?

Gartner has documented the hype cycle [8] because we have all seen the hype when a new technology is introduced. At some point, the hype subsides, and the latest technology reveals its true capabilities; the market moves on to the next biggest thing, or the market begins to adopt the technology, but this time with a clear vision of what the technology can do.

Companies are investing heavily in AI solutions for numerous markets, such as healthcare, life sciences, and cyber security. While the predictions are that ChatGPT will replace Google search, programmers, writers, and even Software Asset Managers, it is highly doubtful given what ChatGPT is – a tool to help humans work more effectively and efficiently. With that said, I asked ChatGPT the following questions.

My question: What is IT Asset Management?

ChatGPT's answer: IT asset management is the process of tracking, maintaining, updating, and disposing of an organization's hardware, software, and other technology assets. The goal of IT asset management is to optimize the value, cost, and risk of an organization's technology assets. This includes ensuring that the organization's technology assets are used in an effective and efficient manner, that they are secure, that they are compliant with legal and regulatory requirements, and that they are disposed of properly at the end of their life cycle.

IT asset management typically involves activities such as tracking the inventory of hardware and software assets, managing software licenses, monitoring the use and performance of assets, and tracking changes in technology assets over time. It also involves making decisions about the acquisition, deployment, and disposal of technology assets based on the organization's goals, budget, and resource constraints.

Not a wrong definition of ITAM, but it lacks acknowledging ITAM is a program that is a horizontal function, crossing the entire organization. Now let's look at the next question.

My question: What is Software Asset Management?

ChatGPT's answer: Software Asset Management (SAM) is the process of managing, organizing, and maintaining an organization's software assets throughout their lifecycle. This includes software licensing, deployment, usage, and retirement. The goal of SAM is to optimize the value of software assets while minimizing the risks and costs associated with their use.

SAM involves maintaining an accurate and up-to-date inventory of all software assets, including information about their licenses, usage, and expiration dates. This information is used to ensure compliance with licensing agreements and to avoid the potential consequences of using unlicensed software. SAM also includes processes for the efficient deployment and distribution of software, as well as tracking usage and retiring software that is no longer needed.

Overall, SAM helps organizations to better manage their software assets, reduce costs, minimize risks, and ensure compliance with licensing and other legal requirements. It is a critical aspect of IT management and should be integrated into the overall IT strategy and governance of an organization.

Again, this is an excellent definition but is missing some critical points. One point is the importance of acquiring software where those organizations with buying power can negotiate the terms and conditions of the software license. Another point is an accurate software inventory is required for patch management and cyber security.

These two examples demonstrate the surprising results that ChatGPT can generate but also its shortcomings. What should concern SAMs is if people use these definitions within your organization to understand what you do. That is not ChatGPT's job; it's your job.

Conclusion

The hype surrounding ChatGPT may be justified, if not for ChatGPT, but for AI in general. The immediate impact for SAMs is to monitor their organization's adoption of AI, use of rogue AI software, and any changes to IT's roadmap to include AI.

Additionally, SAMs must assess the current and ongoing risks of using ChatGPT. These risks include:

Ignoring OpenAI's terms and conditions
The organization assumes they own the intellectual property of ChatGPT generated content
Becoming dependent on a free service with no expectation of future pricing changes
Finally, what are the potential security risks of using ChatGPT, if any?

We may be witnessing a historical event in technology similar to the cloud, the iPhone, and the world wide web. The Software Asset Manager must monitor emerging AI solutions and if your organization will use them. So much of SAM may appear to be managing what is currently being used, however, being proactive before new technology is adopted pays dividends once that technology ends up on your network.

Meet with your IT department, your IT cyber security department, and your business leaders who see IT not as a necessary evil but as a competitive advantage and get ahead of the game.

Footnotes

[1] https://openai.com

[2] https://www.cnbc.com/2023/01/23/microsoft-announces-multibillion-dollar-investment-in-chatgpt-maker-openai.html

[3] https://blog.google/technology/ai/bard-google-ai-search-updates/

[4] https://www.copyright.gov/what-is-copyright/

[5] A reference to the movie “The Wizard of Oz” - https://www.youtube.com/watch?v=NZR64EF3OpA

[6] https://openai.com/api/pricing/

[7] https://en.wikipedia.org/wiki/Skynet_(Terminator)

[8] https://www.gartner.com/en/research/methodologies/gartner-hype-cycle?utm_source=google&utm_medium=cpc&utm_campaign=GTR_NA_2022_GTR_CPC_SEM1_BRANDCAMPAIGNMQ&utm_adgroup=141653137818&utm_term=hype%20cycles&ad=618363632093&matchtype=e&gclid=CjwKCAiA0JKfBhBIEiwAPhZXD2zx5k_-OEfL23dhLRw6W1yRFit4T7BREKRDiMf89ey8N8gwu3O4wBoCl7IQAvD_BwE

FREE COURSE: ITAM in a Down Economy

Tue, 31 Jan 2023 20:12:02 GMT

IT Asset Management in a Down Economy - Surviving and Thriving

Free IT Asset Management (ITAM) Course

Yes! Please send me the free course, ITAM in a Down Economoy!

An economic downturn is a stressful and hectic time for an organization. For IT Asset Management, it could be a time when you find out how well your program works. It may also be when you find out how much your ITAM program is valued by executive management.

An organization’s typical response to an economic downturn is downsizing, thus resulting in some number of IT assets no longer in use.

How should an organization process these unused assets?
Will cuts in IT’s budget follow the downsizing?
When might the organization return to pre-downsizing headcount?
Is your ITAM program and staff prepared to help?
Is your ITAM staff at risk of being downsized too?

This FREE ITAM training addresses these issues and more.

What's included:

Instructor narrated workshop presentation
IT Asset Management in a Down Economy - Surviving and Thriving White Paper
ITAM Readiness Assessment

If you have concerns about your organization’s financial health or want to validate your program’s readiness, this workshop is a must-see.

Uh, oh! Is Your ITAM Program Ready for 2023?

183:844946220 (Keith Rupnik) — Fri, 06 Jan 2023 14:28:57 GMT

Uh, oh! Is Your ITAM Program Ready for 2023?

According to the “Survey Summary, State of IT 2023 Survey | July 2022 A Survey Summary[1]” by Aberdeen Strategy & Research, some challenges may be ahead for IT Asset Managers and their program. Let’s take a look at a few of those challenges:

“Top Challenges Expected in 2023”

“Supply chain disruptions/issues”

“Increases in product costs”

“Shipping delays or logistical disruptions”

“Limited product availability”

“Chip shortages”

Vendor management has always been part of the ITAM program. If you have not implemented vendor management, now is the time to do so.

To start, you should have already ranked your vendors based on the following criteria:

Dependency – how dependent is your business operations on the vendor?
Risk – What are the consequences to your business if the vendor fails? Examples of failures include going out of business or reducing the product and service offerings.
Spend

Next, regular meetings should be held with your top vendors. The frequency and length of these meetings will depend on the value provided by the vendors identified in the vendor ranking process.

Your vendors should be able to address all of the above challenges. This is why it is so vital you negotiate value and not just price with your vendors. Your key vendors should be your partner, not a discount store.

Plan on meeting with your key vendors sooner rather than later and perhaps more often during these unpredictable times.

“Top 3 Actions Taken to Prepare for a Recession”

“Reducing non-essential spending: 43%”

Drag your ITAM program up to a mirror. It’s time to take a good look. Is your ITAM program considered essential? Non-essential? Somewhere in between? Either way, it’s time to review and refresh your program’s marketing and sales (yes, sales) efforts.

Will your tech refresh schedule be at risk? This decision could be made for you if there are supply chain issues. But many organizations may face a tech refresh disruption because of the pandemic and work from home.

“Re-evaluating vendors / contracts: 30%”

Do you know which vendors you spend the most with?

Can you break down that spending into its respective products and services?

Can you identify how dependent your organization is on each vendor?

Do you know the location of the contracts?

Do you know which contracts are coming due and what value you can get from the negotiations?

Re-evaluating vendors implies you have a baseline. You do not want to be evaluating vendors based on the vendor's value at present or based on a short term goal. Furthermore, you can not necessarily depend on a vendor management department that manages all vendors to the lowest common denominator.

“Decommissioning unnecessary infrastructure or devices: 29%

Can you identify assets that should be decommissioned? Decommissioning an asset based on cost is not the correct approach and can cause collateral damage.

These are just some of the topics addressed in this article, and it would serve you well to read it. There are still many unknowns when it comes to the global economy. The continuing issues with managing cloud assets and the ever-increasing security threats compound the economic challenges. ITAM is meant to keep its eye on all these factors because a challenge in one area often impacts another. Get prepared now because sometimes perceptions become reality.

[1] https:/ /swzd.com/resources/access-state-of-it-2023-tech-buyer-trends/

What is Cloud Asset Management?

183:844946220 (Keith Rupnik) — Wed, 30 Nov 2022 15:10:25 GMT

What is Cloud Asset Management?

Cloud Asset Management (CAM) is the latest ITAM discipline requiring a different approach to managing this new asset type.

While it may be perceived that SAM or FinOps is all that is needed to manage cloud assets, there is a hidden challenge that is only known by a sub-discipline of HAM!

The Challenges of Managing Cloud Assets

Transparency

Cloud services are the outsourcing of an organization's IT operations. Outsourcing means the transparency in IT operations has been sacrificed and is now hidden behind the cloud service provider's (CSP) walls. The organization directly depends on what information the vendor provides to manage the assets.

Complexity

Managing organization-owned IT assets was challenging, but did the cloud make it easier? Or did adopting the cloud swap one complexity for another? SaaS may be the least complex compared to PaaS and IaaS, but the CSPs now have more control over pricing and add-ons. Furthermore, the CSP can move functionality around and package functionality to suit the CSP's revenue and profit goals. The configuration cost may be assumed or unknown until the invoice arrives. The solution to managing complexity is to control change through the process, standards, knowledge, and contractual language.

Cost

Managing runaway costs is well publicized, with FinOps being touted as a viable solution. FinOps is as valuable to the ITAM program as IT and cyber security. But just like security, where we can't secure what we don't know we have, the same can be said for FinOps. IT's budget is distributed to other departments, and shadow IT continues to be challenging. While FinOps should be proactive, the lack of an IT asset acquisition gate limits FinOps to a reactionary tool.

While the costs of cloud services are a valid concern, the price point may be a more significant challenge to the organization. Cloud services can be perceived as low-cost and easy to configure and deploy. This perception has attracted departments and business units to obtain part of IT's budget to fund their own IT initiatives, possibly without the oversight that IT can provide. This shadow-like IT demands ITAM manage all IT assets, not just the assets used by IT. While ITAM should have always been involved in managing assets outside of IT, the cloud has created a tipping point.

The Cloud Asset Manager must expand the ITAM umbrella so that all IT asset owners, including budget transparency and discipline, fall under its protection.

Corporate Governance

Let's face it; corporate governance has always been a challenge. But now, with cyber-attacks being a constant threat, corporate governance is even more at risk, and the board has taken notice. The organization's governance requirements are now in the hands of a third party – the cloud service provider. Corporate governance requires transparency in IT operations, which remains for the cloud service provider. A robust vendor management program is needed, which is part of the Cloud Asset Manager's responsibilities.

The Benefits of Cloud Asset Management

Operational Transparency

IT operations that used to be executed by the organization's employees are now performed by a third party, the CSP. The CSP must directly provide the transparency provided by the IT department. The Cloud Asset Manager represents the interests of all parties that require that same level of transparency from the IT department, including finance, legal, and cyber security.

Vendor Compliance

If software compliance is adhering to the terms and conditions of the license, then vendor compliance can be defined as adhering to the terms and conditions of the cloud contract. The Cloud Asset Manager assists in creating the contract and then manages the vendor to the agreement based on the CSP's performance and user feedback.

In-house Expertise

When HIPAA and the GDPR became law, in-house expertise, knowledge, and awareness were required to meet corporate governance requirements. The cloud asset is unlike any other IT asset and requires well-trained Cloud Asset Managers to protect the investment in cloud services and the organization's reputation.

The Features of Cloud Asset Management

Contracts

The contract is essential to managing cloud assets. The contract is used to manage the CSP's service and product performance and to provide the necessary transparency into the CSP's IT operations. The agreement represents the interests of finance, cyber security, legal, and the users. This emphasis on vendor compliance is quite different from any other IT asset management sub-discipline, except for ITAD and, to a lesser degree, leasing companies.

Data curation

Because of the loss of transparency in IT operations, the organization must depend on the information the CSP can provide. Ideally, this information is detailed in the cloud contract. The information can be delivered from the CSP as raw data or reports. Regardless of how the data is provided, someone needs to curate it into meaningful information for different audiences like IT, cyber security, and finance. Furthermore, the data becomes part of the ITAM repository for retention requirements and quality purposes. ITAM's repository avoids the hoarding of information and duplicate curation of data by each department, with the added benefit of providing broader and deeper views of the data.

Maximize Value

ITAM maximizes the value while minimizing the risk of using IT assets. The Cloud Asset Management sub-discipline of ITAM ensures the organization's investment in cloud services results in greater value for the organization, its customers, and its shareholders. Cloud services and the outsourcing of IT operations should be about more than just saving money. The investment should also be about obtaining best-in-class operations and freeing up IT resources to deliver more excellent business value.

Common Questions

How is ITAD like Cloud Asset Management?

In many countries, the disposal of electronic waste is a shared responsibility between the organization and the ITAD vendor. The HAM must vet the vendor and monitor the vendor's performance throughout the contract term.

How is SAM like Cloud Asset Management?

SAM relies on the contract, the software license, to manage the compliance requirements and entitlements of the software. A poorly written license agreement makes managing compliance more difficult. The same is valid for cloud assets. SAM also monitors compliance and cost usage, similar to managing cloud assets.

How is SAM not like Cloud Asset Management?

SAM's primary focus is managing a product, whereas CAM's primary focus is managing a service and a product delivered as a service. The emphasis on managing a service means managing the service provider throughout the lifecycle of the service asset. While vendor management should be part of the SAM program, vendor management usually occurs during the acquisition of the software asset. Even when there are services that accompany the software, the effort to manage the vendor typically falls short of what is required.

Why is FinOps not enough for managing cloud assets?

FinOps represents only one particular interest in the cloud asset, just as cyber security is another special interest. And, like cyber security, how do you monitor cloud spending if you do not have an accurate IT asset inventory? CAM manages the entire lifecycle of the cloud asset and beyond, starting with the need. CAM ensures that FinOps is involved in all phases of the cloud asset's lifecycle, just as it does for IT, cyber security, legal, and the end users. In short, CAM makes FinOps better.

Why do you need Cloud Asset Management or any type of asset management for cloud assets?

First, one may think while you outsourced IT operations, you also outsourced ITAM, but the opposite is true. Your organization has inherited another ITAM program to manage – the CSP's. Second, cloud services are ubiquitous as smartphones allowing anyone to use them. Easy access and use create significant organizational challenges regarding spending, value, governance, and cyber security. ITAM has always been a horizontal function and a core competency. Cloud Asset Management requires a professional department that can fill the gap between technology and the business.

What makes ITAM IQ's Cloud Asset Management certification courses the best choice for learning how to manage cloud assets?

ITAM IQ's training covers the entire lifecycle of the cloud asset and provides practical knowledge for managing cloud assets. The courses are not theoretical; rather they address:

The key cloud management activities in every phase of the cloud asset's lifecycle
How to compare and contrast cloud asset management versus other asset types
How to communicate the value of CAM to the organization, including IT and IT cyber security
How to identify what should be expected from your cloud service providers and how to manage the vendor

Students leave the class with breadth and depth of knowledge of managing cloud assets that can be immediately applied to their organization's ITAM program.

Schedule a call with us to discuss more about this new discipline and check out our video below on Why Cloud Asset Management .

Faster isn't always better. Is it time for a cloud speed limit?

183:844946220 (Keith Rupnik) — Mon, 14 Nov 2022 17:00:42 GMT

Faster isn't always better. Is it time for a cloud speed limit?

Cloud Speed Limit = Pain Relief for Cyber Security and the Organization

Several interesting points are made in the article "Amazon, Microsoft Cloud Leaks Highlight Lingering Misconfiguration Issues." I can't help but think about how IT asset management can help alleviate some of the pain caused by cloud assets not being adequately managed.

"A string of household names lately have been responsible for misconfigured cloud storage buckets overflowing with wide-open data – once again shining a light on a cybersecurity problem for which there seemingly is no plug."

Is it reasonable to expect cybersecurity to know about every asset? No. Why? An accurate IT asset inventory is only possible when the entire asset lifecycle is managed. IT asset lifecycle management is orchestrating the collection and validation of data from the activities involved in the request, evaluation, approval, receiving, deployment, monitoring, and disposal of IT assets. There is a "plug," and the "plug" is Cloud Asset Management . Is the Cloud Asset Manager directly responsible for plugging the holes? No. That responsibility rests with the appropriate role of an IT administrator. The Cloud Asset Manager's responsibility is to ensure the proper, accurate data is captured to monitor operations.

"And indeed, the [data] leaks are caused by a variety of misconfigurations rather than any bugs …"

I believe there is a bug, and it is in the processes or the design of the software. The organization requires insight into the cloud service provider's operations. IT standards exist for many reasons, and one reason is an attempt to reduce complexity through well-defined configurations. An IT standard for a laptop defines the laptop's configuration. The same can be applied to cloud components. But cloud components are not only configured by the organization's staff; the cloud service provider also configures them. Therefore, vendor management is critical for cloud assets. Cloud Asset Management embraces vendor management and all tasks necessary to evaluate vendor compliance.

"Overall, 81% of organizations have experienced a security incident related to their cloud services over the past 12 months, with almost half (45%) suffering at least four incidents, according to Venafi."

One benefit of cloud services is the speed of deploying assets. But this benefit is a double edge sword. With speed comes the possibility of more mistakes. Isn't it time for a speed limit? Cloud Asset Management designs speed bumps with the buy-in from those driving over the speed bumps and, of course, speed monitoring. I started my career as a software engineer, and no software engineer wants to be burdened by meaningless processes. This perspective is why the Cloud Asset Manager must work closely with the cloud engineers to educate them on the purpose and value speed bumps bring to the organization. The security of cloud assets cannot rest solely with the cyber security team, nor should it.

"The increase in complexity of cloud-based and hybrid infrastructure, along with a lack of visibility into that infrastructure, has caused the increase in incidents …"

The lack of visibility is because the IT assets exist behind someone else's wall. When our assets were in our data center, we relied on our tools and processes. Cloud Asset Management establishes contractual agreements by the vendor to gain transparency into the vendor's cloud operations. Cloud complexity will only increase as technology advances, delivering more functionality and, thus, more sophistication. Complexity will only increase with the adoption of IoT and the fog layer.

"Yes, misconfigured cloud storage is one of the primary reasons for data leaks — I do believe that this is a trend …"

Cloud Asset Management brings IT standards that must apply to cloud storage configurations. An IT standard for a server has a well-defined configuration, and any request outside that configuration requires approval. Cloud Asset Managers work with IT to design the most efficient approval process and to capture configuration data. Without tools, one has to rely on other methods to obtain information. These methods include acquiring information from cloud service providers.

"Shadow" data — stored in cloned databases test environments, unmanaged backups, and data analysis pipelines — is the main threat …"

Someday, "shadow IT" may just become "IT." Why? Because cloud assets are quickly and cheaply acquired. Cloud Asset Management broadens its reach beyond IT and engages with departments and business units. Just because the IT department can easily be bypassed does not mean the organization's liabilities can be. Cloud technologies further decentralize IT with executive management's permission by distributing IT's budget to other departments and business units. While one can debate the wisdom behind decentralizing IT, one cannot debate the liability risk of using technology. And that is why Cloud Asset Management must provide its services to anyone using cloud services.

"Principle of least privilege must be adopted for every aspect of the data"

Cloud Asset Management defines the end-user roles to understand what technology is required by that role and what data access that role requires. Roles will also determine the type of IT, ITAM, and cyber security training required. Defining end-user roles has always been an ITAM best practice. Roles define the technology needed to set IT standards. Cloud end-user roles cover a wide range from the casual computer user to the technology specialist. Role definitions for technical people are critical because of the complexity of cloud services and the ease of configuration.

Conclusion

Cloud Asset Management brings you accurate inventory and vendor management. An accurate inventory is not only a requirement for cyber security but also ITAM, FinOps, compliance, and the service desk. For an inventory to be accurate, it must be continuously updated as the state of assets changes. These updates require lifecycle management of cloud assets, starting with "I think I need it" through and past disposal.

Article title:

Amazon, Microsoft Cloud Leaks Highlight Lingering Misconfiguration Issues

Author:

Robert Lemos

Source:

DarkReading

URL:

https://www.darkreading.com/cloud/amazon-microsoft-cloud-leaks-highlight-lingering-misconfiguration-issues?_mc=NL_DR_EDT_DR_daily_20221111&cid=NL_DR_EDT_DR_daily_20221111&sp_aid=113666&elq_cid=5848999&sp_eh=607a148faf4b9c531b825cf5a7197561e6ea9b436b7f08895d8efb634e89d3fc&sp_eh=607a148faf4b9c531b825cf5a7197561e6ea9b436b7f08895d8efb634e89d3fc&utm_source=eloqua&utm_medium=email&utm_campaign=DR_NL_Dark%20Reading%20Daily_11.11.22&sp_cid=46713&utm_content=DR_NL_Dark%20Reading%20Daily_11.11.22

Cyber Security is Still Missing IT Asset Management

183:844946220 (Keith Rupnik) — Thu, 20 Oct 2022 16:57:17 GMT

Cyber Security is Still Missing IT Asset Management

The attack surface proves to be unmanageable without ITAM

A treasure trove of information for IT cyber security and asset managers can be found in “ Trend Micro 2022 Midyear Cybersecurity Report ”. Excerpts from this report appear in red .

The Attack Surface is Porous

According to NIST, the attack surface is defined as “The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.”

“73% of IT security decision makers are concerned about the digital attack surface”

“43% argue that the attack surface is spiraling out of control”

“37% describe the attack surface as constantly evolving and messy”

What is the attack surface, and how can we manage it? The attack surface should reflect the IT asset inventory. An inventory includes corporate-owned, employee-owned, and vendor-owned assets. The challenge is keeping that inventory accurate. The solution is monitoring the changes made to the assets in near real-time. At the foundation is IMACD, or Install, Move, Add, Change, and Dispose. But IMACD efficiency depends upon upstream processes, policies, and standards.

Critical upstream processes include acquisition, receiving, and acceptance. IT standards drive the acquisition process. Policies require all corporate-owned assets are acquired through this process.

Corporate-owned, employee-owned, and vendor-owned must also adhere to the receiving and acceptance processes. A standard for prohibitive assets is applied to employee and vendor-owned assets. The asset appears in the IT asset inventory upon acceptance. Once again, policy requires all assets to follow the receiving and acceptance process.

The acquisition, receiving, and acceptance processes should be designed based on the information captured by the processes and not require a centralization based on location. For example, you most likely do not want to demand that all assets be received in one physical location only to be shipped to another country.

Furthermore, each of these processes is backed by policy. Any asset that does not follow these policies is considered a rogue asset and is reported to executive management.

At the backend of IMACD is Disposal. Disposal is not just a hardware asset process. Any asset type can be disposed, and many organizations have effective disposal processes for corporate-owned hardware assets. Organizations fail to formally dispose of software assets, cloud services, and employee-owned and vendor-owned assets. A policy dictates that all assets that are retired or leave the organization permanently must follow the Disposal process.

Policies must be easy to understand and communicated frequently. Executive management must support these policies. Exceptions to the policy must be few and far between. However, in the real world, you have executives, doctors, scientists, and other specialized professionals that may feel they are exempt from these policies. It is best to monitor their assets frequently through automation tools and physical inventory.

“32% responded that they have the least insight into their end-user assets”

“Another 32% cited that they have limited visibility into the areas that are at risk”

“IT security decision-makers name cloud assets, networks, and end-user assets as the top

three areas where they have the least security insights into”

An accurate inventory reflects the data captured before, during, and after an IT asset’s lifetime. It is perhaps easy to identify where data about an asset can be captured. What is more difficult is determining what to capture. Is the data of value? Is the data available to be captured now, or will it be in the future as the ITAM program matures? Is the data incomplete? Can we trust the data? Is the data’s trustworthiness based on the asset type or the tool gathering the data? If we are collecting data to be provided to someone in the organization, then we want the information based on the data to be accurate. But who is that someone? This article is focused on the cyber security audience. However, ITAM brings value across the organization. A significant failure would be to collect data for just one audience. Chances are substantial the data required by one audience is produced by another. IT asset data should not be viewed with blinders on. ITAM value is delivered to the “many” at a cost distributed to that “many.”

“For example, the cloud’s ability to swiftly deploy assets and services helps organizations be more efficient; however, it can also prevent them from having full visibility over deployed assets.”

“37% of the organizations also claimed to have the least insight into cloud assets”

You may be tempted to say this about the cloud asset type – same, but different. From a thousand feet, this might be true. But as you get closer to the ground, this assumption can’t be more untrue. Assets managed by your IT department are now managed by a vendor. Cloud services can be adopted without the assistance of IT and cybersecurity. The services are cheap, easy to acquire, and easy to use. More complicated services, those used by the IT staff, are easy to acquire, install, use, and forget. Executives are distracted by the increasing cost of the cloud, and rightfully so, but at the expense of what? Cyber security, for one. Cloud Asset Management is the newest sub-discipline of ITAM and must be implemented to meet cyber security’s requirements.

“While containers can provide organizations an increase in the speed and efficiency of their development cycles, failure to implement proper security controls could result in compromise at various stages of the pipeline, from hijacked repositories to the exploitation of weaknesses in specific components of the container software.”

which has led to

“Misconfigured container software remains a significant issue for many organizations.”

“53% of the respondents detected a misconfiguration in their container and/or Kubernetes deployment.”

There was great emphasis placed on speed when I was a software engineer. The reasons were time-to-market, competitive advantage or closing the gap, and revenue. What was not clearly understood was the cost of speed. That cost could include the time to fix what was broken or re-design what was not designed well in the first place. Speed can be an illusion, which is what IT and cyber security are dealing with now.

ITAM introduces speed bumps or, in process terms, gates that require criteria to meet to proceed. These speed bumps do not have to be catastrophic to your project schedule. These speed bumps are designed to introduce controls that ITAM and cyber security will benefit from while increasing security and reducing re-work.

Cyber security initiatives will continue to struggle and fail until organizations implement a complete ITAM program. Unfortunately, an ITAM program is not a short project. After all, the ITAM program has been neglected for years, and many bad habits need to be broken and replaced with a disciplined approach. While some may be betting on tools and AI to secure their data, the bad actors are also adopting tools and AI in response. You can’t secure what you don’t know you have.

“To know what you know and what you do not know, that is true knowledge.”

— Confucius

ITAM IQ offers a self-paced workshop mapping

ITAM to cyber security controls.

ITAM IQ offers a world-class instructor-led certification course in

Cloud Asset Management.

WHITE PAPER: The ITAM Value Ecosystem

183:844946220 (Keith Rupnik) — Wed, 27 Apr 2022 20:37:51 GMT

WHITE PAPER: The ITAM Value Ecosystem

The Reality of ITAM Value Across the Organization

Yes! Please send me the free white paper, ITAM Value Ecosystem.

If you ask anyone what IT Asset Management is, you will probably get a different answer each time. Most of the definitions of benefactors, practitioners, and consultants are based on personal experiences and implementations. Are their definitions wrong? Not necessarily! It is their perspective that has value when selling the need for ITAM . In this paper, we discuss the benefits of ITAM when ITAM is viewed as an ecosystem and not just a special interest.

Learn how ITAM benefits every aspect of the organization.

How ITAM Could Have Stopped a $40M Heist at Yale University

183:844946220 (Keith Rupnik) — Tue, 12 Apr 2022 00:22:24 GMT

How ITAM Could Have Stopped a $40M Heist at Yale University

Transparency Through A Centralized ITAM Program

Beginning around 2013, the director and administrator of Yale's Department of Emergency Medicine started a scheme that lasted almost ten years at a loss of approximately 40 million US dollars (Diaz, 2022). The director had purchase approval of up to ten thousand US dollars. When needed, she would break up the purchases into multiple orders. The director would order computers (laptops, iPads, etc.) and have them shipped to a third party. The director would be paid after the third party sold the assets. The director dodged questions about the orders until an anonymous individual provided a tip after discovering large orders and witnessing the director placing assets in her car. This tip resulted in an audit that exposed operation.

University ITAM Programs

Implementing an ITAM program is a bit more challenging for universities. First, there are three divisions: the student body, professors (and their research), and business operations. On top of these divisions are multiple colleges, such as the college of arts and sciences, the college of business, the college of engineering, and more. Each college may be autonomous in its business operations. The decentralization and different end-user requirements make for a more complicated ITAM program when compared to other industries.

How ITAM Would Have Saved Yale Millions of Dollars

Within two years, a centralized ITAM program would have prevented or stopped this theft.

Monitoring IT Purchases

The ITAM program monitors purchases, and not just purchases that follow policy. A rogue purchase may look legitimate or hidden using a corporate credit card or on an expense report. A valid purchase has a request and approval associated with it. The Yale purchases would have lacked a request from a stakeholder – an end-user, department, or project.

Receiving, Acceptance, and the ITAM Repository

ITAM monitors purchases in anticipation of receiving assets. This monitoring aids in scheduling people to process the receipt of the purchased assets. Furthermore, it is best practice for vendors to upload the list of new inventories into the ITAM repository in anticipation of receiving, deploying, and warranty. The receiving and acceptance process is another gate for the ITAM program. When the asset is received, it goes through an acceptance process to verify the asset was ordered and delivered as purchased, tagged if required, placed into inventory, and the stakeholder is informed of the receipt of the asset.

A "late or missing arrival" report would have flagged these assets as not being received. This report would have led ITAM to contact the vendor to investigate why the assets haven't been received. It would have been discovered that the assets were shipped to a third party.

Invoice Reconciliation

An invoice is only approved if the charged amount is correct, the asset was received and accepted, and configured as purchased. The invoice reconciliation process uses vendor purchase reports to identify missing invoices.

Physical Inventory

Physical inventory is used to validate the assets in the ITAM repository and is also used to increase the accuracy of the fixed asset database. Physical inventory is scheduled based on asset type. For example, desktops and laptops should be inventoried at least every two years. Physical inventories are an effective tool to find off-network assets and lost or stolen assets.

Conclusion

A centralized ITAM program would have greatly limited Yale's loss as long as there was a record of purchasing the IT assets. One of the ITAM program's responsibilities is spending transparency. This transparency is accomplished by centralizing ITAM processes that generate accurate IT asset data.

The IT ecosystem consists of multiple moving parts, which are functional areas such as IT, IT service desk, IT security, finance, compliance legal, business units, project management office, and executives. The ITAM program's responsibility is to unify each part's interests into a single, cohesive approach to maximizing the value of the organization's investment and use of technology. This responsibility includes stopping an employee from theft.

Diaz, J. D. (2022, March 29). A former Yale employee admits she stole $40 million in electronics from the university. NPR. https://choice.npr.org/index.html?origin=https://www.npr.org/2022/03/29/1089525660/a-former-yale-employee-admits-she-stole-40-million-in-electronics-from-the-unive

Cloud Tagging for IT Asset Management

183:844946220 (Keith Rupnik) — Wed, 02 Mar 2022 20:04:58 GMT

Cloud Tagging for IT Asset Management

Cloud Tagging

Is it an IT Asset Management Function?

Cloud tags are a highly effective tool for managing cloud assets in AWS, Azure, and other cloud services. The cloud tag is metadata (data about data), user-defined, and a key/value pair. Examples of a cloud tag are Environment / Production or Department / Finance.

What can you do with cloud tags? Anything you want! And therein lies the problem. Most companies and articles describe using cloud tags to track usage and chargebacks. But there is significantly more value that can be realized if you develop an ITAM cloud tagging strategy.

An ITAM cloud tagging strategy represents the interests of multiple departments. Interested parties go beyond finance and include IT, IT security, project management, compliance, and the departments who are charged for their use of cloud resources. For this reason, the cloud tagging strategy, not necessarily the implementation, should be owned by ITAM.

Creating a cloud tagging strategy is very similar to creating IT standards:

Create a cloud asset tagging standards committee that includes a representative from each department
Develop naming standards
Identify the needs of each party and define the tags. For example, IT security may wish to tag resources that access confidential data.
Identify the tools that need to support cloud tags and any gaps in that support
Design the reports that are generated from the tag data
Identify who applies the tags, when the tags are applied, and how the tags are applied
Determine how tagging is monitored to ensure all cloud assets are tagged
Develop a training program for those who are assigned the tagging role
Define a process for reviewing and normalizing tag names
Schedule reoccurring reviews of the tag names, the value and accuracy of the reports, and tagging compliance

Cloud tags require a successful ITAM program like any other IT asset tags.

But keep in mind the cloud tag is just one of many capabilities in an ITAM program. The entire cloud asset’s lifecycle must be managed to have a successful cloud asset management program. A cloud tagging strategy is a great place to start.

Would you like to learn more about managing cloud assets? Then please check out our Cloud Asset Management courses below!

Why SaaS Asset Management for Software Asset Managers?

183:844946220 (Keith Rupnik) — Tue, 11 Jan 2022 17:06:08 GMT

Why SaaS Asset Management for Software Asset Managers?

Managing SaaS Assets as a Software Asset Manager

Historically, the software asset manager, or SAM, focused on managing software for compliance and cost control. In a perfect world, the SAM would negotiate the software license to clarify the compliance requirements making it easier to manage and avoid a non-compliance event. Cost controls are accomplished by managing the software inventory.

The skills of a software asset manager align well with managing SaaS assets; however, these skills are just a subset of what is required. Here are just three of the top challenges SAMs face when managing SaaS assets:

Access

SaaS assets are easy to access by anyone, can be low cost, and can run on multiple platforms. On the other hand, software usually requires admin privileges to install and is easier to discover electronically.

Contract

Like the software license, the contract determines how easy it is to manage SaaS assets. But more importantly, the SaaS contract provides the necessary insight into the vendor’s operations that replaced the on-premises operations so that the SAM can manage performance, compliance, risk, and cost.

Vendor

The SAM’s organization directly manages performance, compliance, risk, and cost within the IT department. Now, these four business drivers are in the hands of the vendor. This is perhaps the most significant difference between SAM and SaaS Asset Management (SaaSAM). Furthermore, most of the time a SAM spends with the vendor is during the license negotiation, unlike the SaaS Asset Manager, which needs to manage the vendor throughout the lifecycle of the SaaS asset.

The Definitive Guide to SaaS Asset Management

This specialized ITAM certification course addresses these differences (and more) and provides practical solutions to managing this “same, but different” IT asset. With the adoption of the cloud, organizations can ill afford to ignore the opportunity to maximize the value of their investment in SaaS while simultaneously managing cost, risk, productivity, and compliance.

For more information on our specialized SaaS IT asset management certification course, please visit SaaS Asset Management Training and Certification .

SaaS Asset Management Worksheet

Stimulate ideas on managing your SaaS assets with the help of our free worksheet. You'll not only learn what you need to manage SaaS better using proven industry best practices, but you'll also learn which assets currently in your portfolio are in use (or not) and which are necessary (or not), leading to maximum cost savings.

Click here to get your free SaaS Asset Management Worksheet

A Conversation With Myself About Cloud Service Providers

183:844946220 (Keith Rupnik) — Mon, 12 Jul 2021 00:39:52 GMT

A Conversation With Myself About Cloud Service Providers

By Keith Rupnik

Based on CRN article: AWS Vs. Microsoft Vs. Google: How Partners Rank The Big 3 Cloud Companies by #KyleAlspach

Article quotes start with “--“

Who should I choose as my cloud service provider?

-- CRN’s Cloud Barometer survey asked solution providers to rate their satisfaction with the three leading cloud platforms … Survey respondents awarded Microsoft Azure with the highest overall satisfaction rating—giving it first-place finishes in product capabilities, profitability and maturity of pricing.”

So, to be safe, pick Microsoft! The executives know them! But wait!

-- Meanwhile, AWS ranked No. 2 overall, winning the highest ratings in ease of integration and support for demand generation.

That sure would make IT happy and get IT service faster, so let’s go with AWS! But wait!

-- There’s a good reason that Microsoft edged out its rivals in the survey results, according to #ReedWiedower … Their partner programs are much more mature …

Ok then, back to Microsoft. We can get more help from their partners! But wait!

-- All three vendors are investing heavily in their cloud platforms, from product updates to channel program enhancements.

Hmmm. It sounds like things may be changing. Maybe we should wait.

-- As of the first quarter of the year, AWS maintained its lead with a 32 percent share of enterprise spending in the cloud infrastructure services market, according to Synergy. By contrast, Microsoft Azure has leapt from an 11 percent share of the market four years ago to 20 percent market share today, the research firm said. And Google Cloud now has a 9 percent share of the market, up from 6 percent four years ago, according to Synergy.

So AWS is still the most popular, and with popularity comes more IT people familiar with the inner workings of AWS. So AWS it is! But wait!

-- While it’s possible to extend Active Directory into AWS, “you don’t get Azure AD,” said @ZachSaltzman, senior director for the Microsoft platform at FMT Consultants, a Microsoft Gold partner based in Carlsbad, Calif. “And Azure AD is this whole separate beast that brings a lot of productivity features and a lot of security features that no other cloud has.”

Security would LOVE this! And let’s face it, cyber security is hot now! But wait!

-- AWS’ greater scale also offers an advantage over competing clouds in numerous ways, AWS-focused solution providers told CRN. “With scale comes experience, knowledge, perfection of product and services,” said @EranGil, CEO of San Francisco-based AllCloud, an AWS Premier Consulting partner. “At scale, you get to a much better product.”

It sounds like we could grow and scale faster, and that would make marketing and sales happy! But wait!

-- And while those [open source] technologies are designed to be deployed on any infrastructure —including competing clouds—Google Cloud offers the best-engineered and most cost-effective solution for running them, the solution providers said. Google Cloud, @TonySafoian said, “invented the standards in which multi-cloud and hybrid cloud exist. I think AWS didn’t say the word ‘multi-cloud’ until last year.”

Did I hear cheap? Finance would LOVE that! But wait!

IT, security, market, sales, finance, and executive – how do we make them ALL happy, and how do we know which cloud provider is the best for us today and in the future? We need to plan for this, but how?

But wait!

There is a solution! Cloud Asset Management. The Cloud Asset Manager brings together all parties with a vested interest in coming to the right decision for the organization. No surprises. No “I didn’t know!” Just a boring technology acquisition and adoption so you can focus on the exciting part – making the customer happy!

Cloud Asset Management is a core competency. Click here to learn more.

Top 4 Objectives of a Cloud Asset Management Program

183:844946220 (Keith Rupnik) — Thu, 13 May 2021 16:16:38 GMT

Top 4 Objectives of a Cloud Asset Management Program

1. Manage Spend

Cloud makes it very easy to acquire cloud services that sometimes appear to be of little to no cost. The ease of obtaining coupled with the low price can also mean many more people can acquire cloud services. It is not just the cost per cloud service but the total cost of all services.

2. Manage Risk

The risk of putting the organization’s data outside of the corporate firewall was one of the first concerns preventing cloud adoption. While that concern has diminished, the risk has not and, in fact, probably increased. The increased risk is the increased adoption of cloud services and by many people within the organization.

3. Manage User Expectations

End users, IT, security, business units, departments, and finance are all consumers of cloud services or have a vested interest in the use of cloud services. A function of ITAM is to represent and manage the expectations of each group to ensure maximum value. Some users may view the cloud as freedom from the organization’s IT department. While that may be true, it is not freedom from the responsibility to the organization and its customers.

4. Meet Business Objectives

Last but certainly not least is understanding leadership’s business objectives and how the cloud helps meet those objectives. This understanding includes making sure that moving to the cloud is not just a particular reason, such as outsourcing to save money. Instead, it contributes to the success of the organization.

Consider starting with these four objectives If you want to justify the resources needed to manage your cloud assets. Develop a list of questions for each objective to identify the reason for managing cloud assets and then align these reasons to the executive roles within your organization. A comprehensive plan plus targeted messaging will significantly increase your chances for support for your cloud asset management initiatives.

Top 5 Skills of a Cloud Asset Manager

183:844946220 (Keith Rupnik) — Wed, 28 Apr 2021 21:04:19 GMT

Top 5 Skills of a Cloud Asset Manager

Many skills are required when it comes to managing IT assets. Here are the top 5 skills needed for a powerful Cloud Asset Management program.

1. Vendor Management

The management of the cloud service provider is more critical than any other asset management role because now the infrastructure is being managed by a third party and not your organization’s own IT department.

2. Contract Management

The cloud contract is your road map to governance — the fewer details in the agreement, the more work for you.

3. Portfolio Management

Cloud vendors can offer a plethora of products easily consumed by your organization. Understanding the value and function of those products helps your organization only use what is needed.

4. Department Management

The cloud makes access to IT as easy as turning on the lights. The cloud asset manager must be in constant contact with current and future consumers of cloud products within their organization.

5. Data Integration

Reports provided by the cloud vendor may replace the tools that asset managers rely on for reliable data. The cloud asset manager will need to identify the gaps created by moving to the cloud and integrate vendor-provided reports into the ITAM repository.

The Cloud Asset Manager is the newest role to be added to the ITAM family. At the same time, it shares many of the same skills as the other family members; the emphasis on specific skills shifts and becomes more critical. Identify, acknowledge and take the time to develop the necessary skills to be a Cloud Asset Manager – your organization will thank you!

Learn more about BTU's globally recognized Cloud Asset Management training .

Top 5 Things to Think About Before Managing Cloud Assets

183:844946220 (Keith Rupnik) — Wed, 21 Apr 2021 16:28:08 GMT

Top 5 Things to Think About Before Managing Cloud Assets

1. How effective is your current ITAM program for corporate-owned, on-premise assets?

Assessing your ITAM program’s strengths and weaknesses will help you understand the effort it will take to manage cloud assets and the improvements you need to make.

2. Can your current tools be used to manage cloud assets?

What will your discovery tool discover? How effective will your usage tool be in monitoring usage?

3. Are you involved in the negotiations with the cloud vendor?

Like software assets, the terms and conditions are critical for managing vendor performance, costs, and risks.

4. What information will you need from the cloud vendor to monitor usage and cost?

If your tools do not provide the information you need to manage cloud assets, what reports can the vendor provide to help?

5. How will you assess the cloud vendor’s performance?

You will need access to the cloud contracts, including the service level agreement and access to the people using the cloud assets to manage the cloud vendor effectively.

The cloud asset is a new type of IT asset that comes with its own unique challenges. And while you can leverage knowledge and experience from managing other asset types, you will need to expand your skill set to become a successful cloud asset manager.

Learn more about The Definitive Guide to Cloud Asset Management , BTU's specialized IT asset management training course, and become a Certified Cloud Asset Manager today!

WEBINAR: SAM Does Not Equal CAM - Realize the True Potential of Cloud Asset Management

183:844946220 (Keith Rupnik) — Mon, 05 Apr 2021 23:17:17 GMT

WEBINAR: SAM Does Not Equal CAM - Realize the True Potential of Cloud Asset Management

Yes! Please send me the free Webinar Playback.

Cloud Asset Manager: The missing link in today's ITAM Program

As cloud adoption accelerates, so does the need to manage the cloud as a business asset. Currently, this responsibility falls on the Software Asset Manager. But is SAM the appropriate role?

SAM does not equal CAM

In this webinar, we will explore the Cloud Asset Manager's role and the responsibilities that fall under Cloud Asset Management. By the end of this webinar, you will see that while the SAM is well-positioned to handle the additional duties of a CAM, the ITAM program will be best served by formally defining the CAM role allowing your organization to realize the true potential of Cloud Asset Management .

COVID and Tech Refreshes

183:844946220 (Keith Rupnik) — Wed, 31 Mar 2021 14:50:38 GMT

COVID and Tech Refreshes

March marks the first anniversary of the mass exodus from the workplace to the home office due to COVID 19. Some employees took their computers home; others were given laptops and tablets and left their workstations in the office. Additional assets such as VPN software, collaboration software, conferencing software, and security software were purchased to support the remote office. IT plans were turned upside down, including technology refreshes.

The tech refresh is a critical strategy for multiple reasons, including:

Keeping up to date with technology means the hardware is ready for new software releases and happier employees, contributing to employee retention.
A predictable year-over-year budget allocation. Organizations that do not have a tech refresh policy often find themselves refreshing technology only when budgets permit, resulting in an aging tech portfolio.
A predictable disposal cycle can maximize the organization’s assets’ resale value and optimize its ITAD vendor relationship.
Reduced TCO
Taking advantage of the latest built-in hardware security features

COVID impacted even the best tech refresh plans for one or more of the following reasons:

Budgets are frozen due to economic uncertainty
Impact on standards – who will return to the office can impact the current standard. Will the laptop replace the desktop standard?
Supply chain disruption
And finally, executing a refresh during the pandemic didn’t happen

What’s next?

Organizations with a refresh standard will be forced to play catch up and not just purchase new technology. Changes to IT standards and employee office locations will need to be addressed. This may include assessing the following:

How changes to IT standards affect the purchasing obligations with the vendor
Changes to on-boarding and off-boarding for remote workers
Impact on disposal processes and ITAD vendor services in support of remote workforce

Organizations without a refresh standard may find temporary shortages of hardware assets due to the economic recovery. It may be a good time to re-assess your position on a tech refresh policy.

Conclusion

Now may be an excellent opportunity to re-vitalize the ITAM program by conducting a tech refresh policy review. The review needs to include IT, IT service desk, IT security, procurement, finance, IT vendor management, end-users, and the ITAM executive sponsor. The review should include:

Review and consolidate IT standards
Update internal supply chain logistics to support remote users
Re-assess if end-point devices should be managed internally or by a third party (Device-as-a-Service)
Update disaster recovery plan based on lessons learned from COVID
Implement cloud asset management if cloud services were adopted because of COVID
And finally, remind the organization as to why ITAM is a core competency!

Can ITAM help with ESG?

183:844946220 (Keith Rupnik) — Sun, 17 Jan 2021 22:12:13 GMT

Photo by Lukas from Pexels

Can ITAM help with ESG?

A publicly-traded company's value can be partially evaluated using ESG (Environmental, Social, and Governance). An updated ESG requirements is starting to be tied to an executive's compensation. ITAM is always looking for a way to get executive management's attention regarding the value of the ITAM program, and ESG may be another value statement. But can ITAM help?

Environmental

This is perhaps the easiest to see. The hardware disposal component of the ITAM program is tasked with identifying disposal vendors that dispose of electronic waste according to applicable laws.

But the vendor management component of the ITAM is another opportunity. A strong ITAM vendor management program provides insight into the supply chain and how IT assets are manufactured, and their impact on the environment.

Social

Once again, vendor management comes into play. Are the organization's vendors manufacturing IT assets using slave labor? What is the vendor's position on labor? Should IT be looking at the vendor's ESG?

Do IT standards meet the needs of a diverse labor force? I believe working from home due to COVID may have shined some light on what an employee's workstation requires.

Employee and customer data security can be part of social responsibility. ITAM provides the processes, policies, and tools required to maintain an accurate inventory of assets. This inventory is then used by IT security to secure personal identifiable information.

Governance

ITAM has always supported corporate governance goals such as software compliance, privacy laws (HIPAA, GDPR), and e-waste laws (EPA, WEEE). Additionally, ITAM can provide insight into the spending of the budget for IT.

Conclusion

ESG is seen as a tool for investors to evaluate an organization. ESG is also used for executive compensation. ESG is evolving, and while the adoption rate is low, there is speculation ESG will grow in use. There are many articles on ESG, and I strongly recommend the IT asset manager research ESG in their quest to enlighten their executive management on the value of ITAM.

You’ve Just Recovered from a Cyber-Attack, What’s Next?

183:844946220 (Keith Rupnik) — Mon, 07 Dec 2020 18:11:36 GMT

Image by Gerd Altmann from Pixabay

You’ve Just Recovered from a Cyber-Attack, What’s Next?

Your organization has just recovered from a cyber-attack, what will you do next?

A. Lick your wounds and get back to work

B. Pray another attack doesn’t happen

C. Assess your readiness and prepare

If you answered A or B, you could stop reading right now; the remainder of this article will be dull. I’m not guaranteeing it won’t be boring for those who choose to continue reading, but it hopefully will be informative!

Security frameworks such as NIST’s “Framework for Improving Critical Infrastructure Cybersecurity” and Center for Internet Security’s (CIS) “CIS CONTROLS V7.1” all state the need to know what IT assets are in your organization’s environment. When a cyber-attack is first detected, the work begins to identify the attack vector and the attack surface. The attack surface is the IT assets and the networks that connect them, but we also need to consider those off-network assets that may be added to the network at any time.

If your organization has recently recovered from a cyber-attack, were you surprised by the number of IT assets found during the resolution? Many organizations underestimate the number of assets they have. There is a common saying for IT security – you can’t secure what you don’t know you have.

So, your organization recovered from this attack, but have you plugged the holes that allowed rogue and unmanaged assets to connect to your network?

What You Should Do After a Cyber-Attack is Resolved

1. How bad was it?

Not the attack, but how many assets of all types were found that you were unaware of?

2. How many problem areas are there?

Were the majority of rogue assets from one or two departments? If yes, then you have the first areas to focus on fixing.

3. Can you determine where they came from?

Were they leftovers from a refresh? Were they abandoned after a project or when an employee left the organization? Were they purchased by avoiding policies or standard procedures? Were they purchased using a budget redistributed from IT’s budget?

4. Why did it happen?

Did the purchaser not understand policies or procedures?
Are there missing or incomplete processes?
Are the tools insufficient?

5. What needs fixed?

Are policies and/or procedures not understood or known?

a. Review policies for accuracy, completeness, and perhaps most important, clarity.

b. Review training practices. Are new employees and contractors educated on the policies and procedures? Do employees and contractors receive continuous training?

c. Is the culture supportive of a disciplined approach to managing IT assets?

Are there missing or incomplete processes?

a. How are asset purchases approved and paid? Is there a formal request/approval process?

b. Are off-boarded employee’s and contractor’s assets collected?

c. Are project related assets collected after the project is complete?

d. Does the tech refresh cycle retrieve replaced assets?

e. Is a physical inventory performed on a regular basis?

f. Is there a formal disposal process for asset types?

g. Are unused assets properly secured and made available for re-use?

h. Are IT’s installs, moves, adds, and changes accurately reflected in the IT asset repository?

Are the tools sufficient?

a. Is there a database containing a single source of truth of IT asset data?

Okay, okay, I know. A single source is like expecting a letter from the government saying you never have to pay taxes again. The single source of truth represents the culmination of a significant effort to combine people, process, and tools and it doesn’t happen overnight. Therefore, you have to develop a strategy that allows incremental improvements to your IT asset repository.

b. Are the electronic discovery tools working and is the data they generate being used appropriately?

c. Are the assets tagged with either barcodes or RFID tags?

d. Is barcode or RFID technology used to track physical assets in support of that single source of truth IT asset management repository?

After a cyber-attack, there should be a review of what was found during the remediation period regarding how well the organization’s IT assets were managed. Is there an IT asset management program with complete autonomy when it comes to managing the ITAM program? Is the environment overly complicated due to the lack of IT standards?

Suppose your organization can commit to significantly improving the management of the organization’s IT assets. In that case, if, or when, the next cyber-attack occurs, IT security can spend precious time finding and stopping the attack and then repairing the damage instead of trying to define the attack surface.

Additionally, improving your IT asset management operations will pay dividends in other areas like cost savings, compliance, and operational efficiencies.

Is it Time to Go All-In on DaaS?

Wed, 16 Sep 2020 16:34:05 GMT

Photo by fauxels from Pexels

Is it Time to Go All-In on DaaS?

How do you know if your organization is ready for DaaS?

The Business Value of DaaS

The concept of Device-as-a-Service or DaaS is nothing new. On the surface, what is new is how much easier it is to manage end-user devices, their cost, and to some degree, their commoditization. But what is the business value of DaaS?

For ITAM, detailed and up to date information provided by the DaaS vendor on all assets that are deployed

For IT, allowing greater focus on the systems that provide greater value to the business

For IT and finance, a chargeback or showback program with all the benefits that come from such a program

For IT service desk, reduced workload through a transition to level 1.5 support (more on 1.5 support later)

For IT security, vendor-provided security allowing IT security to focus on increasing the organization’s security position within their chosen security framework

For end-users, more focused support, especially for the new work from home population

For the environment, an industry compliant, evidence based ITAD program

Of course, all of this value depends on two critical factors – vendor performance and your organization’s ability to monitor that performance.

What does “all-in” mean for DaaS? All-in encompasses the following:

Applies minimally to all users whose IT assets can be standardized

All end-user devices – laptops, desktops, tablets, phones, and software

The organization specifies the IT standards for its users

Services:

Procurement of organization specified hardware

Software installation and configuration

Shipping

Installing

Level 1 service desk support for installation, break/fix, office software

Business systems issues are escalated to the organization’s level “1.5” support

Level 2 support provided by the organization

Hardware refresh

Hardware disposal

Data backup

Software/firmware patch management

Security management and monitoring

Location tracking

User assignment

This all-in approach can seem daunting causing an organization to take a piecemeal approach to DaaS. But a piecemeal approach may significantly hinder the value an organization can realize from DaaS not to mention the complexities introduced due to poorly scoped and defined separation of responsibilities between the organization and the vendor.

DaaS can bring significant value to an organization, freeing up resources to focus on IT initiatives that bring more business value to its customers and shareholders. But this value can only be realized if the DaaS vendor is managed appropriately and managed to a well written SLA.

How do you know if your organization is ready for DaaS? Perhaps it is as simple as asking one question:

Is deploying and managing the end user’s computing devices a core competency of my business?

Disaster Recovery Planning Next Generation – This Time with ITAM

Thu, 03 Sep 2020 16:34:06 GMT

Photo by GEORGE DESIPRIS from Pexels

Disaster Recovery Planning Next Generation – This Time with ITAM

One of my questions I would ask asset managers is about their involvement in their organization’s disaster recovery planning. Unfortunately, out of the hundreds of asset managers I asked, almost no one was involved. My follow-on research revealed that most DRP was focused on restoring the key business systems as soon as possible. Anything outside of key business systems would be addressed when ‘it’ happened.

There was one asset management group that did do it right and to this day is by far the best example of ITAM’s participation in DRP. An office building caught fire and before the fire was extinguished, all of the IT assets necessary to continue that site’s normal business operations the next day had been shipped. The ITAM team was “matter-of-fact” when they told this story, but it was anything but standard operating procedure for the majority of organizations. This is quintessential ITAM!

ITAM’s charter is to maximize the value of IT while minimizing the risk. One responsibility is to know where all assets are and who is using them. The lack of this information was evident in many organizations that suddenly found themselves scrambling to support the stay-at-home workforce. Organizations did not know what excess inventory they had or what the at-home worker needed to do their job. And I wonder how well organizations did tracking what was shipped and how well prepared they are for future off-boarding and technology refreshes of this new work-from-home paradigm.

COVID-19 has provided us with several opportunities to learn from past mistakes. Will ITAM now be a critical component of DRP for the organization’s entire IT ecosystem?

What’s Next for ITAM?

Sat, 16 May 2020 16:34:06 GMT

Photo by Aslıhan Aslan from Pexels

What’s Next for ITAM? ITAM After COVID

COVID-19 continues to disrupt lives and businesses, but ITAM must start looking beyond the immediate impact of COVID-19 on your organization and start looking at the impact COVID-19 is having on the economy. How much the world economy will decline is unknown and how long the decline will last is unknown, at least to this author. However, what is known are the plans that need to be made and put into immediate action.

The ITAM Value Proposition

Now is not the time to sit around waiting for someone to ask for help. Now is the time to take a proactive approach and find out what your ITAM program can do for your organization in the coming months. Do not get caught in the position of having to justify your ITAM program or ITAM staff. Too many ITAM programs were cut in the “Great Recession of 2008” because they were not ready to help, had not communicated their value, and did not have a plan to bring immediate value to their organization.

Saving Money

The strategy to cut costs needs to be developed by taking a holistic approach.

Hardware – what is the state of your technology refresh? Do you need to continue as planned or can it be delayed? Should it be delayed? Is your company’s head count going to be the same in the near future?

Software – what does your calendar look like regarding renewals and true-ups? Do the entitlements still align with the business needs? Are support levels still valid?

Cloud subscriptions – are the current subscription levels and counts still valid? Similar to hardware, what does the company’s head count look like in the near future? Are near term commitments and plans still valid?

Outsourcing – is it time to seriously consider or commit to moving internally provided IT services to the cloud? Outsourcing for the sole purpose of saving money can be a very risky move. However, the IT asset manager can help evaluate the options of moving insourced services to a vendor. Evaluation should include understanding the details of the internally provided services, the needs for those services, and the cost of providing the needed services by a cloud service provider.

Software Audits

Unfortunately, software audits are probably back. Not that they left. But history has shown when the economy declines software audits go up. The “Great Recession of 2008” did cause some challenges to the auditors because they were auditing companies that downsized significantly. If that downsizing occurs with this recession, the auditors, like the last recession, will adjust their strategies. ITAM should prepare for upcoming audits by:

Define the roles and responsibilities of the software audit response team. Include the executive sponsor, legal, finance, IT, IT security, vendor manager, and the software asset manager roles. Use the audit response team definition to educate the heads of the departments that will have to assign someone to the audit response roles.

Identify the top software titles based on spend and based on audit risk.

Conduct internal audits to test any assumptions and your organization’s readiness. Review your entitlements and your consumption to determine your licensing position.

Cyber Security

Cyber security was a high priority in most organizations prior to the Covid-19 pandemic and will have to remain a high priority during and after. Cyber attacks have continued to increase at alarming rates during the crisis with the cyber criminals taking advantage of the crisis and the at-home work force. The last great recession did not have the cyber threats that organizations face today, allowing organizations to focus on cost cutting. But this time organizations will have to cut spending while still fund, and perhaps increase, cyber security budgets.

ITAM can support their organization’s cyber security initiatives in at least two ways: 1) identify opportunities to reduce spend on non-essential IT to help fund cyber security initiatives and 2) support cyber security controls as they relate to IT asset management. Practically every cyber security framework has at least two controls – accurate hardware inventory and accurate software inventory.

The Value of the ITAM Program

Lastly, continue to communicate to executive management and departments the value your ITAM program brings to the organization. Review your communication efforts and look for ways to improve. Educate other departments and leadership on how you can help. Be proactive!

In addition to the business benefits described above, review the following benefits that an ITAM program can bring:

IT asset re-use – report the money you have saved through redeployment of assets and demonstrate how this may be a critical time to leverage redeployment of unused assets. Consider conducting an electronic and physical inventory to achieve an accurate inventory of assets that can be redeployed.

IT budget review – look for where the spend is greatest and then assemble a team of experts to brainstorm how the budget can be reduced.

IT budget review, part two – cutting budgets should not be the only strategy during a down economy. Sometimes you have to spend money to save money. For example, is it more cost effective and accurate to conduct an inventory in-house or through a vendor with inventory expertise? Does your organization possess the talent inhouse to optimize your software license spend? Is now the best time to delay disposal of hardware assets or should you re-engage your disposal vendor?

IT budget review, part three – is there budget allocated to refresh IT assets? Does the refresh need to be delayed? What is the cost of delaying? What other IT asset related projects are on the near horizon that need to be re-examined for cost and benefit?

Conclusion

COVID-19 has impacted the way most businesses operate. This is an opportunity for ITAM to bring more value to the organization by applying the management skills that are characteristic of IT asset managers. The pandemic hasn’t ended, yet the repercussions are just starting.

If layoffs occur, then the offboarding process will be critical not only to ITAM but also to human resources, IT, and cyber security. If employees are coming back to the office from their home, then the reboarding process will be critical. Duplicate assets assigned to home users need to be retrieved, stipends terminated, disposal of software installed specifically to support the at home worker. For furloughed employees, then the onboarding process will need to address what happened to the assigned IT assets when they were furloughed and what needs to happen to the assets to prepare for the employee’s first day back to work.

The ITAM program is a core competency of any organization, of any size, and in any industry. Executive management just may not know it and it is the responsibility of you, the IT asset manager, to continuously promote the successes of your ITAM program.

Best regards,

Keith Rupnik

Ohio, USA

ITAM IQ Library

2025 End of Year Newsletter

2025 End of Year Newsletter

Artificial Intelligence (AI)

Cyber Security

Cloud

The Economy

Noise

Final Words

2024 End of Year Newsletter

2024 End of Year Newsletter

Artificial Intelligence (AI)

Cyber Security

Cloud

The Economy

Global Unrest

Noise

Final Words

WEBINAR: How to Secure Executive Buy-In for Your ITAM Program (Get C-Suite Support!)

WEBINAR: How to Secure Executive Buy-In for Your ITAM Program

Get C-Suite Support!

Securing Executive Buy-In for ITAM Success

The Importance of Continuous Executive Sponsorship

Are Boeing’s Troubles a Lesson for Cloud Customers?

Are Boeing’s Troubles a Lesson for Cloud Customers?

Most of Us Don’t Make Money

Déjà vu (All Over Again)

IT and ITAM Must Learn from Other Industries

ITAM and Vendor Management

Cloud and Vendor Management

What’s Past is Prologue

Garbage In, Garbage Out. AI and ITAM

Garbage In, Garbage Out

Question: Will AI replace IT Asset Managers?

Answer: Yes! No! Maybe?

ITAM and CTEM: Threat Exposure Program Requires ITAM

ITAM and CTEM ﻿

IT security – you don't need to reinvent the wheel!

"Step No. 1: Scope for cybersecurity exposure, first for external and SaaS threats"

"Step No. 2: Develop a discovery process for assets and their risk profiles"

"Step No. 3: Prioritize the threats most likely to be exploited"

"Step No. 4: Validate how attacks might work and how systems might react"

"Step No. 5: Mobilize people and processes"

Why Reinvent the Wheel?

Implement CTEM and Get a Bigger ROI with ITAM

Cyber Security Frameworks

ITAM IQ identifies 37 ITAM components representing the IT asset lifecycle, standards, and initiatives.

CIS has 161 controls, and when mapped to ITAM, the result is over 400 points where ITAM components enable and support the CIS framework.

NIST has 23 functions and 108 categories, and when mapped to ITAM, the result is over 300 points where ITAM components enable and support the NIST framework.

ITAM / Cyber Security Workshop

Remember, an organization's IT security is only as good as its ITAM program!

Citations

2023 End of Year Newsletter

2023 End of Year Newsletter

Artificial Intelligence (AI)

Cyber Security

Cloud

The Economy

Global Unrest

�� ITAM's a Highway! ��

�� I want to ride it all night long! ��

Is FinOps Hijacking Your ITAM Program?

Is FinOps Hijacking Your ITAM Program?

Value

Quality

Vendors

Finance

Procurement

Price

IT Asset Cost

Cost Avoidance

What Should ITAM Do?

Resetting Expectations

S&P: IT Asset Management is Central to Cyber Security

S&P: IT Asset Management is Central to Cyber Security

And the rest of the organization, too!

Security Monitoring

Lifecycle Management

Incident Response

Vulnerability Management

ITAM and CTEM