IT Asset Management in the 2020s
IT Asset Management continues to increase in importance to all types of organizations, and is increasingly seen as essential in corporate management. According to ITAM Review research in 2018, 37% of ITAM departments are now reporting directly to board level, up from 17% in 2011. ITAM has increased visibility not only because of the strategic significance of IT, but because the buyers of IT are increasingly outside the IT department. Gartner refers to ITAM as a C-Level imperative.
This paper aims to help organizations further drive this evolution by giving a brief overview of the business benefits of good ITAM, and the business benefits of organizational certification against the ISO ITAM standard. References are also given to sources of further information and guidance.
Section 1: The business benefits of good ITAM
Cost savings are typically the main justification for a strong ITAM function, with good reason. Roughly a third of software is wasted or unused, regardless of whether it is desktop software, SaaS subscriptions or cloud infrastructure.
Cost savings are typically achieved by cost recovery (e.g. receiving money or credit back for costs already incurred); cost reduction (e.g. eliminating future obligations for costs currently being incurred and likely to continue to be incurred – notably those cited above); and cost avoidance (e.g. avoiding the costs associated with software publisher audits). It is important to monitor savings over time, and to recognize their expected rates of achievement, to avoid disappointment after the initial ‘low-hanging fruit’ has been taken.
ITAM and information security (InfoSec) are closely related, but historically their roles have had limited cooperation and integration. This is starting to change, and will become one of the most important areas for ITAM developments in the 2020s. This is demonstrated by the fact that two major sources of cybersecurity guidance put IT asset inventories or IT asset management as their top priority. These are (1) the Center for Internet Security’s controls, and (2) the US Government’s Cybersecurity Framework.
The cost of security failures is well known, because they often hit the press. For example, the Equifax breach has already cost upwards of $1.4bn and resulted in wholesale C-Suite changes. In the UK, the Information Commissioner’s Office is coming down increasingly hard on such situations, with proposed fines of £183 million for British Airways, and £99 million for Marriott hotels, for breaches of customer data. ITAM can help bring visibility and control to such exposures.
ITAM’s role in security enhancement is typically achieved by focus on the following areas:
- Shared inventory & discovery (See for example the recent Special Publication on IT Asset Management by NIST).
- Application lifecycle management shared with InfoSec
- Identity and access management
- Hardware asset management
- Managing ephemeral assets (e.g., containers, serverless computing, and FaaS)
- Addressing code hygiene (especially with open source)
Software license compliance
Software license non-compliance is the reason that many ITAM projects are started, because of a costly and disruptive software publisher audit. Software license compliance is therefore an obvious benefit of good ITAM, although its value as perceived by management often decreases after two or three years of successful avoidance of bad audit results.
The other types of continuing benefits need to be achieved and demonstrated to ensure management’s continuing support.
A significant business benefit for ITAM in the 2020s will be business agility. The better the visibility of what you have, where it’s located, how it’s configured, and how it’s being used, the faster you can change, and the more quickly a business can transform. The common-sense approach to IT Operational & Business Management is ITAM. It’s not the sexy and exciting part of IT innovation; it’s the sharp and pointy business end that facilitates shrewd business decisions.
Agility enabled through visibility means Procurement buys the right things to empower innovation and business transformation. Visibility of the adoption of new technology through ITAM-generated usage data ensures that the investment made delivers on its ROI forecast.
Risk management is the flip side of the coin for most of the benefits which good ITAM brings, but the categories used are typically different. Typical risk categories are:
- Financial risk: e.g., overspending on software and hardware assets, the financial impact of a software publisher audit, or the increasingly likely major fines associated with breaches of security exposing personal data
- Operational risk: e.g., an interruption in operations caused by poor software upgrade procedures, or by malware breaking systems. For example, in 2019 the Board of TSB bank in the UK was censured for poor oversight of IT projects which led to nearly 1.9 million customers being locked out of their accounts. The CEO was also ousted as a result of this meltdown.
- Regulatory compliance risk: e.g., for specific sectors such as health care and banking
- Reputational risk: e.g., the public impact of a major operational breakdown, or a major data breach
There are many other benefits which can result from good ITAM. These include:
- Facilitating mergers/acquisitions/demergers
- Improved interoperability (e.g., between legacy systems and cloud systems; and between different parts of the organization)
- Improved management due to trustworthy data
Section 2: The business benefits of ISO organizational certification
Good ITAM delivers valuable benefits as demonstrated in the previous section. However, much more can be achieved by using the ISO ITAM standard (ISO/IEC 19770-1:2017) as the foundation for good ITAM. This can be just for guidance and alignment, but the best and ultimate objective is to obtain organization certification against the ISO ITAM standard.
Demonstrating good governance
Ultimately, organizational certification against the ISO ITAM standard is about demonstrating good governance over an extremely complex area, which is hard for non-experts to judge themselves. Good governance can be demonstrated to both internal and external stakeholders. Internal stakeholders include top management, and the management and users in other areas of the organization with which ITAM deals – almost everyone. External stakeholders include vendors such as software publishers and regulatory authorities. For example, in the event of a data breach, strong evidence of appropriate controls demonstrated by organizational certifications may help to mitigate a potentially huge corporate fine.
Enforcing trustworthy data
The essential basis for good management decision-making is having trustworthy data. This is obvious in principle, but often not observed in practice. A fundamental requirement of the ISO ITAM standard is to have trustworthy data regarding IT assets, and with certification, management can have confidence in this.
Enforced linking into corporate objectives
A common problem for many supporting areas of an organization is to ensure that they align with corporate objectives, and often this is difficult to demonstrate. The ISO ITAM standard – in common with all other ISO Management System Standards – requires that the objectives for an ISO ITAM system be clearly linked into corporate objectives. Organizational certification against the ISO ITAM standards will ensure that this happens, and that management can have confidence in it.
Coordination with other ISO systems
Many organizations will have implemented other ISO Management System Standards, such as for Information Security Management (ISO/IEC 27001), Service Management (ISO/IEC 20000-1), or Quality Management (ISO 9001). All such Management System Standards are similarly designed, which should therefore make it comparatively easy for them to interrelate and integrate. However, the ISO ITAM Management System Standard has several additional requirements to ensure that such coordination and integration is addressed, and management can have confidence in this.
- https://itamstandards.org/: the website of WG21, the international volunteer group that writes ISO ITAM standards
- ITIL Guide to Software and IT Asset Management, Bicket and Rudd, The Stationery Office, 2018. ISBN 9780113315482
- Practical ITAM – The essential guide for IT Asset Managers, Martin Thompson, The ITAM Review, 2017. ISBN 978-1547011216