Alf’s Zoo – The Erosion of IT Trust

“Alf’s Zoo – This week, Jon Hall explains how Uber has changed our view of IT and the world. We no longer trust authorities as much as we trust our peers when it comes to selecting tools and services for work and life. Instead of prescriptive measures issued by so-called experts, we now rely heavily on peer-assisted selections, where we rate the vendor – and the vendor rates us. Imagine what customer reviews have done to online shopping, and ask yourself what IT can do to earn back some of the trust from its stakeholders. Jon provides one of the few concrete examples of how the consumerization of IT impact the business”

Are enterprise Software License Audits costing businesses over $4bn per year?

KMPG survey responses about revenue derived from software audits

I blogged yesterday about the recently released KPMG survey of the software compliance industry.

One very interesting graph breaks down the percentage revenue derived by software vendors from their compliance programs:

KMPG survey responses about revenue derived from software audits

The overall survey is framed as follows:

(KPMG) surveyed 31 software companies representing more than 50 percent of the revenue in the software industry, where enterprise software revenue is expected to total $301 billion in 2013 (Gartner). 

If we take just 50% of that total US $301 billion enterprise software market (to represent – conservatively – the market share of the 31 companies that responded), and extrapolate from the mid-points of the buckets in the diagram (e.g. take “2% to less than 4%” as 3%), then we get an estimated figure for the total revenue derived from compliance programs of $3.99 billion.

That, of course, assumes an even distribution of software company sizes across each of the response levels.  That’s not a sound assumption, but it could push the figure higher as well as lower.   This also discounts the remainder of the enterprise market that did not respond to the survey, or were not surveyed, which could add an unknown amount to the figure.  Additionally, the figure above uses a value of 10% for the “10% or more” bucket – in reality this is likely to sit somewhere over 10%, but we have no data to indicate by how much.

What seems safe to say is that response to compliance enforcement is costing enterprise software consumers billions of dollars, and there is a good chance that the overall figure will be in excess of US $4 billion.

It has been difficult, to date, to estimate a reliable market size for the Software Asset Management market (not least because it is difficult to define: how much of the market is already accounted for in estimates for technologies such as discovery and the IT Asset respository?).  However, if the damage caused by a lack of control is already counted in the billions, this suggests a significant addressable market.

Even a modest 5% estimate for the market value of saved compliance penalties would suggest an overall market of $200 million for preventative SAM alone, and this is before we consider the value of optimization rather than threat reduction.

This fascinating KPMG survey reveals the software license auditor’s viewpoint

KPMG survey front cover - "Is unlicensed software hurting your bottom line"

Software licensing audits are a big challenge for IT departments.  65% of respondents to a 2012 Gartner survey reported that they had been audited by at least one software vendor in the past 12 months, a figure which has been on a steady upward trajectory for a number of years.

Often, companies being audited for software compliance will actually deal, at the front-line, with a 3rd party audit provider. One of the big names in this niche is KPMG, whose freely-downloadable November 2013 report, “Is unlicensed software hurting your bottom line?”, provides a very interesting window into the software compliance business.

The report details the results of a survey conducted between February and April 2013, with respondents made up “31 software companies representing more than 50 percent of the revenue in the software industry”.

Revenue is driving software audits

The survey results show, rather conclusively, a belief in the business value of tackling non-compliance:

  • 52% of companies felt that their losses through unlicensed use of software amounted to more than 10% of their revenue.
  • Almost 90% reported that their compliance program is a source of revenue. For about a tenth, it makes up more than 10% of their overall software revenue.  For roughly half, it is at least 4%.

Compliance audits are increasingly seen as a sales process

  • In more than half of responding organisations, the software compliance function is part of Sales. This is reported as being up from 1 in 3, in an equivalent 2007 survey.
  • In 2007, 47% of compliance teams were part of the Finance department. This figure has plummeted to just 13%.

This shift is not universal, and some companies seem committed to a non-Sales model for their compliance team.  A compliance team member from one major software vendor talked to me about the benefit of this to his role: He can tell the customer he is completely independent of the sales function, and is paid no commission or bonus based on audit findings.  Many other vendors, however, structure audits as a fully-commissioned role.  As the survey points out:

  • Only 20% of companies pay no commission to any individuals involved in the compliance process.
  • In 59% of cases, the commission structure used is the same as the normal sales commission program.

There is further indication of the role of sales in the audit process, in the answers to the question on “settlement philosophy”.  More than half of the respondents reported a preference for using audit findings as leverage in a “forward-looking sales approach”, rather than wanting to seek an immediate financial settlement.

Almost half of vendors select audit targets based on profiling

The biggest single selection reason for a compliance review was nomination by the sales account team (53%), with previous account history in close second place (50%).

Interestingly, however, 47% reported selecting customers for review based on “Data analytics suggesting higher risk of non-compliance”, with 7% stating that random selection is used.  It seems that audits are still a strong likelihood regardless of an organisation’s actual compliance management.

Auditors prefer their own proprietary tools to customers’ SAM tools

There seems to be a distinct lack of regard for Software Asset Management tools. 42% of respondents seek to use their own discovery scripts in the audit process. Only 26% of the vendors stated that they use customers’ SAM tools, and remarkably this is down from 29% in 2007, when one might expect few SAM tools would have been found on customer sites anyway.

This echoes the experience of a number of customers with whom I have previously spoken, and it can be a real source of annoyance. How, some argue, is it fair that license models are so complex that it takes a secretive proprietary script, only available to the auditor, to perform a definitive deployment count?

Other observations

  • Software tagging has not been widely adopted: Less than half of respondents do it, or have plans to do so.
  • SaaS reduces the role of the software auditor. Only 15% reported any compliance issues, and more than half don’t even look for them.
  • Few companies seek to build protection against overdeployment into their software. From conversations I have had, most seem to want to encourage wide distribution. Some desktop software was deliberately released in a manner that has encouraged wide, almost viral distribution. In at least one case, an acquisition by a larger company has been the trigger for a significant and aggressive audit program, targeting almost every large company on the assumption that the software is likely to be found there.

Conclusions?

It is very clear from the survey results that many large software vendors have established their compliance program as a significant revenue generator, and with a significant shift of these functions into the sales department, we can probably assume that there is a broad intent to maintain or even grow this role.

Whether this is even compatible with a more collaborate model of software compliance management is highly questionable: the business case for the status quo seems very sound, from the vendor’s point of view.  With so many vendors only trusting the discovery scripts used by their auditors, the situation for customers is nearly impossible: how can they verify compliance if the only counting tool is in the hand of the vendor?

The light at the end of the tunnel for many customer may be SaaS:  SaaS software tends to be more self-policing, and consumption models are often simpler. However, it brings its own challenges: zombie accounts, decentralised purchasing, and a new set of inconsistent consumption models. Meanwhile, hosted software does not go away.

The Zombie Apocalypse: an IT Asset Manager’s Survival Guide

Zombie Response Van

Zombie Response Van

IT Asset Management is not a profession commonly associated with the undead peril.  Little do their colleagues know, that the beleaguered ITAM specialist faces an ever-increasing horde of mysterious, shambling, moaning zombies.

Here, we detail some of the most common zombie types, and tell you how to spot them…

 

1) The Iron Zombie

Physical zombie server. Trip hazard, vermin house, dust collector...

This increasingly rare zombie species is nevertheless still found in forgotten corners of IT offices, blinking its faded LEDs in sinister fashion, and blowing dust out of its 3.5″ disk drive.

In its laptop variant, this is where your Visio licenses go to die.

Typical Habitats:

  • The footwell under sysadmins’ desks.
  • Corners of network switch rooms.
  • Third drawer down in the filing cabinet (laptop subspecies)

Hazards:

  • Ancient support contracts.
  • Last resting place for expensive developer tool licenses.
  • Heat output overwhelming air conditioning.
  • Incoming malware easily able to overcome unpatched 8 year old Operating System
  • Support or lease payments for an expensive paperweight
  • Broken toes.
  • Mice.

Ways to find them:

  • Trip over them.
  • Follow the sound of dust-clogged fan bearings.
  • Invite a software license auditor into the building.
  • Physical audit of technical office locations.

2) Virtual Zombies

Zombie virtual machiene. You can't photograph these, so here's a diagram.

This modern zombie species is increasingly prevalent, both on-site and off.  As well as simply being untidy, they can have all manner of impacts on the business: one forgotten major-vendor database instance, for example, can suddenly make every processor core on the entire physical backend entirely licenseable (including backdated support. At full list price. Scared yet?).

Gartner analyst Philip Dawson, at the Gartner Datacenter Summit in London, in November 2013, stated that 40% of VMs are over 3 years old, with 20% at least 5 years old.

Typical Habitats:

  • The company virtual farm.
  • Amazon Web Services.

Hazards:

  • Invisibility (or frustratingly visible opacity).
  • Tendency to be service critical without anyone realising. If you turn it off, who is going to scream?
  • You know all that careful capacity optimization you did on the server farm?
  • You can’t patch what you can’t see.

Ways to find them:

  • Invite a software license auditor onto the company network with their own discovery scripts.  This may be expensive.
  • Trawl credit card records for Amazon spend.
  • Agentless discovery, preferably with good quality application and dependency mapping.

3) Bring-Your-Own-Zombie

Bring your own zombie will eat your MDM licenses.

A recently discovered zombie species, the Bring Your Own Zombie is typically created when a user acquires a shiny new device, and either forgets or declines to deregister the old one.  It’s early days for BYOD, of course, so stats are hard to come by, but Amtel estimate a 10% rate of zombification for mobile devices. Okay, they’re an MDM vendor, but even at half that rate, a company with 10,000 BYOD refreshing hardware on a two year cycle will build up up a zombie army of a thousand devices over the next four years. That’s a lot of risky data, and a five- or six- figure excess MDM spend.

With many Mobile Device Management applications being paid for on a per-device subscription basis, the gradual buildup of BYODZ’s can steadily increase your bills, to no actual benefit.  And what of the device itself?  With no clean deregistration, and cleansing of corporate data, your data can become very viral, very quickly.

Typical Habitats:

  • Odd drawers in employees’ houses.
  • Ebay.

Hazards:

  • Will eat your MDM licenses.
  • Software Auditor: “So you’re licensing this software by device? Excellent, can I just take a look at your list of registered tablets and smartphones?”.
  • Never underestimate the corporate-data bandwidth of a padded envelope.

Ways to find them:

  • Amnesty.
  • Ask Joe in Accounting if he’s really still using a Nokia N85.

4) Zombie.bat

Zombie script file

This broad category of zombie includes all scripts, undocumented file imports, complex spreadsheets, mysterious VBA code, and the like, that get created in a productive afternoon by a sysadmin, intern or helpful hobbyist, and which embed themselves into nondescript but rather important tasks like starting up the directory server, or producing billable timesheet reports.
Gartner, at their 2013 Datacenter Summit, expressed a concern in one keynote that undocumented code is on the rise even as IT departments look increasingly to industrialise infrastructure.

Typical Habitats:

  • The finance department. In fact, any department.
  • Microsoft Access.
  • Arcane startup scripts on important servers.

Hazards:

  • Easy to create, difficult to support.
  • Undocumented, unattributed, unseen.

Ways to find them:

  • Have a major outage, trace it back to a six year old Perl script.
  • Wait for a call to the Helpdesk about the important and complicated Excel sales spreadsheet that was written by an intern several years ago, and which has broken.
  • Work with sysadmins to catalog critical code, and preferably built it into a solid CMDB with critical service dependencies

The serious points

Zombie assets are a genuine and growing issue. At best, the problem means that the return on investment in IT infrastructure is not what it should be. With IT budgets squeezed and the increasing demand on CIOs to run their functions as an effective business unit, this is an unnecessary impact on the bottom line, arising directly from IT Assets.  IT Asset Managers should never ignore that.

Additionally, there are plenty of additional circumstances where a lack of control over assets at the end of their lifecycle can lead to unforseen and even dramatic negative consequences:

  • Zombie hardware may still be under support contract.  Leased hardware, if not returned, can incur significant penalties and additional costs.
  • Uncontrolled end-of-life can mean uncontrolled disposal, with the associated risks of data loss, environmental damage and penalty, and negative publicity events arising from either.
  • The relative ease of deploying VMs in the datacenter inevitably risks sprawl.  Datacenters end up “fragmented” in the same way that a PC’s hard drive can, with pockets of unused capacity walled off around badly optimised server images.  “Lost” VMs in particular are a big threat: even if you can’t find them, a hacker or a software auditor might be able to.

What can be done?

At the 2013 Garter IT Financial, Procurement and Asset Management summit, research VP Patricia Adams recommended an “Action Plan for IT Asset Managers”.

  • From “next Monday”, Adams advised, IT Asset Managers should ensure their team is part of the process for staging a VM, focusing on collection of data prior to deployment (as this is easier than doing it reactively.
  • In the “next 90 days”, define an end of life process for virtual applications, and ensure that data on assets and software is accurate.

A recent CIO Asia guest article recommends adopting the ecological principle of “Reduce, Re-use, Recycle” in managing VMs.  Reduction, in this case, by controlling the VM request process and ensuring that each request receives appropriate review and authorisation. Re-use, through control of unused VMs, e.g. by archiving permanently or temporarily, to allow their underpinning architecture to be repurposed. Recycling, by identifying and releasing stranded capacity, where other bottlenecks in the system mean that resources sit unused.

Emerging challenges like BYOD sprawl need new initiatives to reduce risk. Last week I attended a seminar held by members of the software compliance industry (in other words, auditors), and BYOD was a headline presentation topic. Compliance teams are establishing ways to audit these devices, so software consumers need to develop processes to keep them in check.

If Asset Management is accountable for the optimised use of IT assets, then the IT Asset Manager needs to consider their own accountability, even where these functions are directly controlled by other teams.  Get involved, work cross functionally, and ensure that the risks are communicated clearly and vigorously.

Photo credits:
Zombie Response Van: Author’s own photo. The van belongs to Zed Events who hold “Zombie Apocalypse” events in a disused shopping centre in my home town of Reading, UK. I’ve not been, but it looks awesome, and I imagine it’s actually very good practice for the IT Asset Manager faced with a particularly gnarly, uncontrolled Amazon account.
Iron Zombie: From Flickr, used/modified under Creative Commons license, thanks to Vinny Malek.
Virtual Zombie: Author’s own diagram.
Bring-Your-Own-Zombie: From Flickr, used/modified under Creative Commons license, thanks to magic_quote
Zombie.bat: From Flickr, used/modified under Creative Commons license, thanks to *n3wjack’s world in pixels.

Some initial thoughts on the Service Management Congress

Having gone away on paternity leave for a few weeks (I’m writing this with a sleeping four-week-old stretched along my lap), I initially missed the fuss that came out of the Service Management Fusion13 conference. On returning, an acquaintance in the UK ITSM sector emailed me and suggested I take a look at the Service Management Congress website, and its bold rallying call:

SMCallAction

That’s quite a lot to take in between sleep-deprived nappy changes, so I’m grateful that he also pointed me to some useful and interesting context from prominent ITSM consultant, podcaster and blogger Barclay Rae:

What I didn’t expect was to be involved in a ‘revolution’, but that happened too…
Over the week – and with the support of the organisers – a number of meetings were held with a cross-section of ITSM people who wanted to see change happen and to do something about it – now. A few people were initially invited and others like me simply joined as part of the conversation . The sessions were originally set up with the intention of discussing how to improve or develop the role of the itSMF (especially in the US) – which (with the exception of some great chapters in northern Europe and elsewhere) is perceived to be flagging. The discussion moved on from that to a bigger and more fundamental view of how to fix the industry – perhaps idealistic but certainly with positive intent.

A post on the SM Congress website itself, entitled  “Background on the Group Formerly Known as RevNet“, detailed the terms of referene that had been given to the core, invited group who had drawn up this fledgeling manifesto:

* To challenge our community of service management professionals to look at things differently and to embrace the future
* To challenge us (itSMF USA, and to a lesser degree, the entire itSMF international community) to improve and stay relevant
* To challenge themselves and explore what should come out of this group – what should come next

This is interesting – a brief to look at things with “a fresh set of eyes”, equivalent in part to the spin-out group described in Clayton M. Chrisiansen’s “The Innovator’s Dilemma”, assembled as an independent, fresh entity to avoid the challenge of responding to disruptive influences from an established, mature and successful market position.

Companies that have tried to develop new capabilities within established organizational units also have a spotty track record, unfortunately. Assembling a beefed-up set of resources as a means of challenging what an organization can do is relatively straightforward… Too often, however, resources such as these are then plugged into fundamentally unchanged processes, and little change results…

A separate organization is required when the mainstream organization’s values would render it incapable of focusing resources on the innovation project.

I’ve signed the pledge. I think the intentions seem very honourable, and the problems identified by the group are real, if somewhat loosely stated. Many of the principles seem spot-on: it’s certainly my view that too much of the information that should help us to drive our industry is hidden behind paywalls and accreditation schemes when it should really be a public resource.  My views aren’t fully formed, but nor by its own acknowledgement are those of the Service Management Congress itself.   It doesn’t seem self-evident to me that this structure will work, but it seems a good thing to explore and develop.  At this stage, I have a few key hopes:

I hope that a broad set of ITSM people are able to feel “ownership”: The initial signers and many of the follow-up pledgers are pretty familiar names within the industry: high-profile bloggers, tweeters, and presenters. It’s an impressive set of names, but we do need to bear in mind Rob England’s astute observation that “there are over two million people with an ITIL certificate. I guess quite a few of them are ITSM practitioners in one form or another – even if they wouldn’t call themselves that – let’s say a million. So a few thousand have read the SMcongress stuff and a few hundred have put their names on it“.  If this is perceived, even if very unfairly, as a talking shop for some “usual suspects”, it won’t get near any critical mass.

I hope we remember that ITSM doesn’t suck!:  There is plenty of room for improvement, but we have great people in this sector, and we’ve build something effective and successful. It needs to grow, and adapt, but that doesn’t mean everything thus far is a mistake.

I hope the approach is outside-in: This is not an “iPad” moment, where (to paraphrase Steve Jobs) we are creating something our customers didn’t even know they wanted. Great practice will come from real life, and there’s plenty of it out there. We can’t design it from scratch in a meeting room. Anyway, I’m a Product Manager, so I have to say this.

I hope that its ideas are genuinely transformative, but I don’t think it needs to create a revolution: ITSM is a mature framework in a rapidly shifting environment. Is ITIL adapting quickly enough to remain a dependent and definitive standard? There’s obviously doubts and concerns about that.

My own view is that our customers have become comfortable and familiar with a set of tools and practices and interactions provided by their consumer technology that has set the bar much higher in terms of their expectations for the workplace. Upstart providers like Uber, who I have written about previously, have taken century-old customer interactions and transformed them to the extent that traditional providers face disruption out of their markets.  Internet-enabled cloud services have taken aspects of technology that were completely within IT’s domain, and offered them to anyone with a credit card.  This presents both a danger of irrelevance, and a gulf in governance, and ITSM needs to address those issues urgently.

If our established frameworks can’t do that quickly enough, we need a rapid innovation.  But is it realistic to change everything? It feels more pragmatic, initially, to find some great ideas that can fold back into the broader ITSM discipline, bringing genuine improvements without trying to eat the whole elephant in one go.  Our stakeholders, to whom this transformation ultimately has to be sold, won’t accept a message that says “everything changes right now”

I hope that we don’t just do this:
XKCD cartoon -
(see also: camel/horse/committee)

I’m looking forward to engaging, and I’m looking forward to watching things develop. It’ll be interesting to revist this subject in a month or so.

itSMF UK and the mysterious case of the missing Asset Managers

logo of the ITSM13 conference

Something is bothering me.

When I first looked at the agenda for the 2013 itSMF UK conference in November, what stood out for me was a glaring omission: where is the IT Asset Management content?

First, let me state: It’s a really good agenda, full of really interesting speakers, and I will certainly aim to be there. I’ve been privileged to work in the the UK ITSM sector for the thick end of two decades, and many of the names on the agenda are people i feel lucky to have worked and interacted with.

If you can, you should definitely go.

However, the lack of any ITAM focus, across more than 40 presentation sessions, is strange. If we want to understand our business services, we have to have a grasp on the assets underpinning them. The nearest this agenda appears to get to that is an interesting looking session on Supplier Management – important, but only part of the picture, and again, something that doesn’t really work without a good knowledge of what we are actually buying.

It took ITIL a while to come to the realisation that an asset is relevant in more ways than being just a depreciating item on a balance sheet, but version 3 finally got there, and then some:

“Service Asset”, according to ITIL v3: Any Capability or Resource of a Service Provider. Resource (ITILv3): [Service Strategy] A generic term that includes IT Infrastructure, people, money or anything else that might help to deliver an IT Service. Resources are considered to be Assets of an Organization Capability (ITIL v3): [Service Strategy] The ability of an Organization, person, Process, Application, Configuration Item or IT Service to carry out an Activity. Capabilities are intangible Assets of an Organization.”

So… we consider our service-underpinning capabilities and resources to be our assets, but we don’t discuss managing those assets at the premier conference about managing the services? More importantly, we offer nothing to its increasingly important practitioners?

As long as ITAM is only discussed at ITAM conferences, and ITSM keeps up the habit of excluding it (this isn’t universal, mind: this presentation by Scott Shaw at Fusion 13 seems to hit the perfect message), then we risk looking disjointed and ineffective to CIOs who depend on the complete picture. To me, that’s pretty worrying.

(Footnote: I did submit a speaker proposal, but this isn’t about my proposal specifically – I’m sure lots of proposals couldn’t make the list)

Gartner’s London summit message: Make ITAM important!

Gartner’s IT Financial, Procurement and Asset Management rolled into London last week (11th and 12th September 2013), and promptly kicked off on an ominous note: Stewart Buchanan’s opening keynote warning that certain roles in IT, including that of the IT Asset Manager, risk becoming obsolete.

As the two day event progressed, however, it became increasingly clear that Gartner’s analysts don’t see ITAM as a complete anachronism. It is important, however, that it evolves with the technology and practices around it. Asset Management needs to become a key strategic tool to the business. For those of us who have been blogging on this theme for some time, and who have witnessed the best ITAM professionals in the industry delivering huge results from this approach, it is great to hear Gartner emphasising it so strongly.

Research Director Victoria Barber stressed the power of a strong “symbiotic relationship” between the Asset Management function, and IT’s financial controllers. “Finance needs to understand how it can leverage the data from Asset; Asset Management needs to understand how to support it”.

Barber’s fellow Research Director Patricia Adams described the evolving role of the IT Asset Management team in an increasingly virtualised environment. By Monday morning, she advised, the ITAM team should ensure that it is part of the process for spinning up a virtual machine.

Moving forward, Adams continued, they need to be aware of emerging technologies and preparing for potential adoption. This needs good awareness of what is going on in the business: “You want to make sure the asset team has the skills to work with the config team, to work with the virtualisation team, to understand what those teams are doing”.

As Buchanan concluded in a later session, companies should “use ITAM to continually improve and optimise both IT operations and the business use of IT”.

To this audience, at least, Gartner’s message is an encouraging one.