Manage software assets to manage cyber threats

Mark Aurelius V. Bantay

Taxwise Or Otherwise

Software licenses comprise a huge chunk of the annual IT costs of an organization. However, in most cases, they are also investments that are improperly managed and tracked. As a consequence, a majority of organizations fail to realize the optimum benefits from these software licenses. In fact, due to their intangible nature, software licenses are often neglected or utilized only for their basic purpose.

With the huge pressure on IT management to cut down costs and rationalize IT expenditures, there is a growing trend to institutionalize a process that aims to manage software licenses. This process, known as Software Asset Management (SAM), has been established as part of the broader scope of IT Asset Management (ITAM) to integrate the policies, processes, technology, and people for managing software assets.

Aside from the more obvious reason of minimizing legal and contractual risks that may arise from the use of unlicensed software, companies that have implemented SAM across their organization have reaped huge benefits, particularly in the areas of cost control and IT security.

With an effective SAM in place, an organization gains better understanding and visibility of its software environment, thereby minimizing redundant license purchases. For example, it is in a better position to identify excess entitlements, which enables it to reallocate resources more efficiently to address future requirements almost on a real-time basis.

Furthermore, companies can obtain valuable insights to work towards standardization and identify if their existing software portfolio aligns with their business needs and direction. Better budget predictability is also established while unplanned significant license purchases are minimized. Another subtle benefit of SAM is gaining more negotiating power with software vendors by taking advantage of volume discounts.

With respect to IT security, SAM supports the logic that you can’t protect what you do not know. Hence, organizations must make it an imperative to have visibility over the assets they want to secure. A 2013 study by a global software company noted that 63% of unlicensed or pirated software contains malware programs. The proliferation of pirated software on the Internet, coupled with poor SAM practices (e.g. indiscriminate download and installation of software), exposes organizations to various security risks.

SAM is a critical aspect of an organization’s security program particularly because software is a primary target of cyber criminals. Often, the intrusion goes unnoticed for a long period and it is very difficult to trace the infection back to its source. With the growing threats to IT security, various regulations have been issued to ensure that an effective SAM is in place to mitigate the risks. One good example would be Circular No. 833 issued by the Bangko Sentral ng Pilipinas (the central bank of the Philippines that functions as the country’s central monetary authority) which provides additional guidelines on software acquisition for BSP Supervised Financial Institutions (BSFIs). The specific regulation mandates BSFIs to establish formal guidelines and procedures on the installation, use, maintenance, and retirement of acquired software.

Implementation of SAM depends on the size and complexity of the IT software environment of the organization. It can vary from adopting manual spreadsheet monitoring to sophisticated tools capable of doing license management, inventory and discovery, and data center management. Other SAM tools can even expand the scope to include mobile device management (MDM).

However, SAM is not only about selecting the appropriate technology. More importantly, it involves defining and establishing the right policies, procedures, and organizational structure to support the organization’s SAM operating model. Organizations that have yet to adopt SAM, or even those that have a SAM process in place, can benchmark their SAM program against industry standards such as ISO 19770-1, CMMI, etc. The primary objective is not to gain certification or become the best in class but to be able to establish and sustain an optimal SAM program relative to the company’s assessment of the associated risks and rewards.

While SAM is a relatively new practice in the Philippines, the rise of various cloud technologies has changed the entire SAM landscape, making it even more complex yet essential. There are even IT vendors that offer programs with a focus on software discovery and inventory, and high-level SAM maturity assessment.

SAM, as part of ITAM, must integrate policies, processes, technologies and people to effectively manage software assets. Hence, management must take the initiative in fully operationalizing governance for SAM. Chief Technology Officers must include SAM in their annual list of priorities. Ideally, companies must also have IT personnel who are well-versed in software license rights and limitations, as this would allow them to maximize the benefits from their software assets.

The views or opinions expressed in this article are solely those of the author and do not necessarily represent those of PricewaterhouseCoopers Consulting Services Philippines Co. Ltd. The content is for general information purposes only, and should not be used as a substitute for specific advice.


Mark Aurelius V. Bantay is a manager with the Forensics Consulting practice of PricewaterhouseCoopers Consulting Services Philippines Co. Ltd., a Philippine member firm of the PwC network.

+63 (2) 845-2728 local 3236