Following on from our previous blogs in our ITAM 101 series, we’re at a point where – now we understand the IT asset management (ITAM) basics and have our business case in order – we can get started with our ITAM project (notwithstanding the ITAM quick wins covered in my first blog).
Progressing Your Business Case Following Approval
No matter how comprehensive your ITAM business case, there’ll always be questions and challenges – so it’s useful to be prepared for them in advance. Here are five of the most common challenges to ITAM project proposals and suggestion on how to respond:
- We don’t have money. Talk about the money wasted on fines from being under-licensed, money wasted on over-licensing, not getting the best deal at contract renewal time, or not being able to keep track of all the assets on your estate. That ITAM can help save money by putting you in a stronger negotiating position come renewal time (as you’ll actually know what you have) and will also enable you to re-harvest licenses and equipment where appropriate. ITAM done right will save your business money.
- We don’t have the time. Talk about the time wasted on manual processes, duplication and rework, physical stock taking, or panic preparations for an audit. Then there’s the time wasted going through multiple processes for requesting new IT hardware and software, as well as the time taken to find license and support information because nothing is standardized or centralized. ITAM saves you time too.
- We can’t afford an expensive tool. Doing nothing is not an option. Not ethically, financially, or legally. So, what can you do? Well, firstly not all ITAM tools are expensive. But, appreciating that ITAM might need to prove itself before an investment is made in a tool, you can start with what you have – service desk data and network monitoring/discovery tool data. It’s not ideal but at least it gives you a way of tracking the hardware and software assets on your estate, and a starting point you can build on to justify a fit-for-purpose ITAM tool investment.
- We can’t afford expensive consultancy. Effective ITAM isn’t the easiest thing in the world to implement but this doesn’t mean you need to spend a fortune on consultancy. If funds are limited reach out to your localitSMF or ISACA chapter as both organizations can provide real-life best practice material and put you in touch with other members from whom you can learn.
- We have other priorities. ITAM isn’t seen as the most high-profile of IT processes but it’s critical in your efforts to manage, control, and protect your IT environment. The argument to be made here is how can meeting our financial, legal, and ethical obligations not be a priority? And why would we want to sell out business stakeholders short by operating suboptimally?
Once you’ve got pan-business buy in (as described in my earlier blog), gather and confirm your ITAM requirements by setting up workshops with your key stakeholders. Engage with both IT and the rest of the business so that nothing is missed or left out. If you have an internal risk or audit department, now is the time to befriend them as they’ll have the most up to date regulatory requirements you need to adhere to such as SOX, IL4, or Basel 3. As well as any industry standards, such as ISO 19770, ISO 20000, or ISO 27001.
Plan what you want to cover carefully. Do you want to cover all production assets? What about test, development, and disaster recovery (DR) environments? Whatever scope you agree, make sure it’s included in any service level agreements (SLAs), operational level agreements (OLAs) or underpinning contracts so that you’ve documented what you’re working to and can hold the right people accountable.
Look at your DML (definitive media library) and HS (hardware store) so that you have a central point for all hardware and software. This ensures nothing can be misplaced and all support information is stored centrally and backed up. Having dedicated ITAM repositories in place also means that end users know what hardware and software is approved and available to them.
The policy stage of your ITAM project is a key step in ensuring that it’s effective – so it needs to be clearly defined, communicated, enforced, and managed. The ITAM policy needs to be tightly aligned to business goals and the right balance between flexibility and risk needs to be found.
Every organization is different – so a financial institution or government agency will have very different requirements to say, a small tech start up. So tailor your approach accordingly.
When writing your ITAM policy, use the standard format used by your business for a consistent look and feel so that it’s easy for people to find the right information. Standard things to include in an ITAM policy will include guidelines on asset management, dos and don’ts, where to go for further information, and will take into account the organization’s size, user requirements, staff mobility, use of mobile devices, and organizational structure. Your policy should be made available to all staff and be reviewed annually to ensure it stays fit for purpose.
Training and Communication
The right levels of training and communication will help to ensure that your ITAM processes are followed effectively. In terms of communication, attend every team meeting, management huddle, and all hands call you can get invited to. Get people onside at these forums so that they know how beneficial ITAM can be – to them and the business – and reassure them that they won’t have to go through lots of red tape just for the sake of it. If you have an internal communications team then use them – ask for messages on the company intranet or even a leaflet drop on desks.
There’ll be multiple types of training to consider for example:
- End user training
- Service desk training
- Support team training
- Procurement training
- Subject matter expert training
For your ITAM team there’s lots of practical courses out there that can help too such as ITIL SAM essentials.
So hopefully you’re good to go – you’ve gathered your requirements, confirmed your scope, got buy in, and have written up your policy, process, and procedures. If you’re really lucky you might even have a dedicated ITAM tool so that automation is possible. You’ve socialized your ITAM process with support teams, ensured everyone has been trained, and you’ve communicated the go-live date.
So deep breathe time, go for it! Trust yourself, this is just the beginning, something you can use as a springboard to make real improvements to operational stability over time.
You need to have some form of ITAM mission statement. It doesn’t have to be fancy but it does need to be a statement of intent for your team and your processes. An example of an ITAM statement could be “To manage, control, and protect all IT production assets in our estate to deliver better business outcomes.”
Next comes the critical success factors (CSFs) – these look at how you achieve your mission. Examples CSFs for ITAM include:
- To ensure all IT asset spend and use is optimized, with waste minimized
- To ensure all production IT assets are under the appropriate change control and that no unauthorized change take place
- To ensure that all production IT assets are protected by ensuring only authorized hardware and software are used
- To ensure that all software audits are passed
Finally, we have key performance indicators (KPIs). These give you the detail of how you’re ITAM is performing at the day-to-day level and act as an early warning system such that, if things are going wrong, you can act on them quickly. Example KPIs for ITAM include:
- Increase in the production IT assets accounted for via your ITAM process
- Reduction in audit findings
- Reduction in unlicensed software
- Increase in inventory accuracy (be careful with this one though – you might have an accurate inventory but do little to benefit from it)
- Reduced service total cost of ownership (TCO) due to savings made
Getting started with ITAM is just the beginning. It allows you to get the basics in place, ensures that the business requests and uses IT assets in the right way, and ensures that the right controls are applied to your live environment. Come back for future blogs on best practices around the day-to-day running of your ITAM processes.