A Techie in Utah

July 29, 2006

CIOs grapple with new complexity

Filed under: Resource Management, Software Compliance — techieinutah @ 12:18 am

Here is a ComputerWeekly

As enterprise software markets mature, many suppliers are generating more of their revenue from existing customers than from new sales.

“To maintain their growth, suppliers need to maximise revenues from existing business rather than chase new contracts. It is up to IT directors to ensure that they select and manage the most appropriate licence model for their business, rather than adopt an unsuitable and costly alternative.”

pointing out that vendor audits are on the rise…

Bill Monk, director at compliance consultancy LOCS, said, “Recently there has been a lot more pressure from suppliers to conduct software audits or ensure that the customer is paying what they are supposed to be paying.”

pointing out that the “software police” are out there…

As part of this supplier push to make firms meet their obligations, anti-piracy software industry groups such as the Federation Against Software Theft and the Business Software Alliance have been promoting the use of software asset management tools.

I don’t agree with the next statement though…

But Monk said this was not necessarily the answer. “In my experience, there are not that many tools out there that will do the job,” he said. “The output generated by asset management software generally needs a lot of filtering and massaging before it can be put to use.”

Ah… then how are you supposed to figure out what you own? You need to have an asset management tool to get an inventory, collect software usage information and to help with the software reconciliation process.

If you choose the wrong inventory tool, then yes, you do have to do a lot of post-processing to the data to clean it up and make sense of it. That is why you need a tool that does something more than grab all of the file header information about the executables on a machine.

But even if I did have a tool that took a lot of work to get useful information out of it, that is still better than NOT having the information to begin with.

They briefly mention the new ISO 19970-1 standard for software asset management…

Monk said a potentially more useful development was the release of the first part of the ISO 19970-1 standard for software asset management. “It has its shortcomings, mainly because so few software suppliers have signed up for it, but once it goes through several iterations it should plug a gap,” he said.

I think this is a good step forward, but I would ask Mr. Monk a quick question… you think this is potentially useful for people, but the spec says you need to have an inventory – so you must need an inventory tool in order to do it?

I do agree totally with the last piece…

“For small and medium-sized enterprises in particular, what is really good is that it sets out the processes and procedures firms need in place to do things properly. In other words, it tells you how to buy, approve, install and manage software – and a lot of firms need that kind of guidance.”

There is no tool out there for fixing broken processes, and that is the biggest issue I see: most companies don’t have a firm set of policies and procedures in place. Or, if they do have these defined, not many of them actually enforce them.

July 21, 2006

My Space Spyware

Filed under: Uncategorized — techieinutah @ 3:59 pm

Since My Space is one of the most popular sites on the ‘net, I would have to assume at least one or two people in your organization might visit the site on occasion. If they did so recently and your machines are not patched, you might have a problem.

An online banner advertisement that ran on MySpace.com and other sites over the past week used a Windows security flaw to infect more than a million users with spyware when people merely browsed the sites with unpatched versions of Windows

From The Register

The attack exploited a Windows Metafile (WMF) exploit, fixed by Microsoft in January, to infect vulnerable Windows machines with malware from PurityScan/ClickSpring family of adware. The malware surreptitiously tracks internet usage while bombarding infected users with pop-up ads.

July 18, 2006

Exodus of Windows 98

Filed under: Endpoint Security, Resource Management — techieinutah @ 4:44 pm

Here is a PRWeb story about the end of life for Windows 98 highlighting the need for an asset management program. I’m always a little stunned by how many corporate customers I visit are still running Windows 98 in their environment, sometimes because an application relies on it, but a fair number of times it is just because they haven’t bothered to upgrade their machines.

If Microsoft can’t get people off of Windows 98 in the corporate environment, how easy do they think it is going to be to get them to move to Vista? This is going to be a huge change for them. Odds are they have a large block of machines running 2000 or XP, but still it makes you think.

I do agree with this statement…

“This situation highlights the importance of really understanding what your corporate assets are and how they are used,” explained Szablowski. “Without a clear picture of the downstream impact of an operating system, including the software and the business functions that will be impacted, you cannot prepare appropriately for the change.” To upgrade Windows 98 to Windows XP, an analysis of RAM was required to determine the number of machines that required an accompanying hardware upgrade. “Unless you can hone in on the systems affected, you are stuck upgrading everything. The money wasted on even one botched upgrade project cost-justifies IT asset management.”

Leave Your Thumb Drives at Home

Filed under: Endpoint Security, Security — techieinutah @ 4:31 pm

A short story from Canada about companies telling their employees to leave any USB thumb drives at home, because they are worried about data theft. Plus 30% of the companies have banned MP3 players altogether from the office.

I hadn’t heard this before, but they said they are also banning personal laptops from the office too. I really didn’t think about people bringing their own computers to work before, but now that laptops are outselling desktops, I guess it makes sense that people would start bringing these machines to work with them.

July 17, 2006

Data Security and a $2 Billion dollar business

Filed under: Endpoint Security, Security — techieinutah @ 9:16 pm

While this is good news for security vendors .

…outbound content compliance” and predicts sales will grow from $50 million this year to almost $2 billion by 2009.

That isn’t the real reason I linked to this story, but money always grabs people’s attention. This story is basically talking about securing your data and that this isn’t done at the firewall only anymore, you need to protect yourself from the inside.

It’s all about the outbound content, a nice word for information:

  • companies are moving from firewalls that keep external intruders out to systems that keep proprietary data in
  • security technology needs to prevent insiders from exporting inappropriate data
  • In the past, outbound content was mostly in the form of e-mail messages. Now many employees carry sensitive information on mobile devices.

I don’t like this fact too much…

In a recent study by Deloitte Touche Tohmatsu, more than half the technology companies surveyed said they had had security breaches in the past 12 months, and most of them admitted they had not taken aggressive action to prevent future incidents.

Unsecured instant Messaging

Filed under: Endpoint Security, Security — techieinutah @ 9:06 pm

Symantec has released some information on how corporations are securing, or more importantly not securing, their instant messenger tools.

Symantec Corp. surveyed 400 CIOs on their organizations’ IM security policy, and found that 57% of them had no security or availability policies for their IM systems. The survey also found that only 22% of organizations archive their employees’ IM messages, a serious oversight that can lead to the leakage of confidential data or other sensitive information.

I’m surprised by the 57% number; I actually thought it would be much higher. Almost no one that I talk to has secured their IM tools; since a lot of places give their employees administrative rights, they can install whatever they want – Yahoo, MSN, AOL, etc…

This was an interesting, or alarming, number depending on how you look at this…

The results of the survey are especially surprising considering that the number of IM threats increased by more than 1,600% from 2004 to 2005, according to statistics gathered by Symantec. Last year the vendor recorded a total of 2,400 unique IM threats.

July 16, 2006

Powerpoint Flaw

Filed under: Patch Management — techieinutah @ 7:45 pm

There has been some news lately about several Excel issues, while now it is PowerPoint’s turn in the spotlight. I hadn’t really sat back and thought about the Office exploits very much, I just sort of assumed it was business as usual (which is a sad statement in itself), but then I saw this short news story…

As Security Fix and others have noted, some of the work Microsoft has done in hardening the security of the Windows operating system has forced the bad guys to look for lower-hanging fruit in applications that run on top of Windows, so we may see more Office flaws under attack.

That makes total sense: before, the OS was the easiest place for people to attack the system, but now that Microsoft is starting to pay attention to the OS holes, the people looking to attack your machines are just moving on to another MS product.

Of course I like the small mention at the end of the story about OpenOffice.

July 14, 2006

Microsoft is going to offer a SAM toolkit

Filed under: Asset Management, Software Compliance — techieinutah @ 8:46 pm

In another effort to help people realize software asset management is critical for a business, Microsoft is going to be offering a toolkit.

The Software Asset Management (SAM) Customer Toolkit will begin customer testing in the next two weeks and is due for a full release at the end of July or early August. It will comprise a set of templates to help buyers measure their usage, understand licensing terms and choose appropriate tariffs.

“A company might have taken on 50 new employees over the course of a year and then panic kicks in [over understanding licensing requirements],” said Ram Dhaliwal, Microsoft licensing marketing manager. “With SAM, you can get a simple view of what you’ve got and what you need to do.”

Another Microsoft SAM Story

Filed under: Resource Management, Software Compliance — techieinutah @ 8:22 pm

Here is another story about Microsoft and software asset management. In this story Microsoft is saying that a SAM program isn’t an audit, which is something I totally agree with. But the way in which Microsoft is going about this really seems like an audit.

What I am taking away from the story is basically this… Microsoft mines a lot of the software purchase history to see what people own, if they notice some irregularities in the information they find, they will contact you, offer to have a third-party come in and help you figure out what you really have installed and what you really own.

So Microsoft is trying to talk people into a Software Asset Management program, because Microsoft is our friend, via a sort of intimidation process. That is where I don’t agree with what they are doing.

There is so much you can say about this, read the whole story.

Microsoft Exec Downplays Compliance

Filed under: Asset Management, Software Compliance — techieinutah @ 8:08 pm

Maybe someone at Microsoft is listening to me ;-) For months I have been talking to people about software license compliance and the value of software asset management, telling them that an effective SAM program will result in being software compliant. But software compliance is not the only reason to implement a SAM project.

Now it looks like one of the Microsoft executives is saying the same thing…

Rivera is now adamant that SAM is not about license compliance. “Compliance,” he said, “is a byproduct of software asset management.” Rivera discussed the role of SAM in an interview with Computerworld.

I like the fact that he also talks about the need to educate people on SAM…

But it’s part of the whole education that we have to do in the field as well around what SAM is and how to educate on SAM.
