With software increasingly seen as a strategic asset and Software Asset Management (SAM) as a critical business tool, BSA is actively working towards educating Indian enterprises on the need for IT compliance and the risks associated with the use of unlicensed software. To know more about it, Dataquest spoke with Jodie Kelley, General Counsel and Senior Vice President, BSA. Excerpts:
Can you shed some light on the need for IT compliance for Indian enterprises in today’s scenario?
The need for IT Compliance for Indian enterprises and for enterprises all over the world has never been greater. I was speaking at a Compliance Week seminar in November and given that 2014 was labeled the year of the mega breach, what everyone there talked about was the need for security. The conversation now is not how you’ve been breached, but when are you going to be breached! Given the critical role of security in managing business efficiency effectively, the very first step is to understand what you have on your network and make sure it’s genuine and licensed.
Is security one of the major reasons behind the need for IT compliance?
It isn’t the only reason; however, it is a critical one. Our Verafirm certified customers such as KPIT Technologies, have experienced tremendous improvements in efficiency. So, in addition to security, there are lots of other business benefits of being IT compliant.
What are some of the tools that enable firms to manage software effectively?
There are lots of different tools and each company does it in a way that works for them. As an example, on our website, there are some self-diagnostic tools and the big four (auditors) have their own tools that can help companies understand what they have on their network.
However, as an essential first step, it is important to get a system in place that fundamentally tracks all software assets, takes a comprehensive review of a firm’s SAM policies, processes, outcomes and license positions. The ISO standard at a high level encompasses all the steps, but it works differently for different companies depending on the structure.
What are some of the risks associated with unlicensed software use?
So when you are talking about unlicensed software, there are two things that jump to mind. One is, just, that’s not genuine. More often than not, people go online and download software thinking that it’s genuine but it’s not. And there is huge risk associated with it because it could have any kind of virus or worm. But even when software is under-licensed and you use copies of it over and over again, these copies don’t get security patches and updates.
This not only creates vulnerability in your own systems, but if you connect to third parties that are vulnerable, you can also become exposed. There are conversations about the US retailer chain Target, which was breached recently. It is interesting to note that it was breached through its air-conditioning vendor, which was actually the company that was vulnerable, but they connected into their system.
But don’t you think that for small firms, going for licensed software is a little bit costly compared with using unlicensed software?
The cost of recovering from a data breach because of unlicensed software use, in terms of legal liability and reputational harm, costs a lot more to firms than the upfront investment made on software. These are interesting times where the method of delivery of software is changing and there are so many options including subscription models. So for those companies that don’t want to make an upfront investment, but instead want to pay a much smaller amount every month, that’s an option. And so if you’re a truly small business and you’re trying to get going, there is a way to get the protection and the efficiency of the real software without writing a big cheque.
What steps do you think a company should take to fill the IT compliance gap?
The first and the most important thing for any company is to take stock of its software assets and its license positions. The ISO 19770-1 standard lays out the steps and BSA also has a training program that we offer to help people go through it. Organizations can sometimes be surprised to realize that they did not even know what was installed on their network.
The next step is to manage your IT environment and figure out the procurement cycle. At a conference that I attended last November, a gentleman from PWC said that a recent audit had shown that 85 percent of people accessing the cloud in a company surveyed were doing it in a way that was unauthorized. Different companies tackle this in different ways. Some have locked down the systems so that people cannot get anything without going to IT. Some have come up with the technology solutions so people can get things, but there are authorized lists and managed distribution.
The idea essentially is to effectively track licenses, meter usage, handle patch management, and support software deployment till its retirement.
Can you please tell me more about the Verafirm Council for Constructive Partnership on Software?
Yes, we are very excited for that and it is one of the reasons that I am here.
The Verafirm Council for Constructive Partnership is constituted to promote strategic partnership between software vendors and enterprises by facilitating better understanding of each other’s concerns, positions, expectations and goals. This will be achieved by fostering open and constructive dialogue on all issues of mutual interest and hopefully address the biggest challenge faced by CIOs today – the complexity of software licensing and IT compliance. It is aimed at starting a broader conversation to make this easier and more streamlined for all stakeholders.
I am particularly happy that it’s happening in India because we piloted our first Verafirm Certification here and India is kind of leading the rest of the globe on that. These are all good indications. We are excited because in our kick-off session today, the Council was really engaged and was constructive about helping each other.