When I was raising money for startups, I remember VCs asking me two questions. Do I have a company or a product? And do I have a pain pill or a nice-to-have?
Of course, I said I had a pain pill. But they persisted by asking me about how big a pain I was solving and what the consequences are for not solving the problem. This effectively is the question that I asked CIOs in the weekly #CIOChat Twitter chat. Their answers should be enlightening to all concerned with ITAM.
How important is knowing/discovering the state or health of IT assets?
In a non-cloud world, CIOs say that IT leaders needed to be designing around failure and scaling. For this reason, it was important to know the health of business services, and to take out individual broken components. But in today’s increasingly cloud-based world, CIOs say you may not care quite as much about this problem.
With this said, CIOs do believe it remains a best practice for IT leaders to know the fundamentals that drive service levels and, in turn, drive business service delivery. Monitoring tools for infrastructure and software performance allow IT leaders to capture real-time feedback and make critical automated decisions to enhance or protect business services.
Importantly, IT today should not focus only on the IT assets it owns. Given the proliferation of devices coming into enterprises from employees, customers, and partners, it is important to monitor all endpoint devices. At the same time, CIOs are clear that ITAM gets more complex when you add SaaS and PaaS vendors and their stacks. There’s clearly a deep rabbit hole when you try to monitor and manage them, but the fact is they’re part of your infrastructure too! A cloud service provider outage can take out unexpected service components.
One CIO said let’s use humans and their health as an analogy. If you don’t know the state of your personal health, how can you ensure your longevity? The complex question is how do you get visibility into a hybrid/complex infrastructure? And do you still need it? Should you monitor service health and user experience instead? CIOs say that IT leaders need to be more proactive regarding service health. It’s much better to find out the potential issues before disaster strikes. Correcting an issue prior to catastrophic failure is more cost effective and less impactful. CIOs, for this reason, need to do an annual IT health check.
However, CIOs stress that one of the fastest ways to get your operations folks to grumble is to kill them with too many alerts. One CIO said that they had a very senior, very talented, and very grumpy application administrator walk into their office and share 1000 emails they received because everything alerted during planned downtime. It was time, clearly, to adjust how things are managed. However, one of the fastest ways to make business leadership grumble is to miss a critical one! It’s a careful balance. If everything is an alert, nothing is monitored as it just becomes noise.
In the public cloud era, is it important to track asset location and usage within public cloud vendors?
CIOs say the answer depends. If you’re scripted and designed to not care, then it is an “is my stuff working and what is the spend” question. If you’re hybrid or more traditional, then you need to leverage asset tracking more like you used to or should have. You can’t secure what you don’t know about unless you want to be the recipient of a shockingly high cloud bill. You need to continually track usage in the cloud. CIOs suggest that IT leaders should be managing to the extent vendors enable such granularity. Clearly, this depends on the organization’s size and scope and the power they can bring to the negotiation table.
ITAM for Financial Stewardship?
CIOs say that ITAM remains an important element of financial stewardship. They say organizations are increasingly moving from datacenter sprawl to cloud sprawl. Public cloud services are an OPEX charge and, left unattended and unmonitored, they can become a costly mistake, especially for CIOs that need to make EBITDA targets.
Meanwhile, the question of where your stuff is can have business implications, especially if you have sensitive data that must stay within a particular country. CIOs asked me here: have you ever tried to figure out the dependency map for your cloud service providers? It’s enough to drive you crazy if you dig deep enough. One CIO said they prefer to track location, usage, performance, etc. when available based upon the contract. They also want to have knowledge of the entire environment so that during contract renewal or replacement they can make informed decisions.
How important is being able to onboard and offboard IT assets in an automated way?
CIOs say that automation can help ensure the process is properly completed and logged. Manual efforts around ITAM remain prone to issues. And then there is the underlying hard stuff, like what monitors the monitoring monitor?
Most automated processes require an occasional review by humans. In short, eliminating human error is important as is speed, but it is important to acknowledge that equipment and software make mistakes too. That’s why an audit log is a requirement for automated processes; it allows for review. If you’re using IaaS, the abstraction layer is a big part of the reason for doing it. Inventory control for this world should be close to automatic today.
The fact is that many vendors count on customers not analyzing their usage and payments. It is the difference between audit logs and auditing logs. If you have a reasonably secure means of keeping a copy elsewhere, then you are making sure you have a trackable history. CIOs believe this may be a good problem area for blockchain to be applied.
Are the SANS 20 requirements a major driver?
CIOs say yes, if it is your compliance benchmark. They add, however, that adopting SANS blindly, or not adapting your own standards to what you’re doing now, is one of those “maybe you should think about it a bit more” moments. CIOs think that IT leaders should consider what compliance standards make sense now that they are using cloud systems. They also need to determine how they will modify benchmarks as things change. Once public cloud providers allowed anyone with a credit card to quickly provision a server or a service, many CIOs lost the ability to track and report on unauthorized systems. CIOs should partner with the CFO to understand these one-off charges to identify and secure the business.
In an era of BYOD, should personal assets be part of the inventory and their software policed?
In the era of cloud services, do BYOD devices matter from an inventory perspective? Should they? It’s possible to build trust boundaries and tooling to make this less of a problem, but it’s expensive and may not match a company’s threat/spend model.
CIOs say that they must be if they have corporate data; there can be no exceptions to the rule. They are part of inventory by default when you put mobile device management tools on them. It is a different inventory than company-owned, but still inventory. If it’s on your network, you can get a lot of information via your NOC. Thanks to mobile device management solutions, it is relatively cost effective to secure and monitor all devices. IT must protect corporate data regardless of who owns the device. Don’t prevent users from working just because you don’t own the device. Allow them a secure option to work.
With litigious legacy software vendors, does it remain important to track software usage and licenses?
CIOs agree. Audits are a revenue stream for stalled traditional enterprise software companies. Every license needs to be tracked for this reason at a level that makes sense for the company. Not just for litigation purposes, but for basic management. You also need to make sure you understand who owns the data and what will be done if a breach occurs. You want to track and monitor usage prior to any audit. It’s not a matter of if you will get audited but when you will get audited. One CIO said that they recently had a very large database company push for an audit when they don’t even use their products.
It seems clear ITAM continues to be relevant as a category. However, things have changed from the pre-cloud era. Today, ITAM is less about counting assets and IT financial management and more about security and compliance.