Four Steps to Manage Software Risks

Jodie Kelley


October 1, 2015

software management risk

Advances in software development and technology have given us the freedom to embrace new opportunities and innovate in ways people could only imagine just a few years ago. From how we store information to how we run a business to how we communicate, software is helping improve our daily lives in many ways.

But the fast pace of technological advances brings its own set of challenges. The cost of dealing with cyberrisks like data breaches and malware is staggering—and rising. As a result, corporations struggle with how best to protect themselves.

Every business today has multiple entry points, and everyone who touches a company’s network can add or detract from its risk profile. There are concrete steps companies can take to mitigate their risks, however. A recent International Data Corporation (IDC) study suggests a simple but absolutely critical first step: understanding what is in your own network, and ensuring the software you are running is genuine and fully licensed.

This step is particularly important given IDC’s finding that the existence of counterfeit and unlicensed software in an IT network correlates very highly with the presence of malware in that environment. Other risks lie in legacy IT infrastructure and in the procurement and use of unlicensed software. Overlooking whether software is properly licensed increases your vulnerability, plain and simple.

Thus, a number of organizations, including the Committee of Sponsoring Organizations (COSO) and the National Institute of Standards and Technology (NIST) have called for the implementation of strong software asset management (SAM) practices. The revised COSO Internal Control-Integrated Framework (2013) now includes a recommendation that companies adopt internal controls related to verifying the legal use of technology, including software license compliance. The NIST Cybersecurity Framework recommends that organizations identify and inventory both hardware infrastructure and software platforms and applications. These frameworks provide a practical approach as companies focus on protecting against cyber incidents, and highlight SAM as a key component of that strategy.

Global standards for software asset management can provide guidance. Risk managers can look to the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) standard 19770-1 for best practices in tackling the challenges around SAM. The ISO SAM standard was designed specifically to provide actionable steps to help companies manage and monitor their software assets. Its four-tiered approach provides a holistic guide to help companies improve their software controls.

Step 1: Know what is in your network and conduct an assessment of the software you are running. Managing internal risk is as important as managing external risk when it comes to software. Gather and maintain reliable, consistent data that can be used to assess whether the software in your network is genuine and properly licensed. In addition, determine whether or not all users have correct licenses to use the software. This will ensure that a major problem is not already sitting in your network.

Step 2: Consider current and future business needs and align to the right licensing model. When allowed by the vendor, re-using business licenses can help cut costs. Consider new forms of licensing that may be more cost-effective for your organization, such as cloud-enabled subscription licensing models. You can also ensure you are getting the appropriate value for your expenditure by making better use of maintenance clauses in your software license agreements.

Step 3: Put policies and controls in place to manage the lifecycle of your software. Manage the lifecycle of your software by ensuring you have policies and controls related to the procurement, deployment and retirement of software. Having licensed, genuine software ensures you receive the updates, patches and support needed to protect your systems and their data. It is critical to implement these updates and patches immediately to maximize their deterrent value. Remove software quickly from retired hardware and properly redeploy any licenses within the business.

Step 4: Integrate SAM practices throughout the entire business. All departments and employees should know they have a role in effective SAM. This is particularly important given the increasing use of personal electronic devices in the workplace. Incorporating SAM practices into your existing internal control environment across the entire business will maximize benefits and help guard against cyberrisks.
Jodie L. Kelley is senior vice president and general counsel at BSA | The Software Alliance, which pioneers compliance programs that promote legal software use and advocates for public policies that foster technology innovation and drive growth in the digital economy.