Quantifying IT resource needs
Many organizations deal with the challenge of software license provisioning by over-purchasing relative to need. They often have poor visibility of how many licenses are needed for any given application, and in some cases simply purchase a copy for every user in Active Directory.
In considering the amount of money that can be wasted through over-provisioning, it would seem reasonable that an organization’s governance framework should include oversight of how the organization manages its IT resourcing. This doesn’t mean involvement in decisions regarding platforms and applications, but involvement in how those decisions are taken. What is the process that leads up to any significant IT investment? Who participates? Who reviews usage from time to time to check alignment with perceived need?
License Compliance – so easy to assume
Another aspect of IT that GRC teams may be unaware of until it’s too late is the punitive damages that can be awarded to software vendors if they can prove the organization is under-licensed. GRC should have at least oversight of IT’s license compliance management activities and tools, and a role in cross-examining IT to make sure the provisions are strong enough.
Data Security – GRC is already involved with IT
Data security has been a high-profile IT-related topic in GRC for a long time, but the technology is so specialized that it is reasonable for a GRC team to defer to the expert opinion of their in-house data security specialists, rather than developing enough expertise to be able to assess what the specialists are doing.
So GRC is already involved in monitoring the management of IT-related risk, but to date I’ve never come across a connection between IT asset management and GRC. Is this because IT is still the ‘black art’ element of the organization? But IT resource provisioning is not as complex as data security. Perhaps it’s time for GRC’s involvement with IT to be broadened to include software license compliance and software asset optimization. What it needs is a Provisioning Lifecycle Management framework such as Connect to ensure there is enough diligence in how IT resource needs are assessed and fulfilled. A framework like Connect would provide the visibility of decision making and resource deployment that the GRC team would need to decide if financial waste was being minimized without compromising license compliance.