Software audits: an emerging trend?

With the economy bottoming out, members have reported a rise in software audits. Five or six members that I have talked with report that they have been audited three times in the past three quarters, whereas before that they had never been audited at all. While researching this issue, I found two data points that suggest it is gaining prominence:

  • According to FAST, the Federation Against Software Theft, audits among its members were up 20%, as reported in Computer Weekly and CNET.
  • According to our sister council, the Infrastructure Executive Council, heads of infrastructure are focused on getting a handle on asset management, including software licensing, to help them cut costs.

Is this a short-lived trend as software companies face a global slowdown in revenue, or is this a sign of things to come? Don’t get me wrong: software piracy is a problem that needs to be tackled, but will software vendors continue these audits when doing so may ultimately hurt their relationships with their customers? To me this looks like a trend that will change with the economy: as the economy improves, vendors will focus on revenue growth rather than software audits.

I have also faced another question: Is this truly a CISO responsibility? Who is responsible for tracking and managing software audits in the company? Buying the licenses should be handled through procurement, and installing and tracking them should fall under infrastructure. While I agree with those two points, CISOs are also responsible for this issue, because maintaining compliance with contractual obligations is part of their compliance responsibilities. In any case, CISOs should raise the flag in their organization and start thinking about the following questions:

  • Whose job is inventorying software use in the organization?
  • Whose job is responding to software audits?
  • Is this a temporary situation we can brute-force our way through, or do we need to get systematic about answering these?
  • Do we have relief in our contracts from these audits?
  • Does the cost of responding to audits shift the balance in favor of open source or SaaS?
  • Does virtualization further complicate this process? How do you keep track of installed software for license purposes: “sampling” or continuous monitoring?
  • Do you need to rethink the way you pay (i.e. is your payment prorated to the amount of time the software is in use (good), or do you pay per installation (bad))?