
Software Asset Management and Cybersecurity

Ritesh Tiwari, Partner, KPMG in India


Document Classification: KPMG Confidential

© 2017 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Contents

1. SAM – evolution and complexity

2. Cybersecurity challenges

3. SAM and Cybersecurity – Inseparable components

4. Continuous compliance and Security monitoring

SAM evolution and complexity


Software Asset Management

“All of the infrastructure and processes necessary for the effective management, control and protection of the software assets within an organization, throughout all stages of their lifecycle”

ITIL Best Practice guide - Software Asset Management

❖ SAM is NOT just about a tool

❖ SAM is NOT just about a one-time discovery exercise

❖ SAM is NOT just about PCs

❖ SAM is NOT just about IT


How software licensing has evolved

Timeline: 1999, 2002, 2003, 2006, 2007-08, 2011, 2012, 2014, 2017

Milestones shown on the slide:

- Salesforce.com – early start of the SaaS model
- Amazon Web Services
- Microsoft and IBM started reviews
- Google Cloud Platform (initial release)
- Most of the enterprises audited by one OEM
- Cloud becomes an integral part of the organization
- Cloud, BYOL and BYOD become an integral part of IT
- Autodesk and Adobe started audits
- Enterprise audits started by most of the OEMs


Know your challenges and opportunities … to drive business outcomes

- 1/3 of a company’s strategic IT vendors will be less than 5 years old
- Vendor relationship skills will be a Top Five competency among CIOs
- <15% of vendor management programs will leverage data analytics and BI – despite this being a top priority of CIOs
- 30% of enterprises will focus on optimizing IT business value, not just cost
- >75% of IT leaders will be prone to investing in high-risk vendors due to lack of financial analysis skills
- 40% of IT spend will be outside the CIO’s control
- Enterprises will spend 10x more on software asset management services than on tools
- IT assets will be split between less than 10 very large providers and many credible regional players globally
- 20% of IT procurement staff will be replaced by external service providers because of budget restrictions

Source: gartner.com/us/itam

Cybersecurity challenges


Cyber Threat

Cyber Threat – Ransomware

Cyber Threat – Spear phishing

Hacks from preventable vulnerabilities

- 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE* was published
- 80% of successful attacks will exploit well-known vulnerabilities which could have been detected by security monitoring

Sources: Gartner, Verizon

*CVE = Common Vulnerabilities and Exposures. The CVE list (of affected software) is publicly available in the National Vulnerability Database (NVD).


Cyber security

Everyone is talking about cyber security. Organizational leaders are fretting while hackers seem to be able to ghost their way effortlessly into their systems to steal emails and secrets.

— Almost a third of respondents (32 per cent) reported that their organisation had been subject to a major IT security incident or cyber attack during the past 24 months

— It is concerning that less than a quarter of IT leaders feel ‘very well positioned’ to deal with IT security/cyber attacks

— Only 40% of the respondents cited ‘insiders’ as a significant concern; however, an increasing proportion of cyber incidents are originating from within the organisation


Cloud and SAM

Cloud is no longer a choice

— IT is not the sole purchaser of cloud solutions

— 49% of the organisations plan to make a ‘significant’ investment in Software as a Service in the next one to three years, compared to 31% who were making a ‘significant’ investment in the current year

Next gen operating models

— 59% of organisations are looking to implement next gen methods such as DevOps to develop and deliver IT services

SAM and Cyber security – Inseparable components

Ritesh Tiwari


SAM and Cyber security – Regulatory view

Corporate Governance Code 2017

Principle 5.4

The board should establish a framework for governance of enterprise IT that is aligned with the company’s business needs and priorities, stimulates business opportunities and performance, strengthens risk management, and supports the company’s objectives.

Explanation 3

— Consideration of IT risks and risk mitigation policies, plans, and measures. For example, business continuity management, IT security, incident management, and IT asset management.

NIST’s Cybersecurity Framework

Identify – ID.AM Asset Management

The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

Protect – PR.DS Data Security

Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

Detect – DE.CM Continuous Monitoring

The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.


But, do we really know?

Do you know what’s running on each machine?

As a core principle of SAM, the organization should know:

▪ What is running on each machine

▪ Which software titles are patched, and which are out of support

▪ Which users have what level of access

▪ Whether each machine is updated with the latest AV definitions or not

Most ransomware attacks originate because organizations don’t know what’s running on their machines:

▪ We observed that a lot of companies still have old/outdated systems in their network

▪ Ransomware is present on a machine but not yet activated

▪ Pirated/unlicensed software installed on machines results in attacks

▪ Media content downloaded from torrents can result in attacks
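The four SAM checks listed above can be turned into an automated per-machine assessment. The following is an added example written for this page, not KPMG's or any SAM tool's code; the inventory records, hostnames, software titles, dates and the 7-day AV definition threshold are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Constructed inventory records; a real SAM tool would populate these
# from discovery agents, not from literals in the script.
@dataclass
class Software:
    title: str
    version: str
    patched: bool                 # latest vendor patch applied?
    support_end: Optional[date]   # vendor end-of-support date, None if supported
    licensed: bool = True         # known, licensed copy (not pirated/unlicensed)

@dataclass
class Machine:
    hostname: str
    av_definitions: date          # date of the last AV definition update
    admin_users: List[str] = field(default_factory=list)
    software: List[Software] = field(default_factory=list)

def assess(machine: Machine, today: date, max_av_age_days: int = 7) -> List[str]:
    """Return the SAM/cyber findings for one machine (empty list = clean)."""
    findings = []
    for sw in machine.software:
        if sw.support_end is not None and sw.support_end < today:
            findings.append(f"out-of-support: {sw.title} {sw.version}")
        if not sw.patched:
            findings.append(f"unpatched: {sw.title} {sw.version}")
        if not sw.licensed:
            findings.append(f"unlicensed: {sw.title} {sw.version}")
    if (today - machine.av_definitions) > timedelta(days=max_av_age_days):
        findings.append(f"stale AV definitions ({machine.av_definitions})")
    if machine.admin_users:  # who has elevated access on this machine
        findings.append("local admins: " + ", ".join(sorted(machine.admin_users)))
    return findings

def assess_estate(machines: List[Machine], today: date, **kw) -> dict:
    """Map every hostname in the estate to its list of findings."""
    return {m.hostname: assess(m, today, **kw) for m in machines}

# Constructed sample estate: one clean workstation, one with every problem
TODAY = date(2017, 9, 1)
ESTATE = [
    Machine("ws-01", date(2017, 8, 31), software=[Software("Office", "2016", True, None)]),
    Machine("ws-02", date(2017, 6, 1), ["jdoe"], [
        Software("Windows", "XP", False, date(2014, 4, 8)),
        Software("Photo Editor", "9", True, None, licensed=False),
    ]),
]

if __name__ == "__main__":
    for host, items in assess_estate(ESTATE, TODAY).items():
        print(host, items or ["clean"])
```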


Do we know what’s running on each machine?

SAM and Cyber security – Continuous monitoring

Ritesh Tiwari


SAM Automation

The cost of performing a manual inventory can be exceptionally high.

Annual Savings = Number of Machines × Number of Inventories per year × Hours required to manually inventory × Cost of IT staff + Intangibles (reduced liabilities, interruption to BAU, impact of errors in management information, etc.)


Hot debates

Some topics:

01 – Should the SAM team be held accountable in the event of a cyber breach?

An increasing number of organisations appear to be experiencing cyber attacks. Is cyber one of the responsibilities of your SAM team?

— What SAM deliverables should be covered under cyber?

— What has triggered SAM teams to start building cyber capabilities?

— What types of tools do you use/need to cover your cyber responsibilities?

02 – Are you managing software assets on Cloud?

With deeper penetration of cloud (Public and Private), how are you managing SAM?

— What will be the impact on SAM in Public and Private cloud?

— What will be the impact on managing software assets in BYOD/BYOL scenarios?

— What types of tool do you use/need to manage assets everywhere?

Thank you


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2017 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.