It’s Time to Get Serious About Software Asset Management in Government

When government agencies rally the troops for cyberwar, strong Software Asset Management (SAM) practices may seem like a trivial defense. But in a world where process is an advantage, SAM can no longer be overlooked.

In September 2020, a large government agency suffered a data breach that exploited the information of 46,000 veterans to divert medical payments. That's pocket change compared to another organization's shocking data breach that occurred in 2015. As a result, in August 2020 that same organization finished paying for an 18-month credit monitoring services contract to the tune of $400 million.

The average public sector data breach costs $2.3 million, according to Ponemon Institute's 2018 Cost of Data Breach Study. That's statistically below the overall average — but for government, the quality of potentially stolen information could pose serious risks to the country.

Government cyberattacks are wake-up calls.

Working primarily with NASA and the United States Department of Energy, I know how high the stakes are for the federal space. A data breach for a major retailer can be devastating to its brand image, for example — but an attack on a federal agency could be a national security risk. Today's hackers have the most sophisticated tools in digital history to exploit and steal data, but what they want more than anything is an entry point. One of those entry points can appear from poor SAM practices.

Now, compared to emerging tech, I know SAM isn't the sexiest talking point in the digital workplace, but it's one of those critical enablers for holistic cybersecurity and there's no way around it. Hackers don't care what they're infiltrating, whether it's Internet of Things (IoT) sensor data or a 20-year-old hard drive — they only care how to get their foot in the door. SAM is "another door to lock" within your organization (even if it's a tiny side door). And surprisingly, SAM is one of the more overlooked and messy processes for government IT teams.

How does out-of-date software get hacked?

The software lifecycle has many moving parts. For government agencies, it starts with procurement, which has unique purchasing contract requirements such as GSA, SEWP and others. But the brunt of the work occurs in the management stage, which involves monitoring usage, licensing compliance, software entitlement visibility, reusing and much more.

That's a lot to account for, and in the bustle of the management process (one that's commonly ill-defined and not standardized), software often becomes out of date, which means it no longer receives patches to fix software vulnerabilities. As we've all seen in the IT world, out-of-date defenses don't hold a candle to new and increasingly intelligent cyberthreats.

Exploit kits: Highly effective and dangerous
Hackers use exploit kits to find software vulnerabilities on an endpoint, then inject malware through security gaps. This malware attack method underscores the importance of running software updates to patch security flaws.

All-inclusive security matters. Here's how to finally close the SAM gap.

According to SAM research from Deloitte, 72% of IT leaders say they haven't created a formal SAM strategy and 74% haven’t created a formal SAM function. The reasons? Technology complexity, complicated licensing agreements and immature processes, to name a few. To me, these findings suggest that even if an agency were to invest in a SAM tool, getting strategic with that investment is another story altogether.

When I speak with federal agency clients, a lot of groundwork needs to be done before they decide on a SAM solution. Here are steps that need to be taken:

  1. Define your challenges. Is your agency struggling with usage visibility? Do you lack an exhaustive and accurate inventory of owned software? Do you have a comprehensive strategy but need a way to assess process performance? This will narrow down your search as you source potential solution features.
  2. Assess your SAM team. At the end of the day, people power the platform. Making sure your staff members are prepared to maximize a SAM tool is key to long-term success. Ensure that people have knowledge in the specific area of your SAM strategy. For example, is an IT procurement teammate interpreting data and processes within the procurement stage? Consider what training will need to be done before you deploy a tool, and if you have the resources to provide that training.
  3. Consider your current environment. Introducing a tool into any organization's existing environment is rarely smooth sailing. Whether you have data living on spreadsheets to transfer to a new platform, or an existing platform that needs new tool integration, understanding the effect of your investment and how to account for it is critical.
  4. Most importantly, align to a strategy. The features of a SAM tool can drive efficiencies, but a tool should complement an overarching strategy to truly be effective. Without clearly defined processes for how the tool will be used, who will be able to use it, how users should handle troubleshooting and more, agencies run the risk of investing in a tool that won't be properly used — and mistakes will likely surface.

350K new pieces of malware are detected every day, according to DataProt.

Process is everything.

Armed with better SAM strategies, tools and methods, organizations can feel good knowing they've checked one more “peace of mind” box when it comes to securing all possible entry points from data theft. But the work doesn't stop there. Having a well-defined process goes a long way — not only for SAM, but also for any IT asset that could open the door to cybercrime.

About the author:

Lalainya Miles

Field Account Executive, Insight Public Sector

With more than 13 years as an Insight Public Sector teammate, LaLainya currently serves as a field account executive on the federal team covering strategic accounts at NASA, the Department of Energy and Department of State. Outside of her career in technology, LaLainya is a board member on an all-ladies classic car club (known as The Miss Shifters) and enjoys living in the scenic Pacific Northwest.