Information Technology Asset Management (ITAM) suffers from a perception issue. On one hand, implementing an ITAM program promises a significant operational and capital expense savings of up to 30% of your software budget. On the other hand, a recent survey of CIOs and CFOs reports that 84% never see any of that cost savings.
I have been working the ITAM and SAM (software asset management – a component of ITAM services dealing specifically with software licenses, service agreements, and audits) for over 20 years. I have seen asset management tools and processes go wrong for a myriad of reasons. But the easiest and fastest issue to fix is the poor implementation and enforcement of an asset lifecycle.
Nearly every configuration asset management database (CMDB) or asset managed data repository (Asset MDR) follows the same five asset lifecycles phases provided by the ISO/IEC 19970-1:2017 best business practices:
- Acquisition/Development – assets in scope are acquired (or created) in a controlled manner and properly recorded
- Release/Deployment – ensure that releases of IT assets in scope are planned and executed in a way that supports ITAM requirements
- Operation – ensure that operational processing utilizing IT assets in scope is executed in a way that supports ITAM requirements
- (Re)deployment* – ensures that the deployment and redeployment of IT assets in scope is executed in a way that supports ITAM requirements
- Retirement – remove IT assets in scope from their current use, with subsequent repurposing, recycling, and disposal where appropriate, in accordance with company policy and meeting all record-keeping requirements
*NOTE – the ISO/IEC lumps Deployment and Redeployment processes under the same title, to ITAM practitioners’ detriment. You’ll see why further down…
The overriding theme of these definitions is that they are procedurally driven and subjective to the needs of the organizations’ overriding requirements. But that also means CMDBs and Asset MDRs have to keep their asset lifecycle flags subjective to their specific customer’s procedural demands. And if the customer’s organization doesn’t properly define what these phases are, then the ITAM team cannot keep up with all the deployments and changes, and the CMDB/Asset MDR reporting becomes untrustworthy, and that explains why so many CIOs and CFOs report such low opinions of the whole affair.
The trick to rebuilding asset lifecycle definitions is to make sure they are objective, exclusive and based on measurable data attributes. By objective, I mean not open to interpretation by whoever is setting the asset lifecycle flag (as opposed to subjective definitions, used to describe art for the beholder, stiff peaks in a merengue, or pornography to a supreme court justice). By exclusive, I mean that an asset cannot be in two phases simultaneously. And by measurable data attributes, I mean data collected by the CMDB/Asset MDR, either collected by automated mechanisms or by other teams’ activities.
With this in mind, let us apply new definitions to these five asset lifecycle phases but change the definitions so that they are objective, exclusive, and based on measurable data attributes:
- Acquisition/Development – money, or the promise of money, has been paid for the possession or right to use the asset but has not yet been received nor deployed into the computing environment
Data attributes: Purchase Order Number or Invoice Number
- Release/Deployment – Asset has been physically received and accounted for, and is now being made ready for use in the computing environment, but not yet deployed into the computing environment.
Data attributes: Purchase Order Number or Invoice Number, plus Bill of Lading details and visual inventory
- Operation – Asset is active in the computing environment
Data attributes: All the attributes for Phase #1 & #2, plus: current IP Address, network scanning tools, usage logs, command, and control tool records, etc.
- (Re)deployment* – Asset has been removed from the computing environment temporarily, with the intent it will be used again
Data attributes: Same as Phase #1 & #2, but all data attributes from Phase #3 would be out of date
- Retirement – Asset has been removed from the computing environment permanently and is no longer the property or concern of the organization.
Data attributes: All from Phases #1-4, plus a Chain of Custody record (i.e., disposal certificate, donation receipt, police report, etc.)
*NOTE – Sharp-eyed readers will notice Release/Deployment and (Re)deployment are not exactly objective and exclusive from one another. And you’re right. I promise I will explain this if you stay with me!
Thanks to these definitions, an intrepid ITAM manager can look at the data attributes coming into their CMDB/Asset MDR and know which asset has moved their position in the asset lifecycle. Your ITAM team can look at the sum total of devices in your environment, sift out the asset records with lifecycle settings that match the expected data attributes and focus on researching the ones that don’t. Maybe a trouble ticket or change request wasn’t properly created before the Service Desk replaced a PC? Or only part of a shipment was received because of supply chain issues? Was a laptop lost or stolen, and was Cyber Security notified? And if that piece of hardware has been pulled off the wire, can the software assigned to it be applied elsewhere?
With the ITAM team actively testing the veracity of the data attributes defining the asset lifecycle, two things then happen. First, the number of asset records the ITAM team needed to research and update manually is a good metric for both the health of service support processes and the overall accuracy of the data contained within the CMDB/Asset MDR. Second, the more accurate and responsive reporting from the CMDB/Asset MDR will improve the overall trustworthiness of the CMDB/Asset MDR by the CFOs and CIOs.
Now, let’s address the asterisk, our Roger Maris of ITAM, the (Re)Deployment phase. The ISO/IEC 19770-1:2017 standard combines the initial deployment and recovery and redeployment of assets into a single phase. And this is to the ITAM industry’s detriment. Asset recovery and redeployment is one of the three processes Gartner identifies as key to reaching that 30% cost savings (mentioned earlier in this article). Any asset already owned and redeployed prevents a new asset from being purchased; a straight-line cost savings for both the hardware and software budgets. ITAM teams can more clearly show these savings by tracking and reporting exactly how many assets pass through this “Redeployment” phase.
And that we don’t explain why so few of the C-Suite Leadership claim to see any benefit from our efforts.