If you are a technologist at Danske Bank, Rachel Ryan wants you to know that she’s not the “software police.”

Ryan is the first vice president and global head of IT asset management (Itam) at the Nordic bank. Itam is a methodology for keeping tabs on all the assets of an organization, including hardware and software. Itam’s remit is broad: an Itam team could work closely with network security to ensure the removal of any software containing vulnerabilities; or it might be responsible for making sure that laptops are wiped of sensitive data at the end of their lives; or it could be tasked with finding loopholes in the complex licenses of large enterprise software vendors like Microsoft, Oracle, and IBM.

Itam’s proponents say it can save large organizations millions, but it’s still often seen by businesses as a passive function—largely about keeping the organization safe from compliance risk—rather than an active one that can optimize spending on software and cloud architecture. And it can be difficult to find license specialists with the necessary skillsets.

Getting business buy-in and finding the right people for the job were Ryan’s main challenges when she joined Danske back in 2019, tasked with the newly created role of building a specialized Itam team.

“Initially, it was about establishing the department as not the software police, but as a department that can bring value to the business. And we had to demonstrate that value. So it was very much about changing the perception of our role from just compliance, to cost optimization. We were very conscious about building relationships and bringing people information so they could make business decisions on the information that we are providing,” Ryan says.

Preston, UK-based Ryan, who speaks with the broad accent of her native Lancashire, started her career in tech sales. Before joining Danske, she was global software asset management lead at pharmaceutical giant AstraZeneca, where she spent just over eight years, prior to which she spent a decade at Fujitsu in software operations and licensing roles.

Before she joined the bank, Danske’s Itam team consisted of six or seven specialists who worked with external third parties to manage the bank’s tech estate. External consultants told the bank it should grow its team. “They decided they needed somebody who was experienced in running large global programs, they needed some expertise in Microsoft, IBM and Oracle, and they needed to upskill everybody,” Ryan says.

The “somebody” they hired was Ryan, who immediately set about growing the team’s headcount. “I said I would bring in some high-level expertise, and then we would train from the top down and upskill everyone over two years,” she says.

“In Itam, you need the technical specialists and the specialists in licensing. People can be skilled up to a degree, but it’s very difficult to train someone fresh. In software licensing it takes a long time and a lot of experience—these are key personnel with very specific skillsets. Those are not cheap, and I had to go outside of the normal countries to find them,” Ryan says.

Ryan’s team now consists of 19 people spread across three countries—the UK, Lithuania, and Denmark—all of whom have been accredited as specialists in parsing the licenses of the large vendors, including Microsoft, IBM, and Oracle. After the first year, the business asked Ryan to expand to take on responsibility for hardware asset management, so she founded a dedicated team in India for that.

In building her team at Danske, Ryan looked for the depth of experience of people who have worked as specialists for years. “You’d have to be very naïve to think you could just tell someone, ‘OK go on a course on Oracle.’ That’s when you end up with multi-millions in non-compliance [penalties],” she says.

This is why many of her team are based in the UK, rather than the bank’s headquarters in Copenhagen, Denmark, or in low-cost development centers overseas. “For the IBMs and the Oracles, you’ve got to go for people who have worked at large corporates. And the big corporates that are doing it well are in the UK and Europe—countries like Germany—and they’re very established. To find these people, you have to look at engineering firms like Volvo, BMW, something like [shipping company] Maersk, or the big pharmas. You’re looking at large corporates with like 20,000 employees—that’s where you’ll find the people with a lot of experience,” Ryan says.

Though she would not be drawn on an exact number, Ryan says her team has saved Danske “millions” of euros since 2019. The savings principally came from optimizing the use of software—that is, saving on new purchases and renewals, and right-sizing on license use—and heightened the profile of her team from being perceived as a back-up department to now being recognized as a key contributor to the bank’s bottom line.

But it wasn’t easy—it took some work to get the right people in place first.

Specialist discipline

Itam as a discipline is about 15 years old, Ryan says. It emerged when the licenses of the largest enterprise software vendors started to get more and more convoluted as they sought to monetize their IP and track usage by conducting huge audits. Many large corporates have found to their dismay they have 10,000 users of a product and were only licensed for 1,000; or perhaps that a software license signed by their US headquarters didn’t extend to use by teams outside the US, for example, technical teams in locations such as India.

“What happened is that suddenly, the vendors realized, ‘Wow, this is a bigger money-maker than it is to actually sell software’,” Ryan says.

According to polls conducted by consultancy Gartner, the percentage of Itam professionals subject to vendor software audits rose from 30% to 62% between 2005 and 2012. A decade later, Itam software provider Flexera’s State of Itam 2022 report showed that in the past three years, 50% of Itam teams at 465 mostly large companies were audited by Microsoft. Software asset managers (SAMs) still focus most of their time on managing internal and external audits, the survey says.

Of Flexera’s respondents, 24% paid more than $1 million in “true-up” costs to become compliant and penalties related to audits over the past three years, while nine percent paid over $5 million.

These audits are so lucrative that users have wondered whether the large vendors are deliberately making their licenses more complicated. The large vendors, on the other hand, say they are trying to capture all the possible usage of their IP and ensure that the customer understands the costs upfront. They say they continually review and reduce the complexity of their licenses. Microsoft, for instance, streamlines license management under one single organization-wide agreement, according to its Enterprise Agreement.

Either way, an ecosystem of SAM practitioners specializing in the ins and outs of the licenses of different vendors has evolved. Most of these professionals boast years of knowledge honed from careers at resellers or the vendors themselves.

Over time, Ryan says, Itam has become as much about right-sizing and reducing costs as it was about protecting the company from audit and liability. Most large corporates are paying for software they don’t even use. Any computer probably has apps that go unused but come standard as part of Microsoft Office 365. It’s no different for enterprises.

“Software asset management became a methodology firstly to understand the different complex licensing rules, and then to put all the processes of governance and controls there, and then we moved into saying, ‘We can save you millions on your next big agreement’,” Ryan says.

Evolution to Finops

Itam has become an established discipline with an ISO standard (ISO 19770) and trade associations like the Itam Forum, of which Ryan is a board member. But the skills of SAM practitioners are having to adapt as large organizations move onto the cloud.

Finops (a portmanteau of “finance” and “operations”) is the next trend in Itam, says Tony Mackelworth, who is head of Microsoft advisory for software provider SoftwareOne. Mackelworth has been at the vendor, which offers Itam-focused solutions, for nine and a half years, and helps develop platforms aimed at saving customers money on their cloud architecture. Prior to this role, he worked with Microsoft and then BT in licensing and SAM roles, where, he says, he became an expert in product usage rights and standard contract rules—and, more importantly, how to apply those rules to real-world server environments.

When Mackelworth began his career, infrastructure was on-premise. Procurement took place over long lifecycles with capital expenditure sunk into datacenters over years-long horizons. “There was always the pressure to optimize costs, but it was a more static and less dynamic environment. You could apply SAM principles and capabilities to that,” he says.

As the years went by, virtualization and then cloud computing emerged, and tracking licenses got tougher. Cloud offers elasticity, allowing users to scale resources up and down as they wish, but assigning licensing assets to this ever-shifting environment is a challenge.

“Today, cloud spend is an operating expense. And the purchasing power can be in the hands of individual engineers, not in procurement. They can spin up new workloads with elastic scaling of those resources. So that means you have a very dynamic, elastic environment that they have to manage on an ongoing basis. And that is a challenge for many organizations,” Mackelworth says.

SAM practitioners must increasingly combine that knowledge of licensing and commercial programs with a technical understanding of cloud architecture, tracking innovations in Amazon Web Services, Microsoft Azure, and Google Cloud Platform, as well as in software-as-a-service apps in older platforms like Microsoft 365.

“Even vendors like SAP and Oracle are moving to hyperscale environments. As organizations move workloads to the cloud or refactor applications natively for the cloud, there’s going to be increased demand for Itam professionals in finance,” Mackelworth says.

Flexera’s research shows that SAM teams are still in the early stages of understanding cloud and SaaS—with less than half saying they right-size SaaS subscriptions—but adds that most expect to increase their work in these areas, reducing their focus on datacenter and desktop software. But there are savings to be had by understanding contracts. Among Flexera’s respondents, 89% of teams with mature SAM programs realized savings from reusing licenses.

In turn, the hyperscalers have introduced mechanisms that allow customers to access discounts. Many offer a model called ‘bring your own license,’ allowing customers to apply licenses they already have to a cloud platform.

Azure has Hybrid Benefit, a licensing mechanism aimed at reducing the costs of running workloads in the cloud by enabling Windows Server and SQL Server licenses, and Red Hat and Suse Linux subscriptions, on Azure. AWS similarly offers the ability to switch between its own licenses and those for Windows Server and SQL Server workloads, retaining the application, instance, and networking configuration associated with the workload.  

On the other hand, vendors offer discounts to incentivize customers to license with them in volume, rather than bringing their own or buying on-demand licenses.

These are all nuances SAM practitioners must be aware of, as well as “whether customers make purchases monthly or over longer terms like multiple years. Licensing has a role in all these factors that can really impact the bottom and top lines of the profit and loss balance sheet,” Mackelworth says.

SoftwareONE works with customers to understand exactly what their cloud usage is, and if those functions are going to be revenue generators or cost centers, even extending accountability to individual engineers

 “The role of Itam in finance is connecting the silos of IT procurement to engineers and cloud architects to understand what is going on in their environment and know how spend is allocated across the business,” Mackelworth says. “It’s a collaborative effort to understand what cloud spend is … making sure that KPIs and success criteria are aligned with policy.”

And it’s when the Itam department can demonstrate that it can save the business money by improving this awareness and accountability of cloud costs that it will get business buy-in, he adds.

Itam as a moving target

Ryan says that now Danske’s Itam team is in place and showing its worth to the business, it will focus more on finops, as well as “shadow IT”—users deploying hardware or software outside the auspices of the IT department.

Shadow IT mostly happens by accident: for example, an employee wants to try out some software, pays for it themselves, or uses their company credit card, and installs it. This usage could present a security and compliance risk, especially in an era of data protection regulation. Ryan says shadow IT has grown significantly due to the cloud, which has made it easier for users to buy and use software outside of the governance and controls of the IT department.  

Like Mackelworth, she also sees Itam evolving. The thinking behind the discipline is trending towards encompassing wider and broader definitions of an IT asset—including business applications, services, and even people. As everything in an organization becomes an IT asset, mapping it all to obtain a comprehensive view of those assets and how they interrelate becomes crucial to an Itam team.    

Danske has been working on mapping its business applications and services under a methodology called the Common Service Data Model (CSDM). This model is a framework for building configuration management databases—databases that organizations use to store information about their hardware and software assets. These are an important tool in Itam: Flexera’s report says that 71% of respondents use a CMDB, with on-prem virtual machines representing the most-tracked type of cloud assets in these databases.

“We at Danske Bank have been working on the CSDM, which is mapping all the business applications and services. We started that journey in 2020, and want to move further into that journey this year,” Ryan says. “We will be looking at the different tooling and integrations and how we can share data to different departments. We want to give a visual to our business application owners so they can see everything, how it all fits together, so they can manage risk and costs.”