With demands on CIOs increasing, having complete visibility over all software, licences, compliance and costs is essential. KPMG’s CIO shares his insights into how Software Asset Management (SAM) helps his complex role.

Chief Information Officers (CIOs) are increasingly mandated to run IT like a business. This means they have increased accountability over the use of, and spend on, technology assets including software, hardware and cloud services.

Optimal SAM is one approach that CIOs can take to meet this expectation. SAM can offer complete visibility over software usage across all of a company’s technology environments, at all times. It can help CIOs control compliance, costs, and cyber security risks, and ensure they are well positioned to offer insight to the broader organisation.  

However, is SAM high on the agenda of CIOs in 2021?

To get a deeper understanding of how CIOs view SAM, we spoke to Craig Wishart, CIO, KPMG Australia. He says that SAM is integral to his agenda, and considers that his peers across other organisations are increasingly aware that they need to prioritise SAM.

Wishart outlines four ways that SAM helps him tackle the challenges faced as a CIO – licence management, managing cost, cyber risk and vendor risk management.

“SAM supports strategic decision-making. Being able to rationalise the software assets within the firm, and being able to capitalise on them with selected vendors is critical to ensuring you get a good ROI on your software investments”.


Craig Wishart
Chief Information Officer
KPMG Australia


1. Licence management

Wishart needs a ‘single source of truth’ for all assets and licences owned or used by the company, including computers, infrastructure and cloud. As a comprehensive licence management program, SAM helps him to achieve this.

“It helps to ensure that the company remains compliant and can reduce costs,” Wishart says.

Software licences were once more simply defined as an ‘end-user license’, or a ‘server-side license’. Now, Wishart explains, there are many more metrics and usage rights associated with a licence.

“It could be based on administrative access, connections between systems, functionality, number of users, for example.”

He says good SAM can give visibility to the nature of licences attached to each piece of software, and all the metadata required for better decision-making around licence agreements.

Further, SAM provides a level of transparency which builds trust with Divisions/Business Units when applying recharges.


2. Managing cost

In an era of cost optimisation, CIOs must know the total cost of software to their organisation – department by department, user by user. SAM can help offer this insight, Wishart says.

“CIOs of all industries are expected to be CEOs of a ‘technology business’ now – and if you’re a CEO of a company and you can’t explain your balance sheet or your P&L to your shareholders, then it is an issue. Similarly, CIOs are expected to understand the organisation’s P&L at the same level of detail.”

This visibility over software means CIOs can bring deeper “price thinking” to procurement processes.

“It’s the ability to see what it really costs to run the business, and then being able to charge back, or proportion the costs, to the end user or consumer of the service. Cost transparency is a goal for many CIOs”. Foundations for establishing trust are often built from confidence ‘in the numbers’. CIOs must be able to talk to the financial aspects of the ICT function as competently as a CFO.

Wishart says many firms are adjusting from a traditional CapEx model, in which licences were purchased and there was a yearly maintenance fee, to an on-demand consumption-based model.

“It is really important that CIOs understand that because it directly impacts your bottom line. SAM helps here as it means you can have real-time information about software usage and consumption behaviours and patterns, allowing for optimisation of spend.”

Wishart says that as CIOs (typically) spend about 20-30 percent of their budget on software, visibility, and using data to drive negotiation strategies with vendors, can make an impact on the bottom line, especially when organisations are moving more to the cloud and cloud subscriptions are becoming more complex. Many CIOs are being challenged further with reducing single vendor risk and moving to multi-cloud and multi-vendor relationships.

SAM can also help CIOs have better control over ‘shadow IT’. Those costs are often not visible to the firm; they’re done at a user level. “It’s important that all software is licensed in such a way that the business is paying for what it uses,” he says. Organisations also have an obligation to pay for what is used.


3. Cyber risk in review

With cyber security a core risk to business, Wishart needs a clear view of all the vulnerabilities that can come to the organisation via software. SAM helps him to see where danger hotspots exist.

“It helps give a very clear view of the cyber risk exposures from software that have either been subscribed to at an enterprise level, or subscribed to at an end user level,” he says.

With people working across multiple devices, Wishart thinks that within 2-3 years laptops could be a secondary device for work use, after phones or tablets, and the majority of software will be cloud-based rather than installed on laptops. This mobility and diversification presents CIOs with even more security challenges. 

“We used to focus on vulnerabilities on our end user computer network – we now focus on vulnerabilities across cloud services and third-party devices,” he says.

Cyber security management is complex, and it is important that all software vulnerabilities are understood, including the core disciplines of patching and compliance.


4. Vendor risk management

As organisations engage more cloud software, CIOs have to know how the vendor is managing the data, what security control frameworks they employ and, importantly, how they audit their processes and practices, Wishart says.

“Outsourcing to cloud services doesn’t negate your accountability and management of risk and security.”

Wishart says established SAM disciplines allow CIOs to improve monitoring and event management. Vendor management is challenging. Many CIOs are dealing with multiple vendors, and managing proper compliance and third-party risk assessments has to be a priority. SAM disciplines allow for better discussions with vendors.

CIOs must understand where and how their data is managed by third parties, on all levels. For many organisations data is a currency and an asset; as such, CIOs are now challenged with protecting data assets and mitigating the risk to them.

“You may as a CIO have been thinking of it as an optional, but it will become critical to your success if it isn’t already.”