Understanding the true impact of asset management

Sean Dawson: Hello, and welcome to the Cask Distillery Podcast, where we unlock the full potential of ServiceNow with expert insights and practical strategies, only here on the Cask Distillery Podcast. And today, we’re going to be talking about ITAM and security. Building a strong alliance that drives success. 

And I have Teri Bopst with me, and I wanted to give you her a quick intro. Teri has had more than 25 years of experience in IT. She’s had 13 specifically dedicated to IT asset management specifically, and two decades of leadership experience. And she’s the director of IT asset management here at Cask. 

Welcome, Teri, and thank you for coming on the show with us. 

Teri Bobst: Thank you, Sean. It’s great to be here.

Sean Dawson: Oh, it’s going to be a good time. So, we’re going to be talking about, as I mentioned earlier, we’re talking about ITAM in security and that alliance that drives success on the platform and for organizations. But as I usually like to do for our listeners, is, I wanted to see if you could give us an overview of IT asset management. I might get in the habit of calling it ITAM, as we typically do, but I wanted to go over that for those that might not be familiar, because there might be those that know ITAM from, you know, ITSM side, where you’re basically dealing with hardware or Hardware Asset Management Pro, SAM Pro, all that different stuff.

But I was wondering if you could give a quick, high-level overview of what ITAM is. 

Teri Bobst: Yeah, you bet, Sean. So, IT asset management—or ITAM, we’ll call it that throughout this to shorten it—you know, is a program that is foundational to your organization. It really interacts with every department in some fashion. It starts with understanding what you need to do business, and it encompasses all IT hardware, software, and services. So, it’s really knowing what you have, where it is, who or how it’s being used, how much it costs, and understanding the complete life cycle of those assets with the goal of keeping your assets in use throughout their life cycle.

You know, assets that sit on a shelf or in a drawer, they just cost you money, and they introduce risk. And the solid ITAM program can protect you from that. 

Sean Dawson: So there’s a pretty good ROI behind that when you start looking at that stuff. Correct?

Teri Bobst: Absolutely. IT asset management is probably one of the easiest places to prove an ROI because there is so much cost involved when you think about an organization and everything, you know, IT related that they purchase and understanding that you’re really purchasing what you need and that it’s being used.

Sean Dawson: Okay. All right. Let’s get a little bit into the security side of this since that’s what we’re talking about. Not just ITAM as a whole, but I think it’s good to frame that around what ITAM is. So, how does ITAM help protect the organization? 

Teri Bobst: Yeah, so I do want to, you know, start out by saying that when we talk about protection in the context of asset management, that really refers to proactive and strategic measures that are taken to safeguard your/an organization’s assets, whether they’re digital, physical, or resources. So the protection isn’t just limited to IT security, even though that’s a significant component. ITAM really offers financial, legal, and operational protection as well.

Sean Dawson: Okay, let’s go the other way. Can you talk a little bit about how security protects the assets then? 

Teri Bobst: Yeah, absolutely. So having a solid security program, you know, really protects your assets through things like issue management, security incidents, legal holds. Really, one of the larger areas is technology-oriented protection. So, think authentication methods, access control, encryption standards, firewalls, all of those things that really protect, you know, your assets and what can happen with them, who can log into them, making sure that they’re not vulnerable to exploits. And then, also, patch management is a really big area when, you know, that’s what keeps your software up to date and really protects you from the vulnerability of having outdated software. 

Sean Dawson: Okay. And I—so something else I was thinking about is thinking about the foundation. Meaning, like, within ServiceNow, you’ve got CSDM/CMDB. How does that data support your ITAM program, and even including the security initiatives that the organization—how does that all link?

Teri Bobst: Yeah. So a CMDB is critical to your asset management program. And what I usually try to explain to people we’re talking about is the CI, you know, which lives in your CMDB—your configuration item—is really the entire in-use phase of your asset lifecycle. So, when we talk about encompassing the entire asset lifecycle, that’s really from planning through disposal, but the entire in-use phase, which is really where you’re getting the value out of the money you’ve spent on your assets, is monitored and managed through your CMDB.

So who is using it? Who’s logging into it? What resources are, you know, available on that asset? What software is installed on it? What’s your OS? What’s your patch management? All of those things come from your CMDB and through a solid configuration management program.

Sean Dawson: Okay. And you mentioned something that I want to dive into a little bit more. When you talk about life cycle, I think it’s good for listeners to understand the breadth of the life cycle, because I know that, you know, when I was managing IT in the commercial side of business is when you think of life cycle, “Oh, I bought it. I have a five-year depreciation, and then I’ve got to dispose of it.”

But there’s so much more than that to think about and consider. I thought it would be good for the listeners to talk a little bit about life cycle, even though it’s not specifically lined up with security. I thought it would be great to have a quick overview for those that go, “Life cycle? What is that?” Can you talk a little bit about that and go a little deeper than, you know, my high-level quick overview? 

Teri Bobst: Yeah, absolutely. It’s really one of the things that I get very passionate about when we talk about IT asset management. You know, that’s a very process-oriented program. And really, the processes are those life cycle stages. In fact, I have recently published a blog that our viewers can access on how do you do ITAM. And it’s from my practitioner standpoint of really helping people that don’t really know what ITAM is and how you can even get started. And I always recommend you start with understanding the life cycle. 

So, the planning phase. You know: What do I need? What are my standards that I’m going to introduce into my environment? Where am I going to buy it? How much does it cost? And moving into request, how is it going to be available to my users, you know? How do I have a method via the service catalog for them to submit those requests? And then, how do I fulfill the request?

You know, so, going with your procurement team, making sure that you have the right vendors lined up to really purchase those assets, make sure you have the right forecasting so that you can take advantage of budgeting for larger purchases and really helps protect you financially because you know what you need and you can get more buying and negotiating power from your vendors.

Of course, you go into deployment. That’s when you actually, you know, hand it over to your end user or to your data center. And now it goes into use. And that’s really where that configuration management part comes into. So, the largest part of your asset life cycle should always be in use. And that should always be your goal. Like I said, that’s where you really get the value out of the spend that you’re investing in these assets. So, having solid monitoring systems that make sure you know how, who’s using it, how it’s being used, what’s installed, and that it is in use, right? 

So, you know, if an asset goes missing, that’s one of the first ways to know is that your monitoring system hasn’t picked it up. So, you know, this laptop hasn’t checked in two weeks. Where is this laptop at? Those are all really important things and really encompass that protection of your organization that we’re talking about today. And then, of course, you do also have to manage the disposition of the assets. That’s a huge component, you know: making sure that your data is sanitized, that you’re not letting assets leave your environment that may have personal data, HR data, or just organizational data.

So really, having solid data sanitization processes and then through disposal. So, who are my disposal vendors? Are they disposing this in accordance with EPA guidelines? We don’t—no organization wants their assets to end up in a landfill somewhere that haven’t been properly disposed of. So making sure you know your vendors, that they are certified, that you have a really solid contract in place with them. 

So I know that was a lot, but that’s really the asset life cycle. It is a lot, and it’s very important to understand. 

Sean Dawson: Yeah. I think—thanks for going over that. I—it was a loaded question, cause I knew that, but I wanted the listeners to understand the full breadth of that journey and what that looks like and things to consider. Because I think, at least for me as an IT person or an IT professional, sometimes I have the habit of oversimplifying something. “Oh, I’m just tracking an asset. I’m just putting in.” There’s a lot more to that. There’s governance. There’s thought. There’s decisions. Who’s going to do what? So, it just adds more to that. 

So, coming back to more about the security side and the link with ITAM, I know there’s other areas in the platform that we touch, and kind of I wanted to hit on each one of them if we can. So, one of the examples here would be like ITSM. How does that interact with SecOps and ITAM in your eyes? 

Teri Bobst: Yeah, so ITSM is really closely connected to ITAM. When you think about incidents, how your organization is going to work those incidents, if they need to be kind of escalated to security incidents, it’s very important to understand the asset that incident is being reported on. Who that asset is assigned to, where it’s located. You know, if there’s ever any kind of data breach, you have to immediately be able to know where that came from. Where are those at? And so it really ties closely into incident management, as well as it creating efficiencies within your service management department. You know, when a user calls in for an issue with their assets, instead of having to try to walk it in user through finding their serial number or their service code on an asset, you know, in platforms such as ServiceNow where they’re all interlinked, the help desk agent, service desk agent, can immediately know, “Okay, this is the asset because it’s assigned to you that we’re going to be talking about,” and immediately begin logging that incident against the proper CI for the tracking purposes. 

Sean Dawson: Okay. Okay. So let’s go to another area. Let’s talk about IT operations management, or ITOM. How does that link into ITAM? 

Teri Bobst: Yes, we touched on that a little bit. You know, ITOM is really managing your CMDB among many other things. Service prepping discovery, so ITOM and ITAM really are handing off with each other, because you buy an asset, and when you talk to any asset professional, they’re going to tell you the asset comes first. That’s just how we are, because that’s what you plan, and that’s what you purchase. But if you don’t have a solid ITOM program that really allows you to understand how that asset and that configuration item are being used, then you’re really losing out on a large part of that life cycle. It’s absolutely critical to know, you know, a CI is—I always say it’s—there are two sides of the same coin: an asset and a CI. And the CI is the part that is used to really provide the business service to your organization. And all of the data from there comes through an ITOM program.

Sean Dawson: Correct. Good thoughts on that. So, the other area, and this might be a surprise to some people, I wanted to talk—have you talk a little bit about HRSD. So, HR service delivery and how it links to ITAM. 

Teri Bobst: Yeah, that’s a great one. And it’s probably been overlooked until recently. I have seen a lot more interest in linking HR with ITAM. And there is a huge benefit to user experience for linking your HR with your ITAM program. And when I talk about user experience, you know, it’s onboarding of new users, making sure that they have the tools they need on day one to do their job.

So again, not only is that user experience, but that also falls back into that operational protection, because you are protecting the efficiency of your organization. You know, there’s nothing worse than hiring a new employee and them not having the resources they need to go to work and having to sit and just wait for it, you know? That’s a waste of everyone’s time. So being able to trigger onboarding events through your HR application and having your ITAM team closely linked with that along with service delivery so you know that this new employee, what they’re going to need to do their job, have it issued to them on day one so that they can immediately begin adding the value that you hired them for.

Also, HR also is closely linked on offboarding. And offboarding is not so much about user experience, but it is really important on the protection aspect, because when an employee is offboarded, you need to understand exactly what they have. You need to know, you know, what assets they had, what software they had, so that you can initiate reclamation events against those, because, you know, in our remote environment that we work in today, those assets may be at a home office, and you don’t want them to just be left out in the wild. You want them to be returned to your organization.

A big part of the financial protection that an ITM program gives you is the ability to reclaim those assets in a timely manner, because chances are they still have usable life. You want to reclaim them. You want to do data sanitization so that you’re protecting anything that that employee may have had stored on that asset, then getting it back into your asset pool so that it can be redeployed. And that way, you’re not buying a new asset because you have reclaimed one that can immediately be put back into use. 

And that software is really a huge component of that as well. You know, your software licenses are very expensive. And organizations spend hundreds of thousands, millions of dollars on their software licensing. And if you don’t know that this is no longer being used because this employee has been offboarded, then you’re just going to continue to buy more instead of harvesting those licenses and then reusing them. 

Sean Dawson: Yeah, that is so good. I’ve got—you’re getting me excited, because I’ve got thoughts that I will finish up with here, but it—there are so many benefits to an organization to have an ITAM program.

So as you’ve been talking, one thing that’s hit me and not—obviously, I already know this—but ITAM is not just about tracking assets. There’s other pieces of, and it links to so many things. I really love it. But I wanted to have—there is one more area I wanted to touch on, which is, you know, the topic of conversation is GRC. So, governance, risk, and compliance, and how that fits into the ITAM arena. 

Teri Bobst: Yeah, absolutely. So, anytime you talk about GRC, it’s all around understanding your asset estate, because there’s really where your risks and compliance come in. So you may have many regulatory bodies that you have to be accountable to. And really, those are all around understanding what assets are being used in those areas that are governed by those regulatory and compliance issues. You know, compliance is huge with software. So every software vendor, you have a license agreement with them, and that license agreement generally dictates how that software is used and how many rights you have to use it.

So, it’s really critical to have that solid, mature ITAM program to really be able to have a solid GRC program. They’re, you know, software audits. They say it’s not a matter of if—it’s when an organization is going to be audited. And it doesn’t have to be scary, because if you have a really good ITAM and an SAM program, you’re going to immediately be able to show that vendor that’s initiating the audit, you know, “This is what I have purchased from you, and this is how it’s being used. And this is how many people are using it and how many assets it’s installed on.” And so it can really take that, you know, nightmare audit and make it a way less painful procedure.

Sean Dawson: Yeah, great. Thank you for going through that—quite a list—with me. The last thing I wanted to talk to you about is, I wanted to see from your perspective about what an ITAM maturity looks like. And what do listeners need to be considering? So, what does maturity look like within IT asset management?

Teri Bobst: Yeah, so that’s a great question, Sean. Maturity really begins with starting your processes. So, you know, like we talked about identifying those life cycles, understanding what each phase of those life cycles look like within your organization. Writing those processes that are really going to manage those life cycles.

And that’s really where you have to start. And that’s why, you know, the “How Do You Do ITAM” blog that I’ve written, that’s the reason I wrote it, is because it can be so daunting on knowing how to even get started on an ITAM program. You just know it’s this thing you need to do. And, you know, you’re probably getting executive buy-in at this point because in today’s economic climate, you know, understanding how you can save money is a top priority among all C suites. And really, ITAM is kind of that glowing beacon of “Hey, over here, you’re spending millions of dollars. Let’s make sure this is being managed well.” 

So really, starting with understanding the processes and, you know, documenting those processes is critical. Don’t just have them in your head and think you know what they are. Really go through the process. It’s great to have a partner that can help guide you through that, you know, such as our team here at Cask, because we are very much practitioners in the space, and we are very passionate about ITAM and helping organizations reach that ITAM maturity.

So the, really, the next thing is all around the data. The data is the critical thing in ITAM that really makes it’s to where all of these other organizations or departments that we have talked about can start benefiting from ITAM. So, you have to have trustworthy data, because the worst thing is, you know, to get buy-in maybe from your security team that, you know, “ITAM is great. We know you guys can provide what we need to help protect this environment.” And then they get the data, and it’s very questionable. And that’s definitely not something you want to do. So that’s why the processes are key to start, because the processes are what is going to help you build to that mature data standpoint that really gets you into that optimized maturity level, where all of your other departments can depend on your IT asset management data. And then they’ll start coming to you. Legal is a great area that ITAM benefits when you talk about legal holds or scary things like investigations and you need to be able to secure those assets quickly so that they can be handled in an investigation, you know, with a solid, mature ITAM program. There’s a huge benefits to the legal department, the finance department, HR. It’s just really never ending. It touches every aspect of your organization. 

Sean Dawson: That’s good. That has been so insightful. Thanks for sharing all that. And I wanted to at least open the floor to you if there was anything I missed or anything you’d like to add for the listeners as they’re thinking about an ITAM program. If not, then we’re done. But I thought I would ask: Is there anything else you’d like to tell the listeners about ITAM and thinking about that allegiance with security or ITAM in general?

Teri Bobst: Well, you know, I think the main thing that I want all of our listeners to understand is you need to be doing ITAM. It’s critical to your organization. So get started somewhere. You know, the ServiceNow platform, of course, it is a platform that ties all of these areas together. So it really makes it a seamless process—when you talk about linking with IPSM or HR or ITOM or security operations—having that single platform where all of those things live really will make the job of maturing your program across your organization much simpler.

And really, I always like to make sure people understand the breadth of ITAM, that it is not just about buying assets. It really does have significant impact. It has—you know, it can protect your organization through financial aspects, legal, operational, IT, security, HR. You know, it increases efficiency across your departments, which, again, is a financial protection for you, knowing what you have, making sure you’re not buying more, making sure your assets are all in use through their life cycle—that is really the benefits that you can gain through an ITAM program. And really, when we think about—, you know, I say it touches every organization, every department, the computers we’re using today. Those are IT asset management. These webcams that we’re going with video? It’s IT asset management. The software that we’re using to run everything within our business? That’s ITAM. It really—no matter if you’re in an office, if you’re working from home, you know, if you’re in a corporate location, everything that your employees do on a day-to-day basis includes IT asset management. 

Sean Dawson: Well, thanks for that. It was great to speak to you. And thank you so much. I know how busy you are in taking time out of your schedule to talk with us here. So I really appreciate it. Thank you, Teri. 

Teri Bobst: All right. Thank you, Sean. This is great.

Sean Dawson: You’re welcome. So one thing I want to ask listeners to do is we have a couple of things that you can go do is—first of all, we have “How Do You Do IT?” I’m sorry. “How Do You Do ITAM?” on our blog. So go take a look at that article. It is excellent and goes into detail in writing what Teri was talking about here. So, if you want a second view of it, it’s a great article to take a look at. 

And lastly is, would you be willing to do us a favor and subscribe to this on the YouTube channel? It just basically helps out the algorithm and shows that there’s value. If you’re getting value out of this, just hit the Like button. And if you’re listening to this on any of the podcast platforms that we are publishing this on, give us a rating. Let us know how we’re doing. And if you have any suggestions for us, as always, let us know, make a comment, shoot us an email, whatever it is, let us know what you want to hear.

So that’s it for today. Thank you again, Teri. And we’ll talk to you later. Bye bye.

Teri Bobst: Thank you, Sean. Bye.