How much info is too much? (Part 1 of 4)

Businesses often need to demonstrate credibility when bidding for projects, but how much information is too much information? When should the information be provided, if at all? To what extent can the supply chain process fall victim to sophisticated social engineering attacks, and what are the key signs to watch for while attempting to win projects with new clients? This article is the first in a series of blogs aimed at exploring these issues. They are born out of some strange and unexpected questions which, if answered, would undoubtedly demonstrate a lack of credibility.

When a business or individual has requirements that need fulfilling, and they approach a supplier, individual or service provider for help, asking for what they want is the crucial step. If you were to walk into a shop and ask for something, typically you would expect a member of staff to show you what they could offer you. In more complex scenarios where you had a problem but were not sure what you needed, it may involve some discussion but would also result in being shown what was available to help. If you were to approach a solicitor for advice on dealing with an issue, the same would apply; the discussion would flow based on what you need and the problems that you have. This example may sound obvious, but this is far from what happens in information technology, and requests for information during the procurement process are often suspicious.

We would not expect someone to approach a solicitor and ask about issues with previous customers. It would seem perverse to need a solicitor for a divorce and to ask questions about previous divorces. If we did ask such a question, a solicitor would be unlikely to answer. The matter would be private and confidential, and to discuss it would be very unprofessional. With the shop scenario, someone in a shop asking who had previously bought a product or service would be equally nonsensical.

Closer to IT security, consider for a second that you sell and install burglar alarms and offer a monitoring service, and a customer wants to buy your services. You would expect the discussion to include the size of the house, the number of rooms and other factors to determine the best level of security required. What you would not expect is for the customer to ask who previously bought your security systems, where you installed the alarms and your response times.

These examples, when presented this way, sound rather peculiar, but in fact they are reasonable analogies of what happens in the IT sector. Although for many IT services this would not be a problem, IT security is a sector where discretion and client confidentiality are of significant importance:

  • Clients ask for a non-disclosure agreement (NDA) to be signed because they don’t want information about them or their projects to be disclosed
  • Beyond the issue of a discussion breaching a signed NDA, discussing previous clients with new clients or potential new clients is unprofessional, not to mention being in breach of a fiduciary duty
  • The notion that, in Information Technology, suppliers and consultants disclose details of past clients’ projects to demonstrate credibility is so prevalent that IT professionals are an obvious target
  • Businesses and individuals will feel compelled to answer questions at an unreasonable level of detail, for fear that not doing so might exclude them entirely from an opportunity
  • Hackers often gather information from different sources to build profiles of an organisation’s systems and team structures in preparation for an attack

Here is a thought for consideration: you could ask for detailed information about a past project, and we could tell you. But then you would never be able to trust us with anything confidential, knowing that in the future someone might ask us about your project, and we might discuss it.

The point is simple: discussing past clients and projects is unprofessional and unethical, and it demonstrates a complete lack of integrity and credibility; this matters even more where security-related work is concerned.

Consequences of inadequate IT governance

Governance of Information Technology is essential to adequately direct and control the current and future use of technology within businesses and to ensure compliance with contractual, legislative and regulatory obligations. Failure to do so is highly likely to expose companies to one or more violations which could result in:

  • Regulatory sanctions
  • Criminal prosecution
  • Loss of reputation
  • Loss of clients

IT governance is required to align IT with the needs of the business. After all, the IT function is there to serve the company and not the other way around. In this context, IT is a fee-enabling function and seldom a fee-generating function. The corporate governance function and implemented framework will drive:

  • Implementation of security standards
  • Information storage, privacy and retention requirements
  • Compliance with intellectual property rights and 3rd party licences
  • Adherence to environmental regulations
  • Implementation of social responsibility standards
  • Health and safety requirements

Corporate governance contributes significantly to:

  • Effective implementation and exploitation of IT assets
  • Clarity and alignment of responsibility, authority and accountability
  • Efficient allocation of business resources
  • Innovation with fee-generating services in the marketplace
  • Business continuity and sustainability
  • Reducing operational expenditure
  • Achieving business objectives

Implementing IT governance encourages the building and maintaining of working relationships throughout the business and avoids the pitfalls of IT becoming isolated from overall business objectives.

Mixed enthusiasm for cost avoidance

Avoiding the need to spend money in the future isn’t always something to write home about. This software licence audit illustrates how we saved £250,000 in future expenditure – but it resulted in an overall lack of enthusiasm.

  • A software package costs £200 per licence. An audit shows that there are 2000 installations – a total cost of £400,000 in software licences.
  • An audit of purchasing records shows the purchase of only 500 licences.
  • The business has already spent £100,000 on licences, and to be fully compliant, an additional £300,000 of expenditure is required.
  • However, an audit of software usage shows that only 750 users actually need this software package.
  • After removing software no longer needed, the business needs an additional 250 licences – reducing the additional licence cost from £300,000 to £50,000.
  • Removal of 1,250 unnecessary software installations has reduced future expenditure by £250,000.
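As an added example (not from the original article), the audit above expressed as a reconciliation over a constructed inventory, so the same steps can be rerun against any package; the hostnames, the 90-day idle threshold and the (hostname, days idle) layout are assumptions, and the function also covers the over-licensed case where purchases exceed usage.

```python
from dataclasses import dataclass

# Hypothetical policy threshold: an installation idle this long counts as reclaimable.
UNUSED_AFTER_DAYS = 90


@dataclass(frozen=True)
class LicenceAudit:
    installed: int         # installations found by the inventory scan
    purchased: int         # licences on the purchasing records
    in_use: int            # installations used within the idle threshold
    reclaimable: int       # installations that can be removed
    shortfall_before: int  # licences needed to cover every installation
    shortfall_after: int   # licences needed once reclaimable installs are removed
    surplus: int           # licences bought but not needed after removal
    cost_before: int       # shortfall_before at the unit price
    cost_after: int        # shortfall_after at the unit price

    @property
    def cost_avoided(self) -> int:
        return self.cost_before - self.cost_after


def reconcile(inventory, purchased, unit_cost, unused_after_days=UNUSED_AFTER_DAYS):
    """Reconcile installations against purchases and actual usage for one package.

    inventory: iterable of (hostname, days_since_last_use) pairs, one per installation.
    """
    records = list(inventory)
    installed = len(records)
    in_use = sum(1 for _, idle in records if idle <= unused_after_days)
    shortfall_before = max(installed - purchased, 0)
    shortfall_after = max(in_use - purchased, 0)
    return LicenceAudit(
        installed, purchased, in_use, installed - in_use,
        shortfall_before, shortfall_after, max(purchased - in_use, 0),
        shortfall_before * unit_cost, shortfall_after * unit_cost,
    )


def sample_inventory():
    """Constructed data mirroring the article's audit: 2000 installs, 750 used recently."""
    used = [(f"ws-{i:04d}", 7) for i in range(750)]
    idle = [(f"ws-{i:04d}", 180) for i in range(750, 2000)]
    return used + idle


if __name__ == "__main__":
    a = reconcile(sample_inventory(), purchased=500, unit_cost=200)
    print(f"installed={a.installed} purchased={a.purchased} in_use={a.in_use} reclaimable={a.reclaimable}")
    print(f"licences still needed: {a.shortfall_before} before removal, {a.shortfall_after} after")
    print(f"cost: £{a.cost_before:,} before, £{a.cost_after:,} after; avoided £{a.cost_avoided:,}")
```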

As auditors, we can be enthusiastic about:

  • Saving the company £250,000
  • Reducing the commercial risks associated with unlicensed software

However, others’ enthusiasm wanes because:

  • An immediate expense of £50,000 is required.
  • The £250,000 was never actually spent, so it is not returning to any budget.
  • Nobody knew about the £250,000 risk exposure, so it is easily forgotten.
  • No further action is required on the £250,000 saving, whereas the £50,000 expenditure will no doubt require approval and be visible at C-suite and director level.
  • When considering the cost benefits associated with the audit, the identified need to spend £50,000 is something memorable, not the £250,000 saving.

While this example focuses on software licensing, the same logic applies across many other areas: invisible savings often go unnoticed, while visible costs trigger concern.

Practical Steps to Improve Software Management

Software Asset Management (SAM) is more than just a software licensing exercise – it is about maintaining control, reducing risk, and maximising value from your software investments. Effective SAM practices help organisations avoid compliance issues, reduce unnecessary costs, and improve operational efficiency. The following key points provide a practical foundation for managing software assets with confidence.

  • Maintain an accurate inventory of authorised software. Knowing what is allowed makes identifying and removing unauthorised software installations more manageable.
  • Ensure that all your software is correctly licensed. Avoid unnecessary purchasing of software licences by limiting usage based on job roles. Reconcile software purchases with software usage.
  • Maintain control over who can install software packages. Avoid ad hoc software installations and proliferation to reduce licence exposure and cyber threats.
  • Ensure that authorised software is up to date and supported by vendors. Reduce exploitable software vulnerabilities.
  • Segregate business-critical software from other, lower-priority systems. Prevent less important systems from impacting the business-critical ones.
  • Keep control of software support costs. Accurate information about software usage contributes to avoiding excessively priced support contracts.
  • Choose the right product to fit your business environment. Ensure the solution works with existing platforms and operating systems, and the software works out of the box or with minimum configuration. Avoid the trap of buying software and then paying expensive project and development costs to make it fit for purpose.

Good SAM practices create a more stable, secure, and cost-effective IT environment. By actively managing software across its lifecycle, from procurement to retirement, organisations can minimise risk, reduce waste, and better align IT with business objectives. A little discipline in this area can go a long way toward supporting compliance, security, and more effective IT spend.