In Depth
The Six-Figure Software Licensing Mistake
Even the best security staff is not above making costly mistakes
By Anonymous
This is all background to get the juices flowing and get you thinking. I could bore (or entertain) you with how this whole incident played out but let me just say that it was painful and professionally damaging to more than one staffer, and when it was finally resolved a couple of months later, my budget was magically smaller by about $100K. While this might hurt in a private sector company, in a government organization like mine, it ruined the year. While many of you have already started going through your mental checklist, there are probably others hyperventilating at the thought that this could happen to you too! Since this article is intended to enlighten you, my CSO colleagues, here are some of the things I learned from this experience.
Have a Policy
You must have a security policy that specifically addresses the use of software that is not company-issued or approved, and that defines roles and responsibilities so that everyone understands who can and cannot download software, and for what reasons. If your security staff is like mine, they can get creative and will play fast and loose unless there are specific policy guidelines for downloading and using “productivity software.” Don’t get me wrong. I love the fact that my gals and guys are always looking for ways to do their job better. The problem is, there are so many cool tools that they often think there’s no harm in downloading and installing the latest version of an application. Unfortunately, the harm may not be known until the damage has already been done. I know. I’ve done it and had my hands slapped, as many of you have!
While we had a good policy regarding the use of legal software, it was a little loose on the use of illegal software. It’s critical to ensure your policy is unequivocal in identifying what types of licensed or unlicensed software can be installed. Is software licensed under the GPL, the LGPL or an FSF-approved license acceptable? What about copyleft? What does all this mean? Check out this helpful background. And read all licenses thoroughly.
A good policy should also state that only software that has been approved by your governing control board can be installed in your network environment. In addition to your working “software tools,” this policy should cover encryption, PDA, MP3 and peer-to-peer software, as well as screen savers and browser plug-ins. Your policy should also address personally owned media and external devices. Not only are these a huge source of malware, but they can compromise the integrity of your software environment, and the last thing you want is an unexpected knock on the door from the Business Software Alliance.