If you’re a compliance manager, I invite you to imagine your ideal day.
Imagine logging onto your compliance dashboard and finding actionable opportunities already waiting for you. Imagine being able to confirm and act on them in as little as 15 minutes – maybe even less. Now imagine closing a major deal based on that new compliance information, the very same day you see it.
I know a one-day sales cycle doesn’t happen often. But I personally know compliance managers who’ve had that experience. And even if you can’t count on booking same-day revenue, scores of compliance management organizations have radically streamlined and accelerated the entire process of discovering infringements and transforming them into cash. This post introduces a five-part series on how you, too, can achieve something close to the “ideal” compliance management experience…no matter how “less-than-ideal” your current environment might be.
To begin, it helps to consider why the compliance manager’s role is so difficult. At Revulytics, my colleagues and I have collaborated with hundreds of professionals who are working day and night to succeed at this task. We see the same patterns and obstacles repeatedly.
Many compliance managers come to the role with deep knowledge of their markets and products. But proactive compliance managers must negotiate for the engineering and IT resources needed to monetize compliance. Who embeds the telemetry? Who builds the analytics? Who maintains and supports it all? Investing scarce technical resources in compliance is often a tough sell when there’s a huge list of customer features screaming to be built. Put politely, compliance managers rarely have as much input into product roadmaps as they’d like.
Second, even with organizational cooperation, compliance management is just plain complex. Managers are typically bombarded with scattered data from multiple disconnected sources. It’s a bit like the ancient fable about the sightless folks trying to interpret different parts of the elephant. It’s hard to know what you’re seeing, but chances are the whole picture is different – and bigger – than the tiny piece you’ve grabbed onto.
To address these problems, compliance managers often turn to basic “phone home” telemetry approaches. This frequently involves customizing a home-grown solution for making software contact you when it’s installed, registered, and/or activated.
This is better than nothing. But it’s not much better.
Most compliance managers are quickly disappointed with simple “phone home” approaches. Before you can do better, you need to understand why these first-generation techniques generate little revenue, and can’t scale as you grow.
To begin, “phone home” commonly returns only an IP address. In only 3-5% of cases does this identify infringers with sufficient confidence for software companies to act. Typically, basic “phone home” can’t accurately identify IP addresses associated with access through hosted providers, cloud services, VPNs, or proxy servers; addresses protected by privacy
Even if you can figure out who’s infringing with reasonable confidence, you’ve discovered little or nothing about the level of misuse. Without machine-specific data, you don’t know how many unique devices are infringing. You have no way to profile how infringers are actually working with your software. Are they just kicking tires? Or are they in there all day, using multiple modules, aggressively profiting from your intellectual property in their own high-priority projects? You don’t know. So, too, it’s often difficult or impossible to prove overuse or abuse of paid licenses via IP addresses alone.
There’s one more problem. A surprisingly large number of infringers will pay if you can prove infringement. As sophisticated compliance managers know, you can often position yourself on the side of the enterprise or its IT management. You can help them self-audit to uncover security risks within their own organizations – and, as they’ve increasingly realized, cracked software is a major security risk. Occasionally, they’re even appreciative.
But you can only help them self-audit if you have detailed, actionable data to share. Not just an IP address.
We’ve now outlined the challenge. The next four posts will guide you through overcoming it.
First, we’ll show how to integrate and automate compliance management that goes way beyond collecting just IP addresses. You’ll learn how to build efficient workflows for uncovering potential non-compliance. Next, we’ll guide you through confirming that a potential infringement is real, determining whether it’s worth
By the time we’re done, you’ll know how to establish infrastructure and processes that make your “ideal” compliance day possible – and just might deliver the occasional one-day sales cycle!
Vice President, Products & Strategy at Revulytics
Victor DeMarines brings extensive security product management and marketing experience to Revulytics, where he is responsible for product strategy and direction. He is a frequent speaker and author on topics including piracy, reverse engineering and the protection of intellectual property.