Over 90% of organizations that responded to a Gartner Research Circle survey use open-source software (OSS) in their enterprise, including for mission-critical workloads. Organizations choose OSS expecting it to be cheaper, more customizable, and of higher quality than commercial counterparts. Yet organizations may find that the expected benefits don’t materialize or are canceled out by new risks.
Security risks rank high on the list of concerns. Additionally, a lack of commercial support options and the potential disappearance of the OSS community can raise financial risks. Team members who participate in open-source projects can also create legal risks that reach beyond the domain of IT. Effective, cross-organizational governance policies can help organizations proactively manage these issues.
Governance policies and processes are key to protecting your organization from these risks and to ensuring the longevity of the software products your teams build. They help you manage and control where and when OSS can be used, and under what circumstances team members are permitted to contribute to or create OSS projects.
An effective governance policy defines the people, policies, and enforcement practices around OSS usage.
Form a governance committee
OSS governance is best tackled by a cross-functional team that has clear responsibility for defining the OSS governance policy and defining processes that ensure compliance.
Committee members should represent a span of relevant organizational areas. Governance isn’t any one individual’s full-time job, nor do the different aspects of governance reside entirely in one area of the organization. The committee therefore should include representatives from as many affected parts of the organization as is feasible.
Committee membership often starts with a core group made up of software engineering or enterprise architecture leaders, combined with other stakeholders from IT operations, security and risk, finance, and legal and compliance, to name a few.
Committee membership is not a prerequisite for stakeholder groups to contribute. Committees should, however, define and document levels of involvement for committee members and non-committee stakeholders. A RACI chart offers one method to categorize involvement as:
Given its cross-functional nature, the committee should answer to the executive leaders responsible for corporate policies, although it may report directly to the chief counsel, chief information security officer (CISO), or the CIO, depending on organizational structure.
Craft a governance policy
Effective policies define what is allowed and who has decision-making authority related to the use of OSS. The policy also documents the required processes and procedures for compliance, as well as the consequences for noncompliance. The policies will achieve greater buy-in if they are explicitly connected to the organization’s defined goals for OSS adoption, its tolerance for risk, its decision-making criteria, and its rationale for adopting certain constraints.
From that foundation, the policy addresses three different levels of OSS engagement:
Set the conditions for policy compliance
For many organizations, forming a committee and crafting a governance policy are relatively simple and straightforward. The real benefit of a governance policy comes through adoption and compliance, however. That requires committee leaders to:
The original article by Anne Thomas, distinguished vice president analyst at Gartner, is here.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.