In the wake of Hurricane Irene, National Public Radio ran a piece on the challenges of risk management. Government officials, right up to the President, took heat for overblowing the potential danger, whereas surely they'd have been vilified if things had gone the other way and people had died due to insufficient warning. Don't get me started on the riskless society. The public's reaction reminds me of when my youngest was four and I chided her about how dangerous it was to run into a parking lot without looking. "But I didn't get hit by a car," was her reaction.
So, your company develops software and you have legitimate concerns about loose open source management practices. How do you, on one hand, get people's attention so that the company can manage risks, and on the other, avoid the appearance of fear-mongering? It's a challenge the Black Duck (my employer) marketing group faces every day. I don't know that we've completely cracked the code, but here are some thoughts:
Don't be a "negative Nancy" - Similar to the conventional wisdom on giving feedback to kids or colleagues: "Here's what I like about what you did; here are areas that could be improved." Always emphasize the big benefits of open source first, and make clear that the reason to manage risk is so that the company can continue to enjoy those benefits.
Associate with the mainstream - Communicate that having policies and procedures for managing risk is a normal part of doing business. (That's what Sarbanes-Oxley is about.) Managing how open source is used in software development is just another process, like managing requirements, quality, security or issue tracking.
Don't go it alone - A sole voice is lonely. Chicken Little would have done well to line up Ducky Lucky or Turkey Lurkey to support her position, or she should have relied on some industry experts. I remember Jim Zemlin, the executive director of the Linux Foundation, as part of introducing the Open Compliance Program, flashing a slide that listed all open source lawsuits and wagging a cautioning finger. My colleague, Peter Vescuso, and I both reacted that neither of us could get away with it, but Jim is so well-established as an open source supporter that it was taken as sage advice, not FUD.
Know your stuff - One erroneous claim or bad fact can undercut an otherwise cogent argument. Whether it's legal, security or operational risks you are discussing, don't go beyond what you can substantiate and explain.
So, be a knowledgeable supporter of open source and find respected allies to help you protect your organization's ability to leverage this great resource.
Phil Odence is Vice President of Business Development for Black Duck Software, makers of enterprise app development tools that address management, compliance and security challenges associated with open source. In that role Phil is responsible for expanding Black Duck's reach, image and product breadth by developing partnerships in the multi-source development ecosystem. He came to Black Duck from Empirix (formerly RSW Software and Hammer Technologies), a leader in carrier VoIP, contact center and Web application testing and monitoring. He served there as Vice President of Business Development, successfully developing the firm's alliance program, creating strategic partnerships, starting up new businesses and supporting M&A activities. Prior to Empirix, Phil was a partner at High Performance Systems, a computer simulation modeling firm, where he was responsible for consulting and partnerships with leading management consultancies, including McKinsey and A.T. Kearney.
He began his career with Teradyne’s digital logic simulation group in several sales and marketing management roles. He has an AB in Engineering Science and an MS in System Simulation from Dartmouth College.
Black Duck counts a long list of well-known technology companies as partners. These include IBM, Novell, Red Hat, HP, Intel and Microsoft.
When not at work, Phil can be found running barefoot, which he documents in his entertaining Barefoot? Phil blog.