Reprint from Gartner
By Mark Driver, Nitish Tyagi
Technology innovation leaders can leverage open-source software (OSS) to drive innovation, achieve cost savings and enhance flexibility. However, proper management and governance are crucial for moving beyond the hype, mitigating risks and increasing business value.
Overview
Key Findings
- Open-source software (OSS) is used within mission-critical IT workloads by virtually all IT organizations worldwide, often without their explicit awareness. Enterprises leverage OSS to meet their business needs, fostering innovation, flexibility, accelerated software development, and cost savings compared to homegrown or third-party commercial alternatives.
- OSS assets share the same core risks as any other software technology, such as quality, security and long-term viability. However, inadequate management and governance are particularly pertinent risks for OSS solutions because they are often not governed through sufficient support contracts — whether internal or contracted.
- OSS adoption across the enterprise varies widely by technology area, with infrastructure software, application development, DevOps toolchains, and data and analytics, including AI, being the most common areas of usage. ### Recommendations Technology innovation leaders like CTOs should:
- Embrace open source as a strategic investment that, when properly managed, can yield innovation, reduce total cost of ownership (TCO), and increase talent retention and business value.
- Build and enforce governance for OSS by establishing an open-source program office (OSPO) or a subcommittee. The OSPO should also be responsible for promoting companywide benefits of open source, including developing training and education materials for efficient use of OSS.
- Develop a strategic OSS plan that prioritizes key technology areas with the highest ROI for OSS adoption, in order to optimize technology investments and drive innovation. ## Introduction The open-source movement has fueled the digital economy and served as the bedrock of innovation across several CTO priority areas, including artificial intelligence, cloud computing and DevOps. The boom in AI foundational models in 2023 sparked renewed interest in open AI models, as enterprises sought better transparency, customizability and reduced vendor lock-in for building their generative AI applications. Open source is a model for the development and distribution of software that provides access to source code and encourages — and at times enforces — community stewardship and support of the technology (see Figure 1).
Figure 1: OSS in the Enterprise
Gartner (February 2021)
Open-source software in enterprises offers benefits like cost savings, flexibility, talent acquisition, and innovation. However, it also presents risks related to technical, legal, and security issues. Successful implementation requires effective governance, communication, and cultural strategies.
Analysis
Questions
- What is open-source software?
- Who uses open source today?
- What are the key benefits of adopting OSS?
- What are the key risks of adopting OSS?
- How should we assess the viability of OSS projects?
- Which business models underpin OSS and what are the pros and cons of each?
- How can organizations use OSS most effectively?
- How do we build adequate governance around OSS usage?
- What is an OSPO and what are its responsibilities?
- How do we measure the success of our open-source efforts? ### 1. What Is Open-Source Software?
There is no legally binding definition of OSS. The term is not copyrighted, and no government or international standards organization, such as the International Organization for Standardization, governs the concept. However, the most broadly supported definition is governed by a nonprofit group composed of open-source pioneers and developers. The Open Source Initiative (OSI) has collectively defined a set of attributes that, in its collective opinion, meets the minimal definition of OSS.1 In the absence of legally binding control over the term, the OSI has established a critical mass of consensus among most of the broader open-source developer community. In defining OSS, Gartner has a strong deference to the OSI.
At its core, the concept of open source hinges on a licensing scheme. Although many aspects contribute to a broader set of ideals related to the concept of OSS, such as community, open innovation and transparency, the license establishes the baseline for what constitutes OSS. The open-source definition (OSD) provides a set of minimal attributes for an open-source license. The OSI supports a submission process in which its members openly discuss, debate and “approve” submitted software licenses. An OSI executive board then either approves these submissions as OSI-approved licenses or rejects them.
The OSI maintains a list of approved licenses, and we strongly advise potential OSS users to cross-reference licenses against this OSI-approved list.2 While a license missing from this list may not necessarily be non-open-source, the OSI-approved process removes doubt by providing a broadly supported third-party expert opinion on license compliance. Consequently, adopters should be cautious of any software solution advertised as “open source” if its license is not on the OSI-approved license list.
OSS licenses focus on four key “freedoms” afforded to licensees:
- Freedom to use the software without restrictions.
- Freedom to access and examine the source code.
- Freedom to modify the software.
- Freedom to redistribute or share the software with others. ### 2. Who Uses Open Source Today?
OSS is used in mission-critical IT workloads by the vast majority of end-user and vendor-side IT organizations worldwide, whether they are aware of it or not. This includes use across a broad range of areas, with prominence in software engineering, infrastructure software, DevOps, and data and analytics, including AI.
According to the 2024 State of the Software Supply Chain report by Sonatype, 90% of production workloads originate from open source.3 Most commercial products include some form of OSS.4 Many enterprises actively seek OSS as an alternative to traditional buy-versus-build options, such as homegrown solutions or those licensed from proprietary third parties.
3. What Are the Key Benefits of Adopting OSS?
There is a long list of motivating factors for leveraging open source among IT organizations, but all can be summarized under these four categories:
- Freedom and flexibility: Many adopters turn to open source to gain flexibility over homegrown or proprietary alternatives. This promise of flexibility emerges in a number of scenarios, but access to the source code is the key differentiator. Additionally, no single entity has exclusive and authoritative control over an open-source project. Therefore, adopters can normally find multiple commercial suppliers for mature projects when needed.
- Innovation: Open source is the dominant software model for open innovation efforts in the new digital economy. It also allows enterprises to tap into a wider pool of innovative talent and access software features more rapidly.
- Cost: Nearly every open-source adopter expects cost savings compared to homegrown or licensed proprietary third-party solutions. However, Gartner’s research indicates that cost savings depend on many factors, including governance, infrastructure and the skills needed to operationalize OSS. Organizations should always assess the TCO for OSS to compare the cost benefits with closed alternatives.
- Acquisition and retention of talent: Many developers and infrastructure engineers want to work on cutting-edge projects, want their contributions to be recognized beyond monetary rewards and want to engage in social learning. OSS usage provides opportunities across these areas and serves as a magnet for attracting and retaining motivated talent. ### 4. What Are the Key Risks of Adopting OSS? The core risks related to open source have been and continue to be the same as any other software asset:
- Technical risks: These include general quality of service defects and security vulnerabilities, uncertain end of life, and potentially poor or nonexistent documentation.
- Legal risks: These involve factors related to OSS license compliance, as well as potential loss or infringement of intellectual property.
- Security risks: These begin with the nature of OSS acquisition costs. The total cost of acquisition for open source is close to zero. However, a critical side effect of such low acquisition costs is that many open-source assets are either undermanaged or altogether unmanaged due to poor governance or lack of skills. This lack of management can easily expose both quality and security risks, as these assets are not patched and updated as frequently as they should be. ### 5. How Should We Assess the Viability of OSS Projects?
Evaluate OSS projects on a case-by-case basis. Similar to proprietary software, capabilities such as functionality, integration and cost of ownership are all key criteria to evaluate. One critical advantage of well-managed OSS projects is better transparency. Unlike commercial proprietary solutions, the metadata (such as bugs and code burndown) supporting OSS is easily discovered and documented. Ensuring that you choose a viable and sustainable OSS project is important, and these selection factors can aid that decision:
- Project funding: A key component that decides whether the community will stay in the long run. Projects affiliated with groups such as the Cloud Native Computing Foundation (CNCF), the Eclipse Foundation or the Linux Foundation typically have a better chance of securing good funding.
- Code activity: Often measured through metrics such as commits per quarter, turnaround time for resolving issues, the quantity and diversity of code contributors, and where the software is hosted.
- Software release history: Well-managed OSS projects deliver a regular cadence of software releases and demonstrate overall project maturity.
- Community support and documentation: Measured by bug fixes in the project issue tracker, as well as the vibrancy and helpfulness of support discussion threads in community forums and mailing lists. Documentation such as “security policy” or “how to/FAQs” shows the maturity of the project.
- Ecosystem: Diversity of companies and individual developers contributing code to the project (a good mix of vendors and end-user contributors is a healthy sign).
- Licensing model: Measured by the permissiveness of use and redistribution and any negative implications of misusing the license.
- Security reporting: Assesses the process for fixing code-related bugs and security flaws, and whether there is a robust way to privately report them.
- Maintainers’ ratings: Considers who the top maintainers are, what other projects they are maintaining, how many repositories they are maintaining, and whether they have a trustworthy profile. ### 6. Which Business Models Underpin OSS and What Are the Pros and Cons of Each?
Open-source providers or vendors leverage several business strategies to support OSS. The most common ones are shown in Table 1. It is important that technology innovation leaders understand the benefits and limitations of each.

7. How Can Organizations Use OSS Most Effectively?
To be successful with open source, you must recognize its importance to your business strategy, enforce policies for effective governance and management, and communicate its value to various stakeholders. Any open-source effort needs to be addressed on an organizationwide basis, with participation from leadership across enterprise architecture, engineering, security, compliance and risk, infrastructure and operations, and sourcing. Every organization serious about open source must create an open-source strategy with input from various leaders that clearly and succinctly identifies the benefits, risks and policies governing it.
The strategy document should include:
- An overview of why OSS is important and its alignment with the broader business and IT strategy.
- Management of open-source efforts in a coordinated manner across the organization, often through the creation of an OSPO. ### 8. How Do We Build Adequate Governance Around OSS Usage?
Creating an OSS governance policy, which defines rules, roles, responsibilities and authoritative limits, is a critical first step CTOs can take. The policy should establish appropriate rules for the following:
- Consumption: What types of OSS are teams permitted to use, and who is authorized to approve acquisitions? How are exceptions handled?
- Contribution: Are developers allowed to contribute company intellectual property to an OSS community? What limits are placed on such contributions?
- Creation: How do we determine the creation of our own OSS project? Who authorizes such a decision? What licenses should the team use to protect the corporate intellectual property? How should the OSS project be governed and marketed?
- Security: How does the project incorporate the “secure by design” principle and address ongoing security issues as they emerge over time? ### 9. What Is an OSPO and What Are Its Responsibilities?
An open-source program office (OSPO) unifies ad hoc efforts within the organization and creates a centralized competency center to advance organizational goals. The responsibilities of an OSPO are outlined in Table 2.

10. How Do We Measure the Success of Our Open-Source Efforts?
There are several metrics that can be used to measure OSS success within an organization. There is no absolute value for success here. Instead, success is defined by the ability to continuously improve across these metrics over time. Some of these common metrics are outlined in Table 3.


The original link: https://www.gartner.com/doc/reprints?id=1-2L3XDVTH&ct=250602&st=sb
 


 
    
Top comments (0)
Some comments may only be visible to logged-in visitors. Sign in to view all comments.