Does your organization’s IT governance framework include the governance and management of open source components? We asked this question during a webinar with the ISACA organization, and the responses were curious. Full disclosure: the audience was made up of ISACA members, so most if not all webinar attendees are currently using COBIT as a governance and management framework. There are still many organizations that do not have a formal IT governance framework in place. Forrester’s 2011 “The State of IT Governance, Q4, 2010” analysis pegged the number at 65% “having a formal IT governance framework.” My point? The likelihood is that polls of this group will reflect more governance sophistication than the industry average.
So, back to the polling question. While 37% of the webinar attendees said that they do extend their use of COBIT to govern and manage the use of open source, 39% said they don’t extend COBIT’s use to the management and governance of open source. In addition, 23% said that they have a “no open source use” policy. Having a policy that excludes the use of open source is simply not realistic.
What should we make of these numbers? If 62% of these organizations either have no open source policy or don’t use COBIT to manage to a policy, it’s not hard to believe Gartner’s prediction that “by 2014, 50% of Global organizations will experience technology, cost and security challenges through lack of open-source governance.”
Most organizations we speak with are working through the challenges of becoming more strategic in their use of open source components and realize that encouraging the use of open source can help drive greater productivity and cost savings by making developer organizations more efficient and innovative. And, by extending COBIT to OSS governance and management, business management functions would have the visibility and controls necessary to mitigate associated risks by ensuring internal compliance and adherence to regulatory requirements.
So what’s the reason for the gap? Well, putting a formal IT governance and management framework in place is hard. It takes time, costs money and requires cross-enterprise collaboration and commitment from a broad range of stakeholders. Which organization is going to drive the initiative? Who pays?
What are the long-term implications of either a policy that forbids the use of open source or one that simply doesn’t take the use of open source into consideration? Again from Gartner: “Open source is ubiquitous, it’s unavoidable… having a policy against open source is impractical and places you at a competitive disadvantage.”
So here’s a question for the 62%. When are you going to get started?