Open Source in the Enterprise is Inevitable

By chromatic
July 23, 2008

Running time: 00:31:20

Bernard Golden is an authority on open source in the enterprise, and the author of a new report from O'Reilly called Open Source in the Enterprise. The question isn't "if", but "how".

O'Reilly recently interviewed Bernard about the report and some of the surprising conclusions -- including job data which indicates that a significant percentage of jobs in the Fortune 500 include open source software.

[Let's talk about] open source in the enterprise from the early days back when there was even the barest hint that there could be commercial involvement in open source that the term open source was palatable to people who were in big businesses. People have been talking about open source and the enterprise for ten years now. What's different now that was not there ten years ago?

Well, I mean to my mind what's changed is it's -- the adoption has been gradually building over the course of time and now it's reaching a tipping point where it's becoming a much more significant presence. And most organizations are at least aware that they're using it. And some are overtly pursuing an open source oriented strategy for part of their IT strategy. So it's very consistent with most what I'd call revolutions in that the take up is relatively gradual. There's no one day where everybody wakes up and goes, Ah-ha, and shifts en masse, but it sort of builds and builds and eventually gets to a point where it's the deal; it's the way things are done. I mean the same thing happened with PCs. So this is not a new kind of thing. And it's not something sui generis to open source. This is the way innovation gets adopted by enterprises.

An O'Reilly Radar Report

Open Source in the Enterprise: Using open source in the enterprise -- the question is no longer "if," but "how?" The low cost, easy access, and expansive license terms of open source are certainly attractive -- especially since IT budgets have decreased 3-5% every year, while software costs have increased, and IT staffs have been tasked to create web services and pursue Web 2.0 initiatives.

In your mind, is a disruptive technology such as open source nearly inevitable?

Well, for sure. You know, I mean -- well, I'm a huge believer in free. And that cheap trumps expensive long-term. There aren't many markets where being the expensive alternative is a positive characteristic.

These are luxury markets.

Yeah. Luxury goods where it's, Hey, I spent $5,000 for this handbag, makes it better than a $2,000 handbag. There's certain markets. But most markets lower price entrants tend to displace higher price entrants assuming they're on the -- roughly on the same functionality scale. So I do think it's inevitable in that the cost structure is very, very compelling for open source.

By cost structure, one of the points you bring out in your report, is that it's not just upfront costs but even opportunity costs of acquiring the software for doing an initial deployment or exploration.

One of the great things about open source is that it has very low barriers to trial. So you have an opportunity to really start experimenting almost immediately, and that means that if you've got a particular kind of opportunity or a business situation that presents itself, you can get going right away. You don't have to sort of do this upfront planning and upfront justification for the licenses and so forth. And it gives you an opportunity to get going really quickly so you can explore much more cheaply. So it gives you a chance to lower your cost of experimentation. And that's a real benefit particularly in a time of economic change or economic turmoil or significant economic change in a macro level which is what's going on in trends in our global economies; lots and lots of change. So in that kind of environment, the ability to experiment quickly and cheaply is a positive characteristic for open source software vis-a-vis the proprietary alternatives.

There are downsides as well though. I remember at HP in the late nineties when no one had heard of the Linux kernel and Apache httpd was probably the only success. It was really easy to take an old decommissioned machine, stick it under a desk and all of a sudden, my department had a web server, so the CIO might not know that we're using the Linux kernel. We're not using Apache; we're not using Debian, but there could be hundreds of these boxes performing vital functions that is not apparent to centralized IT for example.

That's a traditional story about open source. And I guess really a major driver for the report being put together and a major theme is that this stuff has come out from under the table, under their desk or out of the watering closet and into kind of more consciousness. But it takes a long time for that to happen, you know, it's a gradual trend. But it's becoming more -- awareness is becoming stronger and so people start formalizing around it more.

Actually, I heard a very sort of humorous anecdote about this. Someone was in talking to a CIO about open source and the CIO said, Well, we don't use any open source. I mean we're just proprietary. And they said, "You mean you're not using Apache? You're not using Tomcat?" And he says, "Oh, yeah. Yeah. Absolutely. We use Tomcat. We use Apache." Well, where do you get Apache from? Well, we get it from the Apache Corporation. Clearly that person had not poked very deeply into what that was. I thought that was a pretty funny anecdote about it.

ASF will be happy to hear that their branding is working. They can up their support fees too.


Well, do you think this -- in your years of watching open source adoption in the enterprise, do you think a lot of this is top down, bottom up or is it inevitably a combination of the two? If I go to Red Hat and say let's put an ad in CIO magazine saying the cost of acquisition for JBoss and Tomcat running on Red Hat Enterprise Linux is a fraction of that for IBM's proprietary offering or the Oracle stack or something like that. Versus somebody who's been in the organization for ten years who started like I did by putting a little web server under his desk and is now in a position of authority in the organization. Do you have a sense that adoption comes from one or the other or is it always both?

Well, I tend to think that it's bottom up. And I think that most innovation is. It's very hard when you're at the top of an organization and sort of consumed with keeping kind of the mainstream initiatives of the organization going and so forth. It's very hard to sort of make mindshare for, Well what are the innovative things we ought to do? Let's go do that. Whereas somebody further down can take it upon themselves out of a personal interest or out of a need or something to experiment and typically what happens is that enough of those experiments happen.

Awareness gradually builds and moves up the food chain until it gets high enough up where somebody goes, "Oh, this is really something we're doing a lot of." And then they start to connect the dots and say, Well, how are we handling this? Should we be doing more of it? What are the common characteristics? Then it starts to get more widely adopted.

As I mentioned earlier, the PC is a really good example of that. I mean today it's hard to think of it, but when PCs first showed up in enterprises, they were not an official IT initiative, far from it. They were brought in by people kind of through the front door or maybe the back door from home, and they sort of plunked them on their desk. And they said, This helps me do my job. I can run spreadsheets. I can do what if analysis.

The initial reaction by most IT organizations was to attempt to ban them. And, you know, that's not part of our official structure and so forth. And essentially people said, Well, you're going to get rid of this PC when you clutch my cold dead fingers from around it, kind of thing. And -- pry my dead cold fingers from around it, and they stuck, and then they started to grow, and eventually it became enough well-known and there was enough business value that it started to become more of an official thing.

At that point, you started to get IT groups doing things like, Well, we need a budget for them. We need to sort of define standard hardware, standard software loads, approved software lists so forth and so on. And that's very much how it worked. So it's sort of typically from my perspective, these things always start bottom up. They bubble upwards, and at a certain point, they achieve a critical mass where they become more official policy.

In 2008, with regard to open source, what part of the cycle are we in?

It's surprising to many people and even surprising to me, but I think we're still early. Most organizations are probably aware that they're using open source, but they have not yet really connected the dots of what that implies and that they should be more regular about it.

In the report, I sort of characterize three action plans for organizations to pursue around open source. And the one is kind of the early stage or ad hoc and that probably makes up like 90 percent of open source users, enterprises that is. They're aware of it. They use it for isolated instances. It's still being adopted kind of from bottom up. They're aware of specific success stories. But they haven't yet gotten to a place where they kind of go, Okay. This is going to be a regular part of the way we do business going forward. We need to plan for it and incorporate it into our standard processes and so forth.

Mainstream users by contrast are very aware of open source. They regularly consider it. They oftentimes will do things like as part of their technology initiatives say, "You've got to examine whether there's an open source alternative for us to use within this technology initiative and identify the ones you've looked at and give a no go recommendation about them." It's kind of wired into their process that open source is something to be actively considered. And that's really only a very few percent. I'd say less than five percent of most organizations.

Then at the very top, at the tip of the period, you've got maybe one or two percent that are really looking on open source as being a real source and supporter or enabler of innovation. And sort of how can we build new kinds of apps where we can take advantage and leverage the economics of open source or build a community around what we want to do to help build our business. That's a smaller percentage yet still.

Do you foresee those numbers changing over time? Would it follow a classic disruptive technology adoption curve?

Absolutely. We use it certain places or it happens as a skunk works or we weren't really paying attention and they snuck open source, that's all going to drop away. It will become kind of, For every system we build, we will consider whether we have some options around open source. Absolutely. There's no question about that. It's coming though. I don't know that we're there yet with most organizations.

Does that require evangelism on the part of open source developers, companies that have already adopted it, maturity of the available open source applications and support channels? What are the drivers of this besides, of course, free which is hard to compete with?

I think the drivers are a couple fold. One is actual experience within the organization. Okay. We built some things, and there's four of them or five of them. Let's look at the commonalities and see if it all makes sense. Should we do more of it? That's one. And then the second is the all purpose, What are my peers doing? What are our peer organizations doing? Oh, are they doing a lot of it? Well then we ought to be on top of it too. So it's just kind of keeping up with the Joneses sort of thing as well. To me, those are the key factors that really drive an innovative technology or disruptive technology to be something that becomes part of every day processes.

You didn't even take the bait on "is it mature enough"? Are the applications there? Support channels? Shall I assume that you think that for many applications they are?

It's funny, you know? I find it ironic because I still run into people who I'll have that discussion and they'll kind of reflexively say, Well, the problem is there's no support. And really to my mind that is the knee-jerk reaction of a late adopter or I don't know what an appropriately acerbic term is, but that's someone who is using that as a rationalization, a fig leaf for, I don't really want to do anything different than what I'm doing now, so if I just kind of trot this excuse out, I won't have to really confront it. I mean there's a zillion open source products, and so obviously some of them have the right kind of support capabilities, are mature enough. Some of them aren't. There's no doubt about that. But many, many of them do have those characteristics and capabilities.

To reflexively refute the use of any open source by saying, "it doesn't have that", to me is just so backward looking. It's confining yourself to a laggard position. Depending on the industry and depending on the company that might be a comfortable position to be in. But for many companies and many industries, that's unacceptable. To put forward that kind of response I think is a real abdication of the responsibility that someone who is in charge of an organization's technology strategy -- that's an abdication of that responsibility.

Those are pretty strong words, but I'm glad to hear them.

That's the job of someone in that role is to understand what are the new trends, the new developments. And particularly what are the disruptive trends. Just like you'd expect someone in marketing to know what are the new disruptive ways of reaching out to customers. And if in 1998 or in 2000 someone said, Well, I'm not going to use that web marketing stuff because it's not really clear if [it will succeed], whatever the rationalization would be, that would be the equivalent of I don't know if there's support there for it....

You'd look at that and you'd say, That's somebody in charge of marketing who is missing part of their responsibility. Part of their responsibility is to find new ways to reach our customers. That person should be doing that. And if they weren't doing it, you would question their -- the appropriateness of them being in that role for your company.

That's an interesting analogy as well because nearly all of the software driving the internet is in fact open source.

That's true. If you look at Web 2.0 stuff -- so I talked about that kind of one or two percent of companies who are being really innovative. I think Web 2.0 as a concept fits into that category. They're all open source powered. And they have to be because they're built with the assumption that you're going to have large scale in terms of your systems. You need to have a way to react quickly, you know, roll out new systems, be able to expand your capabilities quickly. That's all open source. I mean they just -- for them it's not even a question; they never had that debate. They just of course default to using open source because --

It's not if we're going to use it, but which projects will we use.

What are the right ones for us to use to pursue our strategy which is based on large scale expansions, the ability to react quickly, be agile and so forth. So for them it's not a -- the internet, yeah, is a -- is just -- it's powered by open source. There's no question about it.

It in fact powers open source in return.

Open source wouldn't exist without the Internet. There's no question about it, and it's an enabler for it. The fact that the internet in general and broadband penetration specifically has been spreading throughout the world, has been a huge enabler of open source software and the creation of open source distribution uses and so forth.

I remember reading in your report where you broke down adoption strategies for these three categories of companies you describe. What I didn't see in a great deal of detail was breaking these down per industry. So it's not as if airlines are adopting this; technology companies are adopting this, not adopting this. Did your data study give you a sense of penetration in specific vertical industries?

Our data mining didn't go in that direction, although that would be a very interesting direction. And maybe version 2.0 of the report will look at specific industries. That's a very good suggestion and one that really should be taken up. Intuitively and anecdotally, industries that have taken up a lot are ones that were really cost pressured. So travel is one. Retail is another.


Well, startups absolutely. We can come back to that in a moment. And also telecom, because they're all under extreme cost pressures. A lower cost alternative is very attractive to them. In terms of startups, yeah. And I would say that entrepreneurs are really drawn to it because for them the amount of money they spend is directly related to the amount of equity they give up.

The less they have to spend, the more equity they can retain. I'm sure you've seen this whole discussion that there's a question of sort of a complaint among venture capitalists because they say, Geez, this Web 2.0 stuff doesn't really take as much funding as those old companies did. Essentially it's hard for us to spend as much money on them as we used to be able to in the old days.

[There]'s kind of a plaintive cry about that. Open source has been great for entrepreneurs. No question about that either.

I bring this up because one of the highlights of the study for me was looking at job data and pulling out job trends. And one of the surprising conclusions was that perhaps 10 percent of jobs within certain industries have a strong focus on open source.

That was pretty much across mainstream Fortune 500 companies. In other words, kind of the big manufacturing companies and so forth and so on. We had to strip out technology companies because many of them, as much as 40 or 50 percent of their jobs would be open source oriented. Generally across kind of the broad spectrum, about 10 percent of their jobs were focused on open source skills.

Did that surprise you as much as it surprised me?

Intuitively, I would have thought that it was going to be lower. It sort of surprised me that it was at that level. I haven't had an opportunity yet to really pursue it with enough CIOs to really understand what that implies or what that means. It might be the case that some of those CIOs even don't know that there's that many jobs. Those might be getting created and posted at levels lower in their organization.


But I was surprised. I've talked to people in the past and said, "what percent of an infrastructure do you expect is open source?" The numbers have come up one, two percent. Something like that. Based on that perspective, hearing that 10 percent of the people that they're hiring for technical jobs are open source developers or admins or whatever would be pretty surprising.

What kind of implications are there I mean for me as a businessman or for me as a technologist? What should I be looking at in the next year or two related to that information?

First and foremost, as we talked about that technology adopts, right? It comes up from the bottom. It bubbles up. At a certain point, higher level people start saying, We need to really sort of make more of a plan around this, be more formal, have more of a structured approach to it. Well, this data should tell people, Hey, it's getting to that point. I need to really come up with a more structured approach to it. I need to make sure -- do I have a plan to create the right skill sets that I need. Am I recruiting in the right places for those kind of folks. And in the report, I talk about things like creating the ability to work with communities.

That was one of my favorite things you mentioned altogether. As a practicing technologist, I find that businesses are almost ignorant of the fact that community-driven software development which powers a lot of open source projects relies on the active participation of users, turning them into actual contributors.

Just participating in communities I think scares a lot of enterprises.


It seems just kind of squishy and kind of uncomfortable, but those skills are fundamental if you're going to be successful with open source.

You're not going to get what you want from me unless I know your needs.

You're not going to get good quality support unless you know how to work with a community too and so forth. That's a skill set that you have to figure out how to create within your organization, and that's what that 10 percent should alert people to is, Oh, I have to come up with a formal way to put these kinds of things into place with my organization, because it's clearly an important part of what's going within my company or within my peer set of companies. The report goes into kind of all of the things that you need to do around that as part of these action plans.

All right. Suppose I'm a CIO or a CTO, I go out. I buy your report right now which I recommend; it's a great report. Where do I go after that? Does it lay out things that I need to be doing in the next three months, six months, nine months? Are these the trends you need to pay attention to? Where do I go from there?

Well, it's more than trends because I hate the kinds of things that sort of go, Oh, there's a big problem. You should be aware of it. Thanks. Thanks for telling me that.

Now I have something to keep me up at night.

Now I've got another problem. I'm trying to get rid of problems. The report lays out action plans for each of those three organizations: kind of the ad hoc or beginning organization, the mainstream organization and the advanced one. What are the things that you should do in terms of building your capability to use open source or to begin to adopt it in a more mainstream manner? What things do you have to put in place to do that? The report concludes with that section of action plans that are really focused on here's the four or five things that you need to do if you're this kind of an open source using organization. Depending on -- obviously they differ depending on which type of organization you are.

Those are all of my questions, Bernard. Is there anything I didn't ask you that you think our readers and listeners need to know?

One thing you didn't really talk about was the drivers that we identified for why enterprises would adopt open source, and I think those are very interesting. I mean we touched a little bit about the agility and scale. But there's other dimensions, other reasons that enterprises look at open source that are important for what they need to accomplish. One was quality and security, and the fact that open source tends to be very responsive around bugs.

One of our case studies referred to the Coverity software checker which received a Department of Homeland Security grant to analyze several popular free software projects for quality, responsiveness to bugs, even just the quality of their code.

That's right, and at least in their conclusion, open source came out quite favorably, particularly in the responsiveness. They came out with this report that said, Here's all of these bugs that we identified. And some of them were fairly [common] in any software. The fellow running the study from Coverity was surprised at how quickly all of those bugs were looked at and addressed and fixed.

Wasn't the period something like two weeks? Within two weeks, we'd solved 80 percent of these bugs?

It was quite dramatic and quite remarkable in contrast with a typical kind of proprietary product approach to these kinds of things. Quality and security is another reason why enterprises look at adopting open source. Cost we talked about, and there's a lot of dimensions of cost. There's the pure license fee issue, over the life of a project that could be very significant. But there's also the question of the timing of when you make payments which we talked a little bit about in terms of you don't have to pay upfront to begin using the software; you can use it and make more investment as you get more value out of it.


That's another one. Of course, sovereignty is a huge issue throughout the world which is essentially governments and companies in we'll call them non-American nations, non-U.S. nations I should say, don't want to have their technology future dictated by companies from the United States.

The perpetual fear about the N.S.A. back door in Windows for example.

That's for sure one. The question of is my stuff going to be secure or is somebody coming in and eavesdropping. Which if you're a country with your own secrecy needs, the thought that the U.S. might be kind of sending in a packet and all of a sudden reading all of your private information is very concerning. Beyond the pure sort of national security issues, there's issues that many countries want to develop their own IT capabilities in their economies because they see that as a fundamental foundational skill for all of the other kinds of things that they'll be wanting to do. Purchasing packaged software that comes in a bundle that you can't do much with, from their perspective, retards the ability for them to develop a native IT capability. So they like open source because it gives them more flexibility. They can modify it. They can have their own people begin working on the code. And so it gives them ability to sort of build up their own internal capabilities. And so that's another driver for enterprises.

Innovation is a big one. There's a couple of good case studies in the report talking about companies that have leveraged open source and open source community to pursue further their own particular business interests. So this isn't kind of innovation at large for the economy or for the society; it's innovation for that particular company. It's a way of them defending their business strategy but leveraging open source as a way to accomplish that. That's another driver for enterprises. So there's a number of drivers that were identified in the report as why open source is important to enterprises, and why enterprises are taking advantage of it.

Those are all things that if you are a CIO or a CTO, you should be looking at and saying, is that characteristic important to me? Or, is that driver important to me, and if it is, what are the things I need to do? We actually do a mapping of open source characteristics so there's a number of characteristics of open source, things like expansive licensing or high quality or community, whatever it might be. And we sort of do a mapping between the drivers that I've just been discussing and those characteristics so you can really look at what capabilities do I need to build my organization, what things are going to be important to me about open source.

Then you can look at the products you use to ensure that they're strong in those areas of those characteristics so that they'll support the drivers that you want to be pursuing. That's an area of the report that we didn't get a chance to talk about earlier that is a key part of it. Because at the end of the day, open source may be a great thing on its own, but it really has to be seen in the context of what are the things that I'm trying to accomplish as an organization? What are my business objectives small and large? And does open source support me in pursuing those things? If it doesn't, then it's kind of like, Well, okay. Great. It's a great thing. But if it does, then it's something that really needs to be examined very closely.

Transcript provided by Wendy Smith
