What IT Leaders Need to Know About Open Source Software

Here are answers to some common questions about open source technology, which can be a key enabler of innovation and digital transformation efforts.

Guest Commentary

March 23, 2021


Whether they are aware of it or not, more than 95% of IT organizations worldwide use open source software (OSS) within mission-critical IT workloads. Furthermore, interest in open source continues to grow: Gartner predicts that more than 70% of enterprises will increase their IT spending in OSS through 2025.

IT organizations leverage OSS to gain cost savings, flexibility, and innovation benefits over homegrown or third-party commercial alternatives. Yet even as OSS proliferates across enterprise environments, many CIOs, CTOs, and enterprise architecture leaders lack a comprehensive understanding of its business value and use cases.

Here are answers to some common questions that IT leaders may have about open source technology, which can be a key enabler of innovation and digital transformation efforts:

1. What is open source software?

“Open source” is a model for the development and distribution of software that provides access to source code and encourages community stewardship and support of the technology. OSS is defined by a specific license scheme, enabled by broad collaboration among developers and users via the internet, and empowered by large and diverse communities that leverage open innovation principles.

2. Why do organizations use OSS?

IT organizations worldwide use OSS across a broad set of use cases, most commonly in application development, infrastructure software, DevOps and data and analytics, including artificial intelligence (AI). Many enterprises seek out OSS directly as an alternative to traditional buy-versus-build options.

While many factors may influence an organization’s decision to use OSS, the most common reasons for doing so include: 

  • Cost: Nearly every open-source adopter expects cost savings when compared with homegrown or licensed proprietary third-party solutions. However, Gartner research has shown that open-source efforts do not always save money. The outcome hinges on many factors, including the governance and skills needed to operationalize it.

  • Freedom and Flexibility: Access to the source code is a frequently cited benefit of OSS. In addition, no single entity has exclusive control over an open-source project, so adopters of mature projects usually have the flexibility to choose among multiple commercial suppliers when needed. Adopters also gain flexibility in choosing between self-support and commercial support options. The key to maximizing the ROI advantages afforded by OSS flexibility lies in the gap between the theoretical freedom to exercise control and customization and the realistic ability to do so, which is limited by factors such as engineering knowledge and bandwidth.

  • Talent Acquisition and Retention: Many developers and infrastructure engineers want to work on cutting-edge projects, want their contributions to be recognized beyond monetary rewards, and want to engage in social learning. OSS usage provides opportunity across all these factors, and it is becoming a magnet for hiring and retaining motivated talent.

  • Innovation: Open source is the dominant software model for open innovation efforts in the new digital economy. It also allows enterprises to tap into a wider pool of innovative talent and provides the ability to access software features faster from public repositories.

3. What are the risks of OSS?

Despite conventional wisdom, open-source solutions are, by their nature, neither more nor less secure than proprietary third-party solutions. Instead, a combination of factors, such as license selection, developer best practices and project management rigor, establish a unique risk profile for each OSS solution.

The core risks related to open source include: 

  • Technical risks, including general quality of service defects and security vulnerabilities.

  • Legal risks, including factors related to OSS license compliance as well as potential intellectual property infringements.

  • Security risks, which begin with the nature of OSS acquisition costs. The total cost of acquisition for open source is virtually zero, as open-source adopters are never compelled to pay for the privilege of using it. Unfortunately, one critical side effect of this low burden of acquisition is that many open-source assets are either undermanaged or altogether unmanaged once established in an IT portfolio. This undermanagement can easily expose both quality and security risks because these assets are not patched and updated as frequently as they should be.

Finally, vendor lock-in can still be a risk factor, given the trend among vendors to add proprietary extensions on top of an open-source foundation (open core).

Ultimately, whether built, bought, or borrowed, software development efforts require rigorous standards and best practices for security, quality and risk management. OSS adopters must measure its risks against their own risk thresholds and usage scenarios, while considering factors such as project maturity, license suitability and availability of commercial third-party support options.

4. How should organizations evaluate OSS?

The selection of OSS isn’t dramatically different from selecting proprietary, commercial off-the-shelf software. Key criteria to evaluate include functionality, integration, and cost of ownership. One critical advantage that good OSS projects enjoy is better transparency. Unlike private proprietary solutions, the metadata supporting OSS are easily discovered and documented.

IT leaders should include the following criteria when evaluating an OSS project: 

  • Code activity, which is measured through metrics like commits per quarter, as well as by the quantity and diversity of code contributors and where it is hosted.

  • Software release history, which should show a regular cadence of software releases and overall project maturity.

  • Community support and documentation, which can be measured by bug fixes in the project issue tracker, as well as the vibrancy and helpfulness of support discussion threads.

  • Ecosystem, which should include a diverse range of companies and individual developers contributing code to it.

  • Licensing model, which is measured by the permissiveness of use and redistribution and any negative implications of misusing the license.

  • Security reporting, including the process for fixing code-related bugs and security flaws and whether there is a robust way to privately report them.

5. How can organizations use OSS most effectively?

Being successful with open source requires that IT leaders recognize its importance to the business strategy, enforce policies for effective governance, and communicate its value to various stakeholders.

Any open-source effort needs to be tackled on an organization-wide basis, with participation from leadership across enterprise architecture, engineering, security and risk, infrastructure and operations (I&O), and sourcing. In large enterprises, establishing an open-source program office is an effective way to govern and scale open-source efforts.

IT leaders should see open source as an inevitable investment that, with proper management, will yield considerable innovation, total cost of ownership, talent retention and business value benefits.


Arun Chandrasekaran is a Distinguished Research Vice President at Gartner, where his research focuses on providing strategic advice to CTOs and CIOs on how to spur technology innovation within enterprise IT. Gartner analysts will discuss application innovation and software engineering strategies at the Gartner Application Innovation & Business Solutions Summit 2021, taking place virtually May 26-27 in the Americas.

