Re: OpenChain Certification and Business Value
Absolutely, I agree. Actually, in some orgs that have a large product footprint across various business models (on-prem, SaaS, enterprise, managed XaaS, etc.), OpenChain is part of the organization's broader Third Party Assets Initiative, which includes not just third-party open source (OS) components but also TP commercial assets that need to be regulated and validated for security and compliance. The actual third-party compliance processes are embedded within the product's development life cycle into what can be perceived as a fully integrated 'Dev-Sec-Ops' model that addresses these main goals (not a complete list):
From: <main@...> on behalf of "Andrew Aitken via lists.openchainproject.org" <andrew.aitken=wipro.com@...>
A couple of things to keep in mind: OpenChain is an element of a compliance program, which is in turn an element of an open source governance program, and the business justification for OpenChain can be tied to the larger goals for compliance and governance, which will vary by industry. If you embed lots of open source in products you sell, then you are very concerned about license compliance and IP leakage; if you're in a highly regulated environment like financial services, you're more concerned about regulatory compliance, cybersecurity risks and operational overhead maintenance, what I refer to as open source component lifecycle management. When OpenChain conformance is a part of those larger efforts, it is much easier to justify.
Global Open Source Practice Leader
From: main@... <main@...> On Behalf Of Trent Allgood via lists.openchainproject.org
Sent: Sunday, February 21, 2021 7:18 AM
Subject: Re: [openchain] OpenChain Certification and Business Value
I agree with the previous statements as well. In addition, it might be hard to find current statements on OpenChain itself due to its relative infancy, especially as an ISO PAS, but Gartner has said a lot over the years about the business value of proper IT Asset Management (ITAM) & Software Asset Management (SAM) governance. ITAM includes SAM, which itself includes Software License Management & Compliance, which itself includes Open Source License Management & Compliance. One of the most common statistics used from Gartner (paraphrased) is: 'companies with mature Software Asset Management practices can recognize 30% cost savings the first year and 5% cost savings in each of the subsequent 5 years' (see G00214140 for the exact language). Gartner has also made several statements on the trend of IT security concerns being the main driver for adopting proper SAM governance programs. An organization can't manage and mitigate what it is not aware of (e.g. the Equifax breach; the congressional report directly blames the lack of knowledge of what software was running in the environment). This is commonly referred to as 'shadow IT', and Gartner states that it expects a third of future cyber security breaches to be facilitated by unmanaged shadow IT ('Gartner Predictions for IT Infrastructure and Operations 2016'). So depending on whether your organization's scope is broader than Open Source License Compliance, you may find additional compelling reasons and statistics. Keep in mind, there is also a family of ISO standards for IT Asset Management: ISO/IEC 19770-1:2017.
ISO/IEC JTC1 SC7/WG21, Secretary
Anglepoint, Director, ITAM