This week's eWeek contains what should be a wake up call for every CIO regarding the pervasiveness and challenge that open source represents to their jobs and organizations. In the midst of an extensive interview with Jonathan Schwartz and Rich Green, Schwartz cites this anecdote, which provides dramatic evidence of the role open source plays in today's IT landscape. Here is the anecdote in its entirety:

"I was with the CIO of a very traditional financial institution recently. At the end of our meeting, I said, "By the way, we've just announced the closing of our acquisition of MySQL." The CIO looked at me, and she said, "Well, that's nice, but we really don't use MySQL here. We're a proprietary software shop." A very eager Sun sales rep was with me who had checked in with his buddy at MySQL and found out that this organization had downloaded MySQL 1,300 times in the last six months.

"[The CIO] was stunned by that. A couple of their technology folks who were also there said, "Actually, it's the No. 1 database all of us use. It's just that we don't have a commercial license because we've been told we're a proprietary vendor shop."

"So now we're in the midst of negotiating a license, and they'll wind up saving, like everybody else, $5 million or $10 million. And that, in a slowing economy, is a very helpful thing."

Schwartz recounts this incident as an example of how Sun is going to prosper with its open source strategy, and I'm pleased with their happy outcome, but the true meaning of this incident is far more profound and illustrates what a challenge open source represents to IT organizations' business-as-usual.

In this company, open source is being widely deployed; however, none of the existing processes are tuned to address this fact, and are, in fact, completely blind to the presence of open source in a large number of the company's IT projects. Think about the risk exposure this represents. Obviously, there are questions regarding whether the company is complying with the license obligations of the open source software, so the company's attorneys are likely to be concerned.

To my mind, though, legal risk is only a small part of the overall risk this CIO faces. The far larger risk is that there is no visibility into the makeup of a significant portion of the company's IT infrastructure. How can you confidently plan for SLA commitments when you're not sure of what software you're running, its maturity, supportability, and so on? Furthermore, as a CIO, you face the very real potential of being unable to adequately map out your workforce skills planning, since you are unaware of what development and operations commitments accompany these invisible software implementations. Finally, it's hard to attest to important regulatory requirements (if you're subject to regulations like recoverability and so on, as financial institutions are), when you don't know what will need to be recovered.

The initial response by many CIOs is to ban open source, but it's far too late to bar that gate. As Gartner has noted, over 90 per cent of all enterprises will be using open source by 2010. Given that, the critical action item for CIOs is to set up policies and processes to manage the use of open source and ensure that its benefits are retained while risks accompanying its use are reduced. The common term for this is "Open Source Governance." In my next posting I'll discuss what open source governance is and provide some pointers about how to move forward with it.