Embracing the Digital Supply Chain and worrying about Open Source (also available as podcast – see link below)

–    Paul, welcome and thank you for joining us for this interview where we will be discussing the current state on Open Source adoption and how that may affect organizations from a license  compliance and a security point of view. You’ve quite recently joined Source Code Control but in the past you also led the audit team for Microsoft in the UK, so please tell us a bit about your background

“Thanks Jesper. It’s been an interesting journey. I started out working on the graduate IT programme for a pharmaceutical company. My first job was swapping out green screens for 286’s with dual 5 ¼” floppy drives! I did a bunch of different things –  development, project management and infrastructure management. I got into asset management when I left Microsoft first time around in 2007. I’d always taken the view that for Microsoft “the rubber hits the road” when you sell a license and so I read licenses because I felt they were important. With a global, financial hardships coming in 2007, I figured IT companies were going to squeeze customers. So, I helped customers for 4 years and then Microsoft asked me to go back and run the SAM team. My last job at Microsoft UK was a year as Chief of Staff, but that’s a whole other interview”

You’ve obviously been on both sides of the fence now, so could you also gives us your thought on where do you see the SAM (or ITAM) today?

“I think we are at a watershed moment. The great SAM / ITAM people will morph into real digital leaders. They will think about the entire digital supply chain for an organisation and own it. I’ve joked before they should change their name to Digital Supply Chain Officers (DISCO). They will worry about the inputs and outputs for a company, concern themselves with risk and become thought leaders. Data will be vitally important to their role.
The good SAM / ITAM people will continue doing what they do. At the moment, I see a shift more back to hardware as being important. IoT and the lack of management there really worries me. But that ebbs and flows. They have to be prepared to embrace other areas too – IoT I’ve mentioned, but also Cloud Economics, Privacy and Software Development.
It’s an exciting time.”

You’ve mentioned the supply chain for IT, please explain this a bit more in-depth and why this is so important?

“I spend a lot of time with start-up companies. There isn’t one of them who doesn’t have software at the heart of their business. Look at the UK, the FTSE 100 has changed by 40% since 2012 and nearly every new entrant is an IT company. Disruptive companies – all IT. But I think the pendulum swing is towards exciting innovation and there’s not enough balance with proper governance. I don’t want to be a party spoiler, but look at every other exciting industry – automotive, telecoms, travel. They’ve been through that Tuckman cycle of forming, storming, norming, performing and we have a lot of norming to do!
We are definitely starting to see the cracks appear. Equifax lost 146m records and it was all down to mis-management of assets. But here is the issue – we don’t “own” those assets any more. We outsource development, we subscribe to cloud providers, we have BYOD, we re-use code from other developers – it’s a supply chain!
I think the clearest example is in software development. There are codebases with as little as 5% unique code, meaning 90-95% of your software comes from a variety of different sources with different licenses, different security requirements etc. You wrap up all those bits and turn them into your magic and pass it on to your customer. That’s definitely a supply chain!”

I noticed you’ve been working with NHS in a project – could you tell us a bit about this project – what it’s all about, their concerns and the results from your engagement with them?

“This is a great example. The UK NHS has paid a lot of money in the past for monolithic proprietary systems which haven’t delivered on productivity. There’s a couple of groups – Apperta Foundation and Code 4 Health who have looked at their supply chain and recognised the innovations in open standards for health and an ecosystem of smaller development companies building solutions. Our role is to help raise the quality of those developments by making sure they are secure, licensed and copyrighted correctly and built on solid foundations. Ultimately, the NHS want to build a library of high quality open solutions for health and build out a perpetually strengthening ecosystem.
It’s early days, but it is a fantastic project in which to be involved, run by some incredibly visionary people. It’s just my opinion, but some of the early solutions are superbly high quality and of course, patched, copyrighted and correctly licensed!”

You also provide training in Open Source – why is this important and what do people take away when they go to this training?

“96% of software published contains open source components. And before anyone says anything, yes, that includes .Net SQL etc. We recently scanned an app where the owner said “we are all .Net, we don’t use Open Source”. 20+ Open Source components! And hackable security flaws. And licensing problems.
We really struggle to know what the training course should be called (and I’m open to suggestions!). But it is something along the lines of “a bunch of things you really need to think about, if your business value is based to some extent on software development”.
We help people to understand the business risks involved in software development, what open source components are, how they are used, what the legal considerations are (copyright, licensing), best practice in managing components and what tools they can use to help.
We get lawyers, developers, project managers, risk managers, security officers on the course and I can genuinely say, everybody walks away with a better understanding. If you don’t want to be the next Equifax, it’s well worth it!”

And finally, if you’re a SAM manager realizing there are some potential issues in the Open Source area – how would you recommend the SAM manager to go about this?

“Go on the training course first! “for not much money, the worst that can happen is that you learn something”. But we also provide “smoke tests” where we can scan some of your software and get a sense of what scale of problem you are facing. For smaller companies with between 1 and 4 codebases we are also just launching a subscription service where you drop the software and we constantly check for security, licensing and copyright issues.
If you don’t fancy any of that, I would say, sit down with a big piece of blank paper and think about your Digital Supply Chain! Think about the areas you understand and the ones you don’t. It’s the first step on the way to the DISCO!”

Thank you Paul, it was a pleasure having you here.

Listen to the podcast>>>