We live in an application economy.
Like it or not -- this economy is underpinned by a sharp double-edged sword.
On one side of the sword -- innovation is king, speed is critical, and CEOs are challenging software development teams to release faster, improve quality, and accelerate innovation.
On the other side of the sword -- risk management is king, governance is critical, and CEOs (and auditors) are challenging IT organizations to create controls to minimize risk and automate compliance with a myriad of regulatory requirements, including GDPR, which is set to take effect in May 2018. GDPR mandates that organizations must know where and how the private data of EU citizens is stored and accessed and prove that such data is appropriately protected "by design and by default" with appropriate safeguards across the entire software lifecycle -- from development, to security, to operations.
Stuck in the middle are the teams of people who do the work and run the modern software factory. I am referring to software architects, developers, security professionals, and IT operations managers. For them, the intense pressure to innovate faster is not an excuse to cut corners. Trade-offs are not an option. They must dig deep, eliminate silos, collaborate more effectively, and find ways to serve both sides of the sword.
While open source provides tremendous energy for modern development teams -- it also creates a unique and difficult challenge for modern IT risk managers and governance professionals. The reasons are simple: open source components are not created equal and they can go stale quickly and expose organizations like Equifax to massive risk.
So, in order to serve both sides of the sword and thrive in the application economy, modern IT teams must: (1) continue to accelerate innovation by harnessing all of the good that open source has to offer, and (2) minimize risk by continuous governing open source quality, automating enforcement of defined application security policies, and ensuring compliance with regulations like GDPR.