 Watashi no Nemaiwa, Borek san, Jeff desu, and I wish I could do my entire presentation in Japanese. I'm very happy to be here, but I'm even happier that I have my colleague with me so that you will have simultaneous translation, or almost. My name again is Jeff Borek. I work in open source for IBM. I've been at IBM for most of my professional career and spent over half my time working in and around open source communities. So I am very pleased today to be joined by my IBM research colleague, Ohara-san. I will ask him to introduce himself please. Yes. My name is Morio Ohara in IBM research based in Tokyo. I'm involved in bringing open source innovations to hardware, like IBM still has hardware like a mainframe, and also enabling hardware innovations to open source communities. Thank you. And our topic today is how to future proof your OSPO. Work show of hands, how many work in OSPO in their organization? So about half. It is also my understanding that in Japan, OSPO name is more associated with a centralized group, but it is also possible to do an OSPO in a distributed fashion as well. But let's go ahead and start our conversation and we will get into additional details. And I actually should have interrupted the prior session because there was a question about open AI at the end, and we will also have some news to share. So with that, you saw this, if you were in this room for the prior session, you saw a graphic like this describing OSPO's becoming mainstream. Sometimes when I talk about open source at IBM, I like to say I stand on the shoulders of giants because IBM 30 years ago was a very involved leader in early open source. A good example of that is in 2000, IBM said, we will invest a billion dollars to enable Linux to be a first class citizen across all IBM hardware, and all IBM software will run and be certified either on REL or on SUSE. Very progressive for almost 24 years ago now. But in addition, IBM was very active in helping to establish the Apache foundation, another very important open source community that IBM helped to write some of the original bylaws to ensure that the Apache community would be very important in keeping the web open. And then lastly, IBM had a challenge associated with trying to rewrite its middleware portfolio onto Java and created a large framework for software development for Java and then could have commercialized that framework. But back then the Java community was highly fragmented with many, many different players, which was good because it provided options. But it also was challenging because how do you try and bring unification? And IBM donated all of that software development to form the Eclipse Foundation. Those are just three examples. So OSPOs are one of a phenomenon now that open source has gone from being individually driven to influenced by major companies like IBM and others to helping to create major platform companies like Facebook, like Apple, like Netflix, Google, etc. All of the hyperscalers could not exist without open source software if you think about it because the scale of hyperscaler computing and cloud computing could not be possible if that free software was not a major part of the foundation. And now we are in the phase of companies realizing the value of having direct participation. So companies will still consume open source through subscription support from Red Hat or Suze or others. But companies are realizing that there is benefit to direct participation. However, there are warning signs in all of this good news. You can see that organizations thinking funding for OSPOs is going to be in some potential threat because of economic headwinds. So, maybe, shall I... Please. Okay. So, I'm going to make a translation in Japanese, please. I applied many of theICA's in the open source for IBM. Now many companies are makingakin' a lot of money in the open source. And now many companies are making a lot of money in the open source. There are so many big value-earnings. And, please take as much time as possible, because we are going to have a lot of time to talk about the future of the OSPO and the future of the future of the OSPO and the future of the OSPO and the future of the OSPO and the future of the OSPO. And, please take as much time as possible, because lunch is after this, and of course they will stay with us as opposed to leave for lunch, so we have extra time. Just kidding. So, warning signs are there in the economy. As you can see, business and academic economists estimate the probability of recession is 50-50. So, maybe in 24 we have recession, maybe we don't. And also, I'm sorry, please. And the conference board that tracks growth of U.S. economy is basically saying it will be essentially flat. Yes, so maybe you can, yes, quick. And also. And lastly, research is showing that wage growth is stagnating, pandemic savings are being depleted, so certainly troubling headwinds. So, what should you do to future proof your OSPO? First, a misstep to avoid is not realizing what your why is. And there is a thought leader named Simon Sinek who several years ago wrote and did a TED talk on concept of starting with why, how great leaders inspire everyone to take action. Two main ways to influence and position your OSPO within your organization and drive its success, you can either try to negatively influence through manipulation or you can try to provide inspiration and inspiration is much more powerful. Why we work determines how well we work. So, my number one misstep to avoid is ensure your team and your organization understand why you're doing your OSPO. Because we all know in this room why, but when you go back to your organization, you have to ensure that leadership understands the value, because the reason your leadership will support you is that if they have a better understanding of why this is important. So, the second misstep to avoid is not a balancing your OSPO value, because the leadership is not a balancing your OSPO value. So, the second misstep to avoid is not a balancing your OSPO value, because there are many reasons for establishing an OSPO. Are you going to do an OSPO because you're excited about doubling your consumption of open source? Or are you really starting an OSPO because you realize you need to contribute back more effectively? What is the right balance for your organization and their reasons to fund your initiative? The next balance point is the engineering value of open source. So, an example, if you looked at the average enterprise application only five or seven years ago, it would maybe have about 50 open source components. Under the covers as part of the foundation, today the average enterprise application has over 500. It's a 10x increase. So, that brings big engineering value through reuse, but you also have to make sure that the business understands that value from an efficiency perspective. The community value versus the company value. So, what do we mean by this? Of course, the company wants to see value, but if you want your company to have a business value, then you have to have a business value. If you have a good relationship with the community, the community needs to see the value you're bringing as well through your OSPO. And maybe that's through having you send some people to events like this, but it's also having your company realize that it is in their best interest to help the community. If your company is only wanting to solve their unique problem, it is more difficult to get community cooperation. So, by helping you get better balance and better support. And we touched upon this before, but again, centralized versus distributed organization. There's no one perfect solution for how you structure your OSPO. So, you have to consider your organization and the most important communities your company wants to have. That will help you decide if you can be more effective with a centralized versus distributed approach. So, misstep number three, not managing all of the risks of open source use. So, historically, for the last decade, much of the focus has been on the legal risk. What does the license say that you can and cannot do with the code that you are taking? And what obligations does that bring? And that remains a very important risk. That's only one of the top three focuses. Of course, how to manage and manage the risk of using open source is also very important. The first thing we thought about was the legal risk, the legal risk. What is the license and what is it not allowed? We have to understand that and manage it. The second risk is security risk. What are CVEs? And CVE stands for critical vulnerability or exposure. What CVEs are in the software that you are consuming? Do you know? And if you know, what will you do about it? Yes, security risk is also an important point. Especially the software that you are using, the software that you are trying to use, what is the cause of the vulnerability? What is the future of project control? Because it is okay for a new project. Say, for example, any new project might come into open source controlled by a single company or even a single individual. But it is not wise to adopt that software unless it is under open governance. Because under open governance, there is a shared understanding of how things will evolve. And certainly an example of this challenge is the recent re-licensing done by some startups where they begin with an open source license and they achieve a certain level of adoption. And then they get pressure from their venture capital to change their license to increase their bottom line. Yes, one of the risks that we have been paying attention to recently is the balance risk. Because it is something that can be created in the community, we need to be very careful about who controls the software. Because we use a long period of software at a certain point, the license will change depending on the company that has the copyright, and that is a very big risk. So it is important that the whole community is managed and balanced in an open way. A quick show of hands again, how many work in an organization that has some type of developer advocacy group? So about maybe a quarter of our group today. So for those that maybe are not familiar, I will provide a point of view from myself on developer advocacy. Developer advocacy is not technical pre-sales. Technical pre-sales is very important and every tech company provides that. But the difference is that developer advocate focus should be on trying to help the average developer better understand how your company can support their increase of knowledge. And that is more appealing to a developer than just technical pre-sales support. We can talk about that more, but it is important to understand how your organization defines developer advocacy and how it relates to your OSPO. Developer advocacy is also an important point. How do you define that in your organization? So who provides leadership to your developer advocacy group? So who provides leadership to your developer advocates? What do they spend their time on? And how can your OSPO assist them and have good alignment with them? So who provides leadership to your developer advocates? What do they spend their time on? And how can your OSPO assist them and have good alignment with the overall goals of your company's policy and guidance around open source consumption and contribution? So what do they spend their time on? It is very important. So we need to understand how your OSPO helps the developers with their advocacy, but it is important to understand that. they need to better understand what's happening out in open source communities to help them improve the way they support internal development at your company. So some fraction of time of your developer advocates can be used to support your internal work and that helps improve the value perception of your OSPO. Yes, OSPO and the development advocacy activities are mainly related to the outside of the company and the relationship with the developer. Even in companies like that, there are internal developers in the company. For those people, it's important to know how to connect with the community and how to connect with the community. So for developers, it's important to have time for the company's developer. So I will actually go off-script briefly and share an inside story at IBM. So over 10 years ago, IBM made significant breakthroughs in AI but IBM believed back then that that breakthrough was best promoted through a proprietary approach and that approach was unfortunate and I won't go into a lot of details but it relates to this issue of developer advocacy because five years ago, we used developer advocacy to re-engage inside of IBM and helped create a inner-source project. So inner-source is like open-source but it is done inside your business and because of that coordination with developer advocacy, we were able to bring focus internally to change the way IBM developed AI software and we will talk more about the benefits of that but inner-source can be another way developer advocacy and your OSPO can support the business. This is something I didn't plan to talk about but it relates to the development of IBM's AI technology. In the past, there was a time when technology was better than technology in a proprietary open-source but at that time, a lot of projects were fragmented and in general, open-source is the same as reuse, engineering value, and business value. So in terms of that, the technology in the company and even in the company, as an open-source, community-driven, and reuse, we were able to come up with an inner-source idea and we are now in the progress of AI technology. Even though it is an inner-source, open-source is basically the same as open-source so it is important to do the same as OSPO. And we will touch on AI again at the conclusion of our talk today. So the last misstep to avoid is not establishing true executive support. What do we mean by this? Has your organization's approach towards open-source changed recently? And I would argue that open-source within your organization is like the weather in Tokyo. It changes rapidly. And so if your organization's attitude, leadership attitude towards open-source is not improving, by definition it is declining. So you always have to be communicating effectively with your leadership to remind them of the value that the organization is getting from your OSPO so that they do not make the mistake of missing the value you're providing. Yes. So I could go off script again and say, please raise your hands. How many of you like your executive support? But I'm not going to ask that question. I have empathy for your executives because if you've been here today and yesterday and this is a relatively new conference for you, you may feel overwhelmed. You may feel like you asked for a drink of water and you're getting a fire hose. Open-source is complex. But busy executives above you do not have the time to invest in truly understanding what's going on. And so they may make a portrait of you and so they may make a poor choice simply because they are too busy. So you have to work hard and it helps if your senior leadership has had past hands-on experience because a busy executive, it's easy to say, oh, open-source, that's free software. I have to pay attention to the bottom line. Open-source is like a large complex crystal and it isn't until you pick it up and look at all the facets that you understand just all of the potential and risk of open-source. And so that can be a challenge if your executive does not have experience hands-on. Yes. Open-source is such a difficult aspect for people to understand. For executives, there are softwares that are cheap or softwares that are simple. And so if the executives are actually involved in open-source and are involved in open-source, they know a lot of details, but if they are not, how can people in Ospo understand open-source, complicated systems, and value? It is very important. And do they have a multi-year investment view? It can be very challenging if your organization, you have not been effective in striking the right balance to avoid the challenge of, okay, it's fall plan and what is in next year's budget, right? So ensuring that your leadership understands that it is in their best interest to try and be consistent over time, not jump in one year and say, yes, we have an Ospo and then the next year say, oh, well, maybe we don't have an Ospo. How many quick question, how many were in the prior session on open-source here in this, okay, about not quite half? So the prior speaker talked about FOSS, the contribution back to communities that Microsoft and other companies have made contributions to. And that's really good, right? Open-source maintainers work hard. However, I have seen some organizations promote that so strongly that then their leadership thinks, well, we already have a different contribution program back to the community. You know, we don't need an Ospo to be charitable, right? So that's another thing that you just have to be aware of as you consider how you position this with your executives. Yes, well, the development of open-source software is something that takes a lot of time, so of course, it's something that you can't live with at the same time when you buy or sell a product. So if it's a normal company, you can decide the budget by the budget, and the investment plan for a number of years or the strategy for open-source or Ospo is important. So I woke up this morning and saw that the sky was cloudy and it had been raining, but as I was coming to the conference, the sun was out, and I was in a great mood. I was so happy to be in Japan. The sky was turning blue, and for this last or near-last slide, I brought a picture from my home, Seattle. I hope the last half hour of our discussion has not made you all depressed because for a half hour, we've been talking about all of the missteps you don't want to do, and yet I want to end on a positive note. So now that you know what not to do, develop a holistic strategy, policy, and operation model for your Ospo. By keeping these things in mind and focusing on the right balance, I believe that you also can have success with your Ospo initiative. Yes, so far, we've been talking about the misstep, how to make a mistake, and how to make sure that Ospo doesn't go too well. It was a bit of a dark discussion, but I would like to talk about how we can solve this problem. One thing, as I mentioned earlier, Ospo, your Ospo and my Ospo are different. There are different ways of thinking, so it is important to develop a model for your Ospo or to develop a policy for your Ospo. You have to address compliance even though it can be challenging at times, and you have to consider security even though it can be overwhelming at times. Because, again, as I mentioned at the beginning of the talk, the volume of open source that your company is using is tremendous, and even your own executives don't fully understand. When your executives buy software from other companies to help them run their business, that software they're buying is three-quarters open source inside the product. So, your role in Ospo is vital to your business's success, and it's also vital that you participate in helping to remediate the challenges in open source as part of the community. Another important thing is that compliance, security, and community are also important. Until now, we need to pay attention to what we've developed as open source and what we've experienced in open source. For example, when your software company is buying open source, it's important to consider what you're buying from open source. So, we need to deal with compliance, security, and community activities. So, I hope with our session you can go back to your organization and inspire your teams and inspire your leadership. But most importantly, inspire yourself because working in this area is a very important part of your organization's future success. Even though other parts of your team may not fully appreciate the reality of how impactful open source is on today's software supply chain. Thank you. I'm sorry. Thank you. So, in my photo is Mount Rainier. And I like to think of our Mount Rainier is like your Mount Fuji. It is far away and yet nearby. And I also want to say that I've been very frank with you. And so if we get in trouble, I will take all of the blame because this is my partner who has made communicating this value to you very easy to do and understood by everyone. So, some more good news. So I was candid with you about IBM's AI journey where over a decade ago IBM tried to approach AI in a very proprietary way. And the good news is about five years ago I went back to that same part of the organization and said to them hey, you may want to change this approach and move to a more open strategy. And that has produced good results for IBM. We talked about the inner source. Just within the last 24 hours IBM has announced a new AI alliance. And part of this is that it's become very confusing in the marketplace. So Google is doing AI, Microsoft is doing AI. I respect them as good engineers and good competitors. And open AI was a startup that proclaimed open. But then with chat GPT they had such a significant breakthrough that they have pivoted to a strategy that doesn't look as open. So we have put together a long list of organizations to collaborate. It's IBM META and it's also many universities and many other respected organizations to try and have an alliance around AI that is foundationally very open. The AI alliance was announced yesterday with IBM META. Open source is of course a big value, especially in the world of AI. Google and open AI are part of it. There are economic backgrounds and the value of open source is changing a little in the world of AI. There are about 50 companies in the world, such as universities, government agencies, companies, and about 50 companies in the world. We have announced that AI technology will also be able to teach open community innovation. Alright, we are just about out of time but if you are interested we will remain for some questions and these slides will be posted within the next hour so if you did not take every photo you wish to take you can get this information and with that I will play a microphone. Thank you very much. Yes, question? Thank you very much, I'm from China mobile and also we know the risks. I would like to introduce this sir, he's from China we have an Ospo Group in China so glad to meet you guys from Japan and also from the world. Many thanks for your experience and I think we should have your experience to let more guys know about it and let's work together to fight for Ospo. Thank you very much. Thank you. Additional question, please. Thank you for your good talk. Just in case I'm always a believable lover and I'm not talking about our executives but my question is, I'm 100% agree with cert with why and of course we are saying that the contribution is very important for executives but some executives say why because the business is always measured by money money means ROI, I is investment is zero, it is maximized, so we have we don't have to do anything, someone says so how to convince them like that? That's a very tough question. No, thank you for asking that. It is a journey not a destination because even if you this fall convince your executives that the investment for 2024 is reasonable and balanced you will have to do this all over again 12 months later. So, but a great example that many executives miss is that, hey, our products depend on this open source now if this open source went away we would be out of business and we make money by innovating around the core and we're much better doing that than if we went and tried to do everything proprietary. When we want to differentiate we have to find a way to add value to the top or around this open core and to get the core to accept our contributions that enable that value, they have to respect us. They have to appreciate what we are doing. Sometimes it's called chop wood carry water. If you show up to the community and say, oh, I'm just here to get my pull request in because that enables my features but good luck with the rest of your project the community will not be as cooperative when you help the community they will most often help you back and that's part of how you deal with that challenge. Thank you Jeff and Moriyoshi it's a great talk and I know you guys spoke a little bit about inner source and I was just wondering when it comes to that how maybe some suggestions for everybody about how you maybe measuring impact of how inner source is valuable for your companies. We do a lot of advocacy for developers externally but when it comes to our business units can you suggest that we can show our impact? Great question. So for example next level of detail a key part of enabling AI is to have a good natural language processing core and IBM had a very market leading core over a decade ago but two things happened I mentioned the first one which is IBM decided to try and make that much more proprietary number two IBM reorganized its entire business away from traditional here's our hardware company here's our enterprise software company and here's our services group and when they disaggregated the software group and split it up they created business units that were more focused on the way customers were buying things but it created tremendous fragmentation so don't quote me but over six years ago when I re-engaged with them we looked inside IBM how many people are building AI into IBM we had a product six years ago we had over a dozen NLP stacks you don't need a dozen different NLP stacks you need one good one and so helping your leadership see the value of intersource and through collaborative software development internally you can sell an intersource inside of your organization thank you I appreciate it please thank you for your presentation I'm curious about human resources about talent what type of talent is suited for OSP OSPO for example I think the person in the OSPO is connected to the communication scale yes no that very good question and I'll ask you to translate this answer as well but part of the challenge is that a logical think of organizational chart for your business they're all different so where do you put an OSPO in a large matrixed organization some say oh it's it's supporting engineering efficiency it should be in engineering software development others think oh no it's supporting developer advocacy it should be in marketing or no it should be in the legal organization because it's all about managing that risk so the challenge becomes an OSPO has to be a mix of complex talent that can collaborate effectively across your organization to help effectively communicate yes communication skills are important OSPO's activities are technical activities and legal license activities so in a large organization it's not easy to decide where to put it so I think it's good for people with different skills to collaborate so we are overtime but we'll take one last question and I'll go back to this slide as well any final questions before there will not be a question I just want to thank you for this talk because beyond OSPO I think it's a very inspiring talk about leadership and how to drive change and value organizations beyond technical part the human part is essential and it was a good example of that thank you thank you so much for that comment and with that my colleague