Governing the Corporate Jewels

By Tony Kontzer

In 2008, Sony Mobile Communications AB, then known as Sony Ericsson, was putting out new versions of some 25 different mobile handsets each year—all based on the (now nearly obsolete) Symbian mobile operating system. But a seismic change in the market that began the previous year was forcing Sony to consider abandoning Symbian.

That change? The arrival—and huge success—of Apple’s iPhone and Google’s Android mobile OS.

As it became clear that Symbian couldn’t compete with either Apple’s iOS or Android, Sony decided to jump on the Android bandwagon, kick-starting a switch from proprietary code to open source. It was a huge change that called for reconfiguring every piece of software for open source and training architects about open-source licenses. It also required Sony to find a way to keep on top of a burgeoning collection of open-source assets.

“We were facing a situation that we’d have millions of lines of code that’s open source, and we needed to comply,” says Carl-Eric Mols, Sony Mobile’s head of open-source software operations.

After an exhaustive search for a tool that would ensure compliance with a growing assortment of open-source licenses, Mols found Black Duck Software’s Protex open-source compliance solution. Protex essentially creates an archive of code prints (the software equivalent of fingerprints) and can check every piece of code Sony Mobile uses to ensure it’s not infringing on any of its licenses. That, in turn, protects the company’s IT investments, removes potential hiccups during software projects and reduces the risk of legal ramifications.

“We desperately need to understand what code we have and what license applies to that code,” says Mols. “If we don’t comply with our license terms, we can expose ourselves.”
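The code-print matching described above, as an added illustration written for this page rather than Black Duck’s or Sony Mobile’s own code: it fingerprints normalized source with winnowing (hash every k-gram, keep the smallest hash per window), builds an index from a constructed two-component inventory with licences, and flags a copied routine whose licence falls outside an assumed permissive-only policy. The component names, snippets, the `ALLOWED_LICENSES` policy and the 50% match threshold are all assumptions, not values from the article.

```python
import hashlib, re

# Constructed stand-in for a vendor's "code print" archive: name -> (licence, source text).
KNOWN_COMPONENTS = {
    "crc-lib": ("GPL-2.0", """
        unsigned crc_update(unsigned crc, const unsigned char *buf, int len) {
            for (int i = 0; i < len; i++) { crc ^= buf[i];
                for (int b = 0; b < 8; b++) crc = (crc >> 1) ^ (0xEDB88320 & -(crc & 1)); }
            return crc; }"""),
    "strutil": ("MIT", """
        int str_count(const char *s, char c) { int n = 0;
            while (*s) if (*s++ == c) n++;
            return n; }"""),
}
ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}  # assumed policy for proprietary modules

def normalize(src):
    """Strip comments, whitespace and case so cosmetic edits do not defeat matching."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"\s+", "", src).lower()

def fingerprints(src, k=16, w=4):
    """Winnowing: hash every k-gram, keep the smallest hash in each window of w grams."""
    text = normalize(src)
    grams = [int(hashlib.sha1(text[i:i + k].encode()).hexdigest()[:8], 16)
             for i in range(len(text) - k + 1)]
    return {min(grams[i:i + w]) for i in range(max(len(grams) - w + 1, 1))} if grams else set()

def scan(src, components=KNOWN_COMPONENTS, allowed=ALLOWED_LICENSES, min_share=0.5):
    """Return {component: (licence, share of its prints seen, compliant)} for the code under review."""
    index, totals = {}, {}
    for name, (_, known_src) in components.items():
        prints = fingerprints(known_src)
        totals[name] = len(prints)
        for fp in prints:
            index.setdefault(fp, set()).add(name)
    hits = {}
    for fp in fingerprints(src):
        for name in index.get(fp, ()):
            hits[name] = hits.get(name, 0) + 1
    return {name: (components[name][0], n / totals[name], components[name][0] in allowed)
            for name, n in hits.items() if n / totals[name] >= min_share}

# Constructed file under review: the GPL routine copied, renamed, re-indented and re-commented.
PRODUCT_SRC = """/* checksum helper -- origin unknown */
unsigned checksum_step(unsigned crc, const unsigned char *buf, int len) {
  for (int i = 0; i < len; i++) { crc ^= buf[i];  // walk the buffer
    for (int b = 0; b < 8; b++) crc = (crc >> 1) ^ (0xEDB88320 & -(crc & 1)); }
  return crc; }"""
```

Running `scan(PRODUCT_SRC)` reports `crc-lib` as GPL-2.0 with most of its prints present and `compliant` false, while the MIT component does not appear because none of its prints match.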

GRC Market’s Growth Spurt

Like Sony Mobile, many companies are finding more and more reasons to establish controls over numerous aspects of IT. The market for providing IT governance, risk and compliance (GRC) solutions and services has emerged in the last decade, partly in response to regulations such as Sarbanes-Oxley, as well as corporate ethics scandals like the infamous Enron fiasco.

According to Forrester Research, the global market for GRC software and services was $1.4 billion in 2011, up from $590 million in 2006. Various estimates of anticipated growth for 2012 range from 18 to 40 percent. That market opportunity is attracting a crowd: Pundit Michael Rasmussen, a former analyst, places 400 vendors into the GRC category.

But as governance has moved to the forefront of IT priority lists, it has become about much more than regulatory compliance and corporate integrity. Whether companies are trying, as Sony Mobile has, to closely manage their most valuable IT assets, or they’re simply trying to establish controls around managing the massive amounts of data they’re collecting, analyzing and acting on, IT governance has become a critical method for ensuring greater accountability across the board when it comes to IT decision making.

“Information is the currency of the 21st century, and the need to drive business value from IT investments and manage IT risk has never been greater,” says Robert Stroud, a member of the strategic advisory council for the Information Systems Audit and Control Association (ISACA), an independent IT governance association. “It’s imperative that companies have effective governance and management in place over information and technology so they can achieve this value and manage the related risk.”

While companies looking to establish optimal governance strategies generally try to do so proactively, many organizations find themselves, like Sony Mobile, turning to governance tools in response to some immediate stimulus.

“As seems to be human nature, companies frequently manage their governance issues reactively,” says Steve Keegan, a principal who runs the IT governance practice at management consultancy Pace Harmon.

In Sony Mobile’s case, adopting governance as a reaction has paid dividends, as the company made the transition to open source smoothly, phasing out its Symbian handsets in 2010 and introducing its first Android phone that same year. Mols says Sony Mobile also has become the biggest contributor—other than Google itself—to the Android open-source project, with more than 1,000 code contributions thus far.