This is Part 2 of a two-part article. The first part was published yesterday.
The Trojan Horse Scenario

No one in the open-source community faults Roesch or Check Point for making money from open-source software. After all, "free as in free speech, not free beer" is the mantra of Richard Stallman, the father of the free software movement (now more widely known as open source). But the open-source community, though far from monolithic, can agree on one thing: No one likes companies that would try to use open source as a Trojan horse for fee-based proprietary software.

At some point in the near future, companies without a sufficient understanding of what makes the open-source community tick are going to test the limits of mixed source, predicts Geoffrey Moore, managing director of TCG Advisors, a consultancy. "I think there is a potential for backlash from the open-source community against companies that do not play according to the aspirations or ethics of that community," says Moore.

Fallout from this kind of uprising could put a big hurt on a CIO's infrastructure. For example, open-source projects could be left for dead by their communities, with no one left to support them. Then there's "forking," in which the open-source code base is used to start a new project that is incompatible with the original version. Finally, there's the doomsday scenario: malicious hacking of a formerly open-source code base.

CIOs are concerned about getting caught in the middle of this fragile relationship—especially if their software provider goes under. "If I have some proprietary software, I have to worry about disrupting my infrastructure if I need to take it out and then find a replacement for it," says Strasnick. But if the code is open, as is the case with Strasnick's JBoss middleware system, users can take the code with them to another provider if the relationship sours.

"If JBoss decides to stop supporting my software," says Strasnick, "I will have the source code, and I can simply go find someone else to support it."

CIOs prefer the open-source business model that Roesch couldn't sell to potential investors: a services model in which the company sells support for a single, open-source code base.

"I like the services model because all my money goes into implementation and support," says Strasnick. A few well-known open-source companies, such as Red Hat (Linux), JBoss (middleware) and MySQL (database), are built around this model. But because the software code base is open to anyone, barriers to entry for competitors are low.

These companies have to be extremely lean and mean to go up against comparable proprietary software companies. "CIOs expect to pay less for open source," says Forrester's Goulde. "It has to provide 30 to 50 per cent savings." That would seem easy when the software is free, but the software usually isn't free for the companies that support it; many must provide their own employees to lead, manage and code the open-source products. The unpaid community that appeared around Linux took many years to develop and is the exception rather than the rule. Worse, venture capitalists don't like the services-only model because the margins on service are invariably lower than those for proprietary software. "The venture community is committed to getting a disproportionate amount of return on its capital," says Moore. "At some point, the company [they invest in] has to have sustainable competitive advantage." This helps explain why open-source companies have been slower to grow than their proprietary counterparts.

Another limiting factor is that it's next to impossible to build a business around open source in niche markets or in vertical industries. Only a small percentage of downloaders will pay for support from vendors (for example, Snort has 100,000 regular users, but only 800 have signed up for support), and developer and user communities won't grow unless the software is used by many, many people. So big, successful open-source products have certain things in common: They are broadly applicable across many types of companies and industries, and they tend to be in areas that companies don't believe provide a competitive advantage (such as infrastructure) because everyone, including competitors, will have access to the software source code.

Yet even if the open-source software qualifies on all these fronts, building a business around it will still be difficult unless the software is complex and is an important part of keeping the business running. In this case, CIOs, especially those in small or midsize companies with small staffs, cannot afford to go without commercial support. Indeed, support is consistently the biggest concern of CIOs on Forrester Research's surveys, according to Goulde. "We need a vendor to take a portion of the risk if we're going to go with any software package," says NIH Federal Credit Union's Drake.

And CIOs always prefer to go with a big, established vendor for support rather than a small startup. That's why MySQL, for example, has formed partnerships with Hewlett-Packard and Dell to support its open-source database. MySQL takes a cut of the proceeds, and CIOs get the warm-and-fuzzies from knowing that a big vendor is standing behind the product, according to MySQL CEO Marten Mickos.

Yet the combination of CIOs' nervousness about small vendors and the venture capital community's reluctance to back open-source software means that CIOs will see more and more mixed-source sales pitches in the coming years. It pays to vet these vendors carefully (see "Your Open-Source Checklist").

The ROI of trust

For his part, Roesch believes that the Snort community will survive. "Check Point needed education about why it's important to keep it open, and they get it," says Roesch. Part of that education was that the open-source development model creates relationships between project owners and users that cannot be duplicated in the proprietary world. "A lot of the guys buying Sourcefire software are people who started using Snort in college, and now they're bringing it into their companies," he says. "It's hard to quantify the value of being able to go into a sales meeting against big vendors like Cisco and having someone [from the prospect company] ask for your autograph."

But that relationship, based on mutual trust and forged over many years, is fragile. If Check Point were to shut down Snort and close the source, says Roesch, "you would lose the goodwill of the community overnight.

"Getting these people's trust takes years," he adds. "Losing it takes minutes."