You don’t have to understand open source to have an opinion on it. But here’s the thing: your company is already running on it. The question isn’t whether to engage with open source, but whether you’re being intentional about it.
Here’s what CFOs should have on their radar.
1. “Free” is a starting price, not a total cost.
Maintenance costs are baked into every software decision. The question is whether you’re paying them in engineering time or in vendor fees. Every shortcut taken today becomes tech debt tomorrow, and McKinsey warns that companies spending more than half their IT budget servicing that debt are likely paying interest only, with little left for innovation (Lamarre et al., 2020). Open source lets you redirect that spend toward work that actually differentiates your business.
2. Your vendor leverage depends on it.
When your stack is built on open source foundations, you have a credible alternative to any vendor relationship. That optionality changes contract negotiations in your favor. Companies locked into proprietary systems don’t have the same walk-away power and vendors know it.
3. It shows up in your talent numbers.
Engineers tend to follow interesting technology. A modern open source stack is a recruiting asset; a legacy proprietary one is a quiet repellent. Gallup estimates that replacing an employee in a technical role costs around 80% of their annual salary, and that figure excludes harder-to-measure losses like institutional knowledge and team morale (Gallup, 2025). Retain one engineer who would have left, and open source has already paid for itself.
4. Your open source licenses are a portfolio to manage, not a minefield to avoid.
Many open source licenses, such as Apache, MIT, or BSD, are straightforwardly business-friendly. The few that carry restrictions only become a problem when nobody’s tracking them. According to Synopsys’s 2024 Open Source Security and Risk Analysis report, 53% of audited codebases contained open source license conflicts (Synopsys Cybersecurity Research Center, 2024). That number drops sharply for organizations that treat license exposure the way they’d treat any other portfolio: with visibility and periodic review.
5. You’re more dependent on it than you think.
The infrastructure underneath your products, including databases, operating systems, security tools, and cloud platforms, is almost certainly built on open source. That’s not a problem. But it is a reason to pay attention. Synopsys’s 2024 report found that 96% of commercial codebases contain open source components, with open source accounting for 77% of the total code scanned across more than 1,000 audits (Synopsys Cybersecurity Research Center, 2024).
References
Gallup. (2025, August 22). Employee retention depends on getting recognition right. https://www.gallup.com/workplace/650174/employee-retention-depends-getting-recognition-right.aspx
Lamarre, E., Smaje, K., & Zemmel, R. (2020, October 5). Tech debt: Reclaiming tech equity. McKinsey & Company. https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/tech-debt-reclaiming-tech-equity
Synopsys Cybersecurity Research Center. (2024). Open source security and risk analysis (OSSRA) report (9th ed.). Synopsys. https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html