At FOSSA, we’re fortunate to have the opportunity to help some of the world’s top companies manage open source license compliance. That includes Collibra, a data intelligence platform that serves customers like Twitter, Adobe, Lockheed Martin, and many more.
Amanda Weare is Collibra’s VP and Deputy General Counsel. She oversees the organization’s product compliance and privacy initiatives — including open source license compliance.
FOSSA’s content team recently had a chance to sit down with Weare to discuss her experience managing license compliance at Collibra, including implementing policies, fostering legal-engineering collaboration, and determining priorities.
FOSSA: To start, can you share some background on your career and your current role at Collibra? What were some of the main stops on your professional journey, and what are your current focus areas?
Weare: My current role at Collibra is Vice President, Deputy General Counsel - Product and Privacy, DPO. I manage both product compliance and privacy. My product compliance responsibilities include IP, open source compliance, and OEM-type relationships with third parties. Then, the privacy side encompasses anything related to data privacy, both with respect to our internal operations as well as to our customers and the treatment of their data. Before joining Collibra, I worked in the tech transactions practices of two global law firms as an IP transactions lawyer.
FOSSA: What's your background with open source license compliance, and how did you come to be involved with it at Collibra?
Weare: Open source license compliance is always something that’s been on my radar, dating back to when I was a junior attorney in tech licensing. So, it’s a responsibility that I inherited naturally when I joined Collibra. I had no prior specialization in open source license compliance, but my familiarity and experience in the space made me a good fit to lead our compliance efforts at Collibra.
FOSSA: What were some of the biggest OSS license compliance-related challenges that you encountered during your first months at Collibra?
Weare: We had a team of very experienced and knowledgeable engineers in the open source space, but there were no processes related to open source compliance. So, we were reliant on the good-faith efforts of our engineers to keep out problematic licenses and to keep up with compliance matters. While this worked historically, I knew that approach wouldn’t scale. The compliance-related challenge was not that I had a lot of mess to clean up in the code, but rather that I needed to create new processes that our engineering teams were unaccustomed to following.
FOSSA: What were some of the first compliance-related initiatives/activities that you launched, and why did you decide to prioritize them?
Weare: It was really to find stakeholders within the engineering organization that could partner with me on implementing new processes and more comprehensive policies around license compliance. And that was a challenge — it took time to find the right people to help build our compliance program. The reason this was so important is that, ideally, legal isn’t the sole internal champion for license compliance. You really need technical experts to own it. So, the biggest early initiative was to find the right people within our development organization and then message the importance of their involvement in compliance. These discussions started with our CTO and flowed down to the rest of the engineering organization.
FOSSA: What was your experience like in getting that engineering buy-in? Was there a specific “aha” moment?
Weare: Fortunately, we didn’t have any major license compliance problems where our livelihoods were at stake, which can of course scare people into action. That’s really not what happened. It was more that I set up weekly stand-up meetings, which is a format engineers are used to and comfortable with. Those meetings helped us work through our compliance-related action items and made sure we were on the same page.
Also, I received guidance from an outside open source expert, Kate Downing, who was recommended by the FOSSA team. Kate was always on those weekly calls. Like I mentioned, I’m not someone with specialized license compliance expertise, so it was helpful to rely on someone who does — like Kate — to make sure the tasks were delineated appropriately.
Then, we’ve recently had a couple of very large, Fortune 100-type enterprise customers that have been very vocal with us about the priority they place on OSS license compliance and disclosures. That certainly had an impact on making sure our team understood its importance. And, it helps to have a professional-looking license compliance report that FOSSA creates that shows what we’ve done.
FOSSA: Can you tell us about a few of the big wins you achieved during the early stages of building your compliance program?
Weare: I think the big win was really the initial publication of the compliance report and putting it on our website. Interested parties can find it in our documentation section. The other nice thing is that those reports are dated, so it’s really easy for me to coordinate with engineering on creating a refreshed version if need be.
FOSSA: Legal-engineering collaboration is often an important part of a successful and scalable license compliance program. How have you approached this partnership? Are there any strategies you've found particularly effective in working with your engineering organization on license compliance?
Weare: To be honest, I’m very lucky. As somebody who manages all product compliance-related matters — whether it’s data privacy or IP — I have a very close relationship with our product and engineering organization. I’ve really worked hard to cultivate that.
So, they like me, and I think my style — which is that I’m their partner — works well with product managers and engineers. I have regular meetings with some of their leadership so they know me and know I’m not there just to tell them what to do. I’m there to answer their questions. I’ve worked really hard to build those relationships. And so, when I ask them to do something for me, they know I’m not just trying to check a box, but rather that I’m being sincere and that this is something that needs to be done.
Also, I make it clear that I’m not just outsourcing something to engineering because I don’t want to do it. Rather, it’s really something that I don’t have the technical background to complete. I am on the calls with them and am as involved as possible, but I express the need to rely on their expertise. Ultimately, having that relationship with product and engineering, being open and honest with them, and not creating false deadlines is extremely important.
Another initiative that I think is an important part of the legal-engineering dynamic at Collibra is supporting our developers who wish to publish their own open source. We’ve set up an open source advisory board made up of me, a senior person on the engineering team, a senior person on the product compliance team, and somebody senior in security. We’ve created a way for engineers to get approval to release things into the open source community because we understand that’s often important to them. We’ve tried really hard not just to tell engineers what to do, but to create avenues for them to be creative.
FOSSA: What are your top priorities for Collibra's license compliance program for the rest of 2022 and beyond?
Weare: We’re looking to integrate FOSSA into the build process rather than just preparing reports and catching and fixing problems on the back end. Reports are important because they’re customer-facing, but creating them is not necessarily FOSSA’s primary purpose. By integrating FOSSA into our build process, we’ll have things set up so builds fail if there is a license that conflicts with our policies.
FOSSA: Finally, what advice would you give to in-house counsel who are in the early stages of building a compliance program?
Weare: I’d have a few recommendations. Unless you’re an open source expert — and there are very few organizations that have one in-house — my advice is to bring in an open source expert from the outside. Make them part of your build process, integrate them into Jira, and help them get to know your engineers. At Collibra, I drive our open source license compliance program, but a resource like Kate Downing, our outside OSS expert, makes a big difference. If a question comes in, we’ll talk through the issue and then I’ll make a risk-based decision with her counsel. I’m the final decision-maker, but I need and value her input to make those educated decisions.
Then, successfully implementing a tool like FOSSA requires both legal and engineering support. FOSSA is not a tool designed exclusively for legal teams — as I alluded to when I mentioned our plans to integrate it into our build process, engineering is very involved in the day-to-day. So, I think it’s a mistake for any lawyer to buy FOSSA and think they can do everything themselves. Ultimately, when you think about implementing and then using FOSSA on an ongoing basis, you need to understand both worlds — or work with someone like Kate who understands both worlds — to bridge that gap.