Dude, Where's My Code?

MAR 2, 2017 • Written by Brian Bassett

Stop me if you’ve heard this one…

After spending years understanding the inefficiencies of a marketspace, a brilliant subject-matter expert strikes out on their own as an entrepreneur. Using their grit, knowledge and connections, they build their business. Soon after, investors and paying clients follow to benefit from the new product.

Acting as the product owner and chief architect in the early stages, our intrepid founder identifies an efficiently-priced contract development team to help iterate from concept to functioning project. The development team spins up development and production environments and grants themselves full access. In an effort to smooth the process of working with a “non-technical” founder, the devs are the only ones with total stewardship over the systems. GitHub accounts are created, domains are purchased, administrator logins and passwords are all generated without passing control back to the owner or proper caretaker in the business.

Blindly trusting the tech crew – after all they are the chosen ones! – our founder focuses on strategic initiatives.

Surging ranks of customers drive the business to grow. Revenues rise.

Customers and employees bark that they need more: more features, more scalability, more reliability. Riding the wave of success, dreaming of bigger and better, the owner ramps up their technological investment.

Meanwhile, an expanding (and still heavily outsourced) development team isn’t adding the right amount of value no matter how much additional money is thrown at creating sufficient velocity.

The founder is cash-strapped and hard-pressed to find solutions.

Our entrepreneur now has doubts about their development staff. This is made infinitely worse when they now realize the strategic mistake of not gaining full access to administrator accounts, source code and production environments from the start.

That intrepid founder, who boldly explored a boundless marketspace, now feels trapped in their own business and held hostage by technologists.

Such a beleaguered CEO confessed to me a few months ago “Brian, I’m too poor to move out of the ghetto.”

Something Is Rotten in the State of Startup

Did the relationship start out this way? Probably not, but there are many variations of this same story. Roughly half the clients we bring on at Corgibytes encounter some sort of unfortunate gatekeeping practices. Here are a few stories (details changed to protect the innocent). Do any sound familiar?

  • A small, but successful, electronic health record company outsourced their entire tech stack. Product estimates from the vendor were given and a barely-functioning product came back, at triple the cost, crafted by junior offshore developers. Despite clients with deep pockets, cash flow margins were razor thin because of the development and maintenance cost-creep of their new, but fragile, application. The owner feared asking for SSH-level control because of the signal it would send to their vendor. Without root access to their systems, they can’t find a willing buyer who would knowingly pay market price for the company. Despite continued high development costs and egregious server fees, and a business owner feeling trapped, to this day they can’t seem to find their way out.

  • A major West Coast event management business used an outsourced team to build a custom ERP system to capture their unique business model. The vendor used source control issues to enact gatekeeping practices and during iteration, “telephone game” problems plagued the process of adding features and refining others. When the relationship was severed, the business made the financially-painful decision to walk away without promised (but yet to be added) features, for which they had already paid.

  • A celebrated retail company had a social media consultant who seemed to drop off the grid. Social media was a strategic brand advantage and days of lost content meant days of lost dollars. The company appealed to the consultant’s decency, begged and even offered money, and yet nothing gained them access to their core content management system. Luckily, since it was just blog posts, the company scraped text and images and found a way to re-constitute the content on a new platform. While a minor hassle, the experience left a deep impression on future technical decisions. “It was a big lesson learned for us,” the company’s CFO told me.

Corgibytes’ CTO, M. Scott Ford, believes that most relationships like these began with good intentions: “Sometimes choices are made by developers simply to reduce friction in building a product, but which end up pulling control away from the owners.”

Bernie Dietz, a lawyer who focuses his practice on entrepreneurs and business owners, believes “It is vital that the founder retains, from the beginning, control of all accounts and passwords so they can ‘lock out’ a non-compliant vendor without having to beg for the work product.”

Either way, they can wind up in the same place. And those choices can seem innocent. Until they aren’t.

Due (Diligence) the Right Thing

As I see it, there are two immediate takeaways for two different audiences:

  1. For technology practitioners, we need to think of ourselves more as fiduciaries than just developers. We need to act as the best stewards for our clients, even if it isn’t always in our own best short-term interests. More to the point, we should be helping clients by protecting them not just from industry pitfalls, but even safeguarding them against ourselves. In my experience, equitable partnerships where accountability is bidirectional leads to the best practices and the best business relationships. In finance, these practices are referred to as being “long-term greedy” as opposed to the more damaging short-term variety. This industry might seem large, but word gets around quickly for good or ill.

  2. For founders, being long-term greedy means you need to set yourself up for short-term success. One major part of this is having a realistic near-term exit strategy. No savvy investor is going to invest in a business without access to all the systems and a long history of the codebase. Having the keys to the production environment and source code matters; it might be one of the most important items on a modern to-due diligence list.

Devin Mathews, a private equity veteran and partner at ParkerGale, talked about his company’s process as they consider adding businesses to their portfolio of companies. Also, as one half of the Private Equity Funcast, he revealed the following on his We Got Your Due Diligence Right Here! episode:

“You have to develop [the] discipline [of the mastery of your codebase] long before you’re going to go sell the business, or it’s going to be a red flag. It’s going to say well, there isn’t discipline here, there isn’t a process here. I need to dig in a little deeper.”

On the same episode, Jim Milbery, Mathews’ partner at ParkerGale, agrees and explains why this matters:

“Show me the last twelve months of ticket check-ins […] so I can see what the velocity of the code is. […] Are there certain modules that seem to get a lot of bugs? […] Are there certain developers that are key because I see how many check-ins they make?”

Beyond the importance of having access to the system, there’s deep insight and value that a business can gain from exploring the logs of a code repository management tool like GitHub. Would you spend money in a business without recording where it went? Is there value in gaining insight into inefficiently administered areas of your budgets?

It’s time to start thinking of tools like GitHub as an accounting system for intellectual property.

So what are the right safeguards by businesses from the start?

Although Andrew Berger’s article on protecting intellectual property when outsourcing is a good starting point, it is always best to consult with a trusted attorney who specializes in this work.

Also, know that without the right contract in place, a vendor can assert their ownership of the intellectual property. In such a case, the founder has few, if any, options beyond starting over. When using an outside vendor rather than W-2 employees, IP rights only transfer based on a properly-worded contract. Compounding this, without a contract, you’re usually not entitled to reimbursement of your attorneys’ fees, which often makes it economically unviable to pursue a case in court.

Attorney Steve Fairchild of Fairchild Law advises to solve any legal complexities ahead of time with an employment contract that specifies who owns the intellectual property rights.

“Software development code is an intellectual property area that blurs the line between copyright and patent law,” Fairchild explains. “The distinctions can get messy and complex, but the legal solution is straightforward - the employment contract!”

Fairchild suggests that, in copyright law, a work for hire is considered owned by the person who hired the vendor, while patent law is the opposite: joint inventors equally own the entire invention.

Without a contract set up ahead of time, a founder’s options on how they go about extracting the intellectual property might be very limited.

While source code escrow is an option some businesses use while building trust with vendors, it would never be my first choice. At Corgibytes, we advise our clients to get full control of their code as soon as possible, even if it proves time-consuming or tricky to do so.

Dawson’s Law

So what steps can you take if there’s concern that gaining access to systems or source code could prove painful? The first step would be to check with your attorney to see what structures are already in place. Assuming that the contracts include the right language and can support your request, a pleasant but escalating level of communication might be the right move.

As James Dawson said in the cinematic masterpiece that is Road House …

Road House Pic

Rationale can be given in the form of adding a new team member or performing due diligence for a future sale. Communication could be as simple as:

  1. Polite request.
  2. Firm request with deadline.
  3. Firm request with promise of bringing an attorney at their expense.
  4. Someone get Dawson!

In the end, it is crucial to protect your business with the right contracts made by lawyers who understand entrepreneurship and intellectual property. When working with vendors and even employees, gatekeeping practices are symptoms which might lead to larger problems. Founders need to keep a tight rein on their accounting practices as much as a mastery of their source code. And beyond that, they should be using it as a way to gain an understanding of the velocity and impact of their product development team. Investigate all possible options in gaining access because it is vital to the success of a business.

Should you have questions, Corgibytes is here to help. Feel free to contact us!