
Ask HN: Why do institutions choose buggy enterprise cms over open source ones - gandolfinmyhead
Why is it that big-time banks choose the shittiest, most expensive and buggy CMS that have equally expensive talent rather than build custom ones based on open source tech (actual open source tech, not half-assed solutions put on git that no one gives a hoot about) for less than half of the price?
======
GFischer
I've been around for a couple of RFPs(1), and the company I work for had one
for a CMS recently.

The way it works is:

1) Business has a crappy, very manual website/intranet/whatever.

2) Someone with the actual capability to do something (CIO, manager, whatever)
decides this has to change.

3) Input is asked from people from the business and people that are nominally
technical. Usually the people that actually know the requirements or are going
to maintain the new system are not included.

4) Other people from security, audits, etc. chime in.

5) Someone (business analyst or project manager) transforms the laundry list
of requirements into an RFP.

6) Business approves the RFP. It is sent out.

There are companies out there that live on RFPs. If you're lucky, they'll use
open source software, but they might re-package that into their own CMS.

Companies that have the CMS that ticks the most boxes in the laundry list have
a leg up. It doesn't matter if it's shitty and buggy, it's VERY hard to write
"non-buggy" in an RFP (if the company is wise, they'll have a trial period
with competing products, but that costs $$$).

So, the company ends up with proposals in the hundreds of thousands of dollars
for what could have been an in-house project (be warned, a mismanaged one can
run in the hundreds of thousands too, even with open source CMSs).

A period of time later, the company will select the CMS and will drop that info
on the team that will actually implement and maintain the buggy piece of crap
(or even a decent product, if you're lucky).

(1)
[https://en.wikipedia.org/wiki/Request_for_proposal](https://en.wikipedia.org/wiki/Request_for_proposal)

See also:

[https://doubleyourfreelancing.com/3-things-freelancers-know-...](https://doubleyourfreelancing.com/3-things-freelancers-know-rfps/)

------
cauterized
Because they want a support contract and someone to sue if things go badly
wrong.

~~~
NetStrikeForce
This is the answer. It is about doing business while shifting risk to a 3rd
party.

------
tue4Iezi
A lot of answers:

- No one gets fired for buying IBM
- The issues around compliance/security/support are/should be sorted as part of the contract
- OS projects don't invite managers for lunch
- You need to factor in the price of support if you run OS projects. You will probably need a few devs and sysadmins to run an enterprise-level solution
- Documentation/training/videos for end-users

~~~
NumberCruncher
- OS won't pay your buddy a bonus who happens to work in B2B sales

- OS won't offer you a fictitious consulting job if your current employer
gives you the sack

- OS won't fill your non-existent Swiss bank account

------
ig1
I imagine because most open source ones lack the features required
(compliance, security, Active Directory support, audit, etc.)

~~~
bediger4000
You know what feature open source software in general lacks, but buggy,
enterprise software has lots of?

Quid pro quo.

I'm not talking money per se, although I'm sure most enterprise software sales
involve the CEO's "second cousin" getting a few dollars. A few games of bikini
golf in the Bahamas can get a Fortune 500 company to standardize on the worst
version control software in the world, or make using "cron" a firing offence.

------
EJTH
All software has security flaws; in open source it is simply easier to find
these. Also, the quality of open source varies a lot.

Just take Drupal as an example: it is used A LOT, but isn't really pretty to
look at codewise. Also, it has had its share of vulnerabilities, which are very
easy to find, partly because all source code is readily available.

~~~
kzisme
Couldn't you then say that OSS software has more people looking for flaws to
patch, so it would be more secure - not less?

I suppose it does vary by project though.

~~~
EJTH
It's a double-edged sword of course, but for the financial sector the money
saved on open source would be peanuts in the grand scheme of things.

A proprietary CMS may very well be holed like a Swiss cheese, but it will not
be as obvious / easy to find the holes when you can't look at the source code;
you are basically left with fuzzers and manual/brute-forcing injection as your
only viable point of entry.

------
fred_is_fred
Many SVP/CIOs will not use a product unless there is "someone to call". Even
if that choice costs them millions of dollars.

