Open-source software presents a unique legal challenge - so how do commercial lawyers develop their technical skills in this landscape? We chat with Snyk's general counsel to find out.
Hi 👋 who are you?
My name’s Stephanie, I’m GC of Snyk.
What does Snyk do?
Snyk enables security and development teams to find and fix known vulnerabilities in their open-source. We’re a UK-headquartered late-stage startup with offices in Tel Aviv, Boston and Ottawa. Snyk recently raised, and we are looking forward to an exciting year of growth ahead! The use of open-source software (OSS) is ubiquitous, making up the majority of code used to build software today. A vulnerability in an open-source package will be amplified by the number of applications and organisations using it, which represents a huge security risk for those organisations.
Lawyers are a bit behind the curve in understanding OSS; but every company that writes software will use OSS. When a development team creates an application, there might be, say, 200,000 lines of code, but perhaps only 20 lines of proprietary code will be written by the developers. The rest could be OSS, and it could be subject to bugs or flaws that can impact your organisation’s security.
What's the journey been like - growing a legal function in a fast-paced company?
Scaling the legal team quickly is our #1 priority. When I joined as a consultant, 18 months ago, there were 30 employees - now we’re close to 200, adding roughly 20 people a month across our offices. The legal function needs to scale as quickly as the rest of the company but finding good lawyers to join us fast enough is a challenge! I’m building the legal team to be a team of three by the end of this year, and I’d prefer to hire people who can hit the ground running. I relied on external law firms and used overflow resources like Lexoo to fill in the gaps.
As is often the case in startups, my personal challenge is not to get buried in easy “legal ops” work that could be outsourced, freeing me up to deal with the bigger picture, like funding rounds, M&A, working with investors, improving processes and risk management.
Open-source software presents a very specific type of legal challenge - how do you balance specialist and generalist expertise?
I’ve been an in-house commercial and corporate lawyer for 20 years; in travel and leisure, telecoms and tech. When I started at Snyk, I had to become an open-source software expert! I knew as much as most commercial lawyers, which is enough to deal with a clause in a licensing agreement or a due diligence questionnaire - but I’m not from a software engineering background. It’s been a steep learning curve for me to learn about code repositories, dependencies, manifest files and the various software languages.
The open-source revolution has democratized the software development ecosystem - instead of writing code to achieve a function, a developer can take it from an OSS code repository, such as GitHub, Bitbucket, etc. This saves them development time, but also exposes the code to increased risk.
So then the question is: how do you protect against that risk? As an in-house lawyer or compliance manager, source code security should be part of your risk management strategy. Looking across all the areas of compliance (from privacy to anti-bribery) - the security and compliance of your OSS needs to be on that list of top risks. Start by asking your development team if they know what open-source packages they are using, and then ask them how they identify and address vulnerabilities.
How do you hire lawyers with the right expertise?
I always believe in hiring people who know more than me! My next hire will have more SaaS and software licensing knowledge - but the majority of work we do as a legal department is the same as in many small legal teams. The market is full of very bright people from tech startups who deal with SaaS products and software licensing. The challenge is hiring people who understand that velocity is the most important thing in a startup. Turning things around in 40 minutes, not 48 hours - that’s how we work in a high-growth startup.
How do you collaborate with the business to add value from a legal perspective?
I collaborate closely with the business - specifically the sales teams - to understand how they talk to customers and answer technical queries. I need to be as much a commercial person as a lawyer, because I need to explain technical issues to non-technical people (e.g. other lawyers). Being an in-house counsel is rarely just about being a good lawyer; it’s about understanding the drivers for the business and the customer’s business. I think it’s key for an in-house lawyer to be as interested in the business as the businesspeople are and to simplify technical concepts in a way everyone can understand.
Is it hard to convey legal ideas to a business person when you’re dealing with something complex like open-source security software?
Absolutely. In-house lawyers need to become very familiar with their company’s product, and this takes time and a thirst for learning. It’s not a great look for legal counsel to admit that they only know about indemnities but can’t explain why it matters in the context of the product. At Snyk, we have a lot of training resources and technical documents available to help with this.
Just like I have to explain legal concepts in a simple way, someone has to explain those technical concepts, to me, in a simple way. And then I need to be able to combine the legal, technical, and commercial in a negotiation to do a good job for my internal client. Lawyers have to be a little geeky to drill down into the fine detail of the product, instead of just being a lawyer in an ivory tower, dispensing solely legal advice.
Our core values include being “ridiculously easy to work with” and “one team”. My legal team needs to work seamlessly with the rest of the business, which means aligning closely to the needs and drivers of the other functions.
With technology constantly advancing, is there a struggle for security software to keep up?
It is a truism that everything is becoming software and software is eating the world. If “everything” is software, software needs to be secured against vulnerabilities and faults. At Snyk, teams of security analysts are researching every single day to ensure we’re keeping up with developments and acting faster than our competitors.
Many companies don’t realise they should be using a security tool of some sort to protect their OSS, so when a due diligence questionnaire asks them for details of what OSS they use, there will be a mad scramble if they don’t have a tool in place.
Does keeping up with changing technology make your job harder?
I’m not trying to keep up with everything. I'm interested in the latest tech advances, because I’m in the tech industry; but really I’m still focusing on being a lawyer and staying ahead of regulatory changes.
It’s interesting to observe what’s happening in the regulation of big tech - for example, the FAANGs - and what the governments are trying to do across the US and Europe to control the excesses of big tech. Keeping up with these developments will help me with my job. Whether it’s reading blogs and bulletins, or having a network of peers who are in similar industries - it’s very important to have that wide network to be able to check in with others when technology is moving so fast and lawyers are trying to keep up with those changes.
If you were advising a young lawyer looking for an in-house role, what would you say about joining a software company like Snyk?
Do they want to work in the high-growth tech sector? Are they comfortable with constant iteration and making decisions in grey areas? Disruption occurs at all levels in the organization, so they should be prepared to think and work in non-traditional ways. The most important quality involves being flexible, fast, and working to aggressive sales deadlines. There’s an ‘all hands on deck’ kind of approach that is more important than tech expertise or even legal knowledge. Commercial lawyers are adaptable, but the atmosphere and culture of a tech startup is unique. You either have that desire to work here or you don’t.
Visit Snyk to find out more about open-source security software.