Enterprise

How GitHub COO Erica Brescia runs the coding gold mines

GitHub sits at the center of the world's software-development activity, which makes the Microsoft-owned code repository a major target for hackers and a trend-setter in open source software.

​GitHub COO Erica Brescia

GitHub COO Erica Brescia

Photo: GitHub

An astonishing amount of the code that runs the world's software spends at least part of its life in GitHub. COO Erica Brescia is responsible for making sure that's not a disaster in the making.

Brescia joined GitHub after selling Bitnami, the open-source software deployment tool she co-founded, to VMware in 2019. She's responsible for all operational aspects of GitHub, which was acquired by Microsoft in 2018 for $7.5 billion in one of its largest deals to date.

Microsoft wanted to own GitHub because GitHub owns one of the most central gathering places for software development on the planet. More than 65 million software developers use GitHub to store code and collaborate on projects with colleagues and, increasingly, as part of their software assembly lines. That also makes it a prime target for hackers, as well a potential source of frustration for software developers around the world.

Brescia has witnessed a dramatic expansion in both enterprise sales and hiring at GitHub in the two years since she joined the company. She's also choreographed the tricky dance steps that come with operating a service used by almost everyone in tech that also happens to be owned by one of the biggest software companies ever created. In an interview with Protocol, she discussed the state of GitHub's infrastructure, changes in open-source software philosophies, and why "hybrid" work strategies will thrive in the post-pandemic era.

This interview has been edited and condensed for clarity.

It's been a little over two years since you joined Github. Can you give me a sense of what things have changed?

While I didn't work at GitHub previously, my husband actually did work [at GitHub] with our CTO; he had left before I joined. But I met the founders when they were just starting the company. I have long followed GitHub, and admired the company prior to joining it.

I think probably what's most interesting about what has changed is really the expansion of the platform. When Microsoft acquired the company it was really focused just on code collaboration and since then we've greatly expanded the surface area of GitHub to include, you know, Actions and a complete [continuous integration/continuous deployment, or CI/CD] engine, we've recently launched Codespaces, our security investments and products. Those announcements I think are of critical importance.

Certainly, from an operational perspective, the company has grown quite a bit. We were around 1,000 employees when I joined, and we're about 2,500 now.

In terms of the operating structure, is LinkedIn a good parallel for the way that GitHub works within the Microsoft world?

There's certainly a lot of similarities. The most important one is we really do manage the business independently on [its own] P&L. We have our own C-suite, just like LinkedIn, [and] we make our own decisions around the direction of the products and the business. Of course, we do that in some collaboration with folks at Microsoft. But our roadmap, our resource allocation, everything is really left up to us.

I think what might be a little bit different is there are a lot of opportunities on the product side to co-develop with Microsoft. I think Codespaces is a great example of that.

Do you anticipate they're having that kind of arm's-length separation for the foreseeable future?

I do. GitHub is the home for all developers no matter where they want to build. They might be deploying to Azure, but they might also want to deploy to AWS, or Alibaba, or Google or any number of other providers around the world. And so, you know, we'll always focus on what's best for developers and offering developers choice. We'll continue to leverage the resources and the opportunities that we have through Microsoft, whether that's an enormous global sales force or products like VS Code, that we can build on top of [to] accelerate GitHub in a way that provides us with a unique competitive advantage.

I remember when the deal was announced there was a fair amount of worry in some developer circles that GitHub would put this really big "deploy on Azure" button, like, right in the middle of the UI. As you think about co-development opportunities, how do you balance that desire to work more closely with Microsoft against this customer base that's very wide and diverse and has a wide variety of needs?

It's one of my favorite topics of conversation. Yeah, we will not have a "deploy to Azure" button without a "deploy to the other cloud vendors" button as well. Currently, we don't have either. And that's of critical importance from my perspective.

One of the organizations that rolls up to me is our business development and technology partnerships and engineering team. Their mandate is really to make sure that we have healthy and fruitful relationships with a variety of players in the ecosystem, not just the other cloud vendors, but also companies that compete with GitHub in various ways. When I first joined, my three first meetings outside of GitHub were all with CI/CD providers in advance of our launch of Actions to tell them what was coming and talk about how we can continue to work together to make sure the developer is going to have a great experience — not only with GitHub products, but also with other products that they might want to use in the ecosystem.

If you go back to my first Universe keynote [at GitHub's annual conference], which was towards the end of 2019, I had Clare Liguori from AWS on stage demoing our integration with them, we've done a bunch of great work there. It was Amazon, not Azure, that was on stage, and there's a good reason for that.

Ultimately we're here to deliver what developers need, and I'll go back to what I said before, which is, that's choice. I think you asked, how do you balance that? Part of it is through this lens of "developers first" whenever we're making product decisions, and whenever our product folks are meeting with our technology partnerships folks that is the topic of conversation.

Are we striking the right balance? Is this really what's best for developers? I think if we truly are always putting developers first that leads you to make the right decisions around preserving choice and optionality.

Where does GitHub run at the moment? Do you run on Azure? Do you maintain your own infrastructure?

We have quite a bit of our own infrastructure that we maintain. So we maintain our own data centers. And we also run some things on AWS and some things on Azure.

Has that changed in the last couple of years post acquisition?

Our infrastructure has greatly expanded because the platform has expanded vastly. We're continuing to invest across all three platforms, just depending on our needs. Obviously, Codespaces runs on Azure because we built it on top of VS Code. But there's plenty of other things that are running [in] other places.

There's an argument that security is better on the cloud versus maintaining your own data centers, although I would suspect that GitHub is a little more advanced than most organizations out there. But given the strategic importance of what people have stored in GitHub to their businesses, I am curious about how that works.

We have an exceptionally good track record from a security perspective and we have an incredible team of folks that does that work. That said, we've made a very significant additional investment in security this year; we hired an incredible guy, Mike Hanley, who scaled up Duo from under 100 employees through Cisco, then he was the CSO at Cisco.

We're greatly expanding that team. With the increase in nation-state threat actors that are after every technology company, I don't think that's unique to GitHub. But there's a lot of important investment that needs to be made across the industry.

I'm sure you're tracking all the executive order stuff on [software bill of materials] requirements and [Developer Certificate of Origin checks]. And, as you might imagine, we're very deep in in all of that work, and making sure that GitHub as a platform is not only secure in the platform itself, which is of the paramount importance given the value of intellectual property and code on our platform and the opportunities that that might provide to a bad actor, but also providing our customers with the tools that they need in order to not only develop, but maintain secure source code.

I think the original approach that some folks took to open source was like, "We're just gonna build something cool and figure it out later." And that's really, really risky business these days.

I know you have a very long history within the open source community, and this world has obviously changed so much over the last three or four years in terms of the way that people think about the relationship between open source software and commercial activity. If you were starting a company today, would you feel as confident about building around an open source project as you would have, say, eight or 10 years ago?

It depends on what you're building. I was on the phone with one of the founders of Isovalent earlier today, and they're building Cilium, which is based around [the data packet filtering tool] eBPF, which is a really interesting technology that I'm far from an expert on. I think this open core model really can work, it really can work well, but it just depends on what you're building and how people are going to use it.

I think that cloud and SaaS definitely did change things. People need to be thorough when they're thinking about their strategy from the beginning, when deciding whether or not to open source at all, and which parts of their business to open source and what they're going to build around that to drive additional value. With some companies, it's very, very clear; it's easy to draw a line between enterprise features and non-enterprise features. And then for other companies, that's a lot harder to do.

I think the original approach that some folks took to open source was like, "We're just gonna build something cool and figure it out later." And that's really, really risky business these days. I think you need to be more deliberate in your strategy and what you're trying to get out of open source.

I think the other thing — and then I'll stop because I could talk about this for a very long time — is the way that people think about open source as a part of their model has changed, too. You know, I think before people just thought, "I'll make it open source, and then everybody's gonna use it." I think folks [now] have a much better understanding of the commitment it takes to actually build something in open source and nurture a community around it.

What do you think about the ethical licensing movement?

I will be honest, I have not been tracking this closely. My high-level view is that I don't see how you can do that in a way that will make open source still palatable and consumable by businesses, which means it is a non-starter. Maybe there's some more state-of-the-art thinking that I'm not yet familiar with, but I don't see a way that you can codify that into a license, because ethics typically requires judgment. That's a hard thing to capture in a license and something that's very challenging for companies to get behind because of the lack of clarity. A lot of open-source development is happening by developers that are paid to work on open source.

What has GitHub learned from its experiences with employee protests over its work with ICE and with respect to the youtube-dl tool over the last couple of years?

Learning from things like youtube-dl, I think that's a very different case. And I think what we learned from that — we published a great blog post following that — was that, obviously we need to comply with the letter of the law, but we also need to make sure that we have all the support in place for developers when companies come after them for open-source projects, and file these DMCA notices that may not actually be valid, or are maybe solvable with some small fixes.

In terms of your other question, it's something that we'll continue to see across the board. Customers and employees are absolutely within their rights to voice their opinions, and vote with their feet if they're not happy with the decisions that a company is making.

I think what we learned is it's just really important to have a clear set of operating principles about how decisions are made and who you do business with. I think we made that clear to employees: that we are going to continue to do business with the U.S. government in this particular case, but it applies much more broadly beyond that, just making sure that people understand, "these are our views as a company." And we realize that you [the employee] might not always be aligned with those, but these are the decisions that we've made. You can choose to continue working and accept it if you have a different perspective, or find a place that's more aligned with your own views.

The key is really delivering clarity. I think that's the biggest learning: How are you going to operate as a business?

What is your current remote work strategy and how has it evolved over the past year, which obviously has been a disruption like none of us have ever really seen? And then what are your plans going forward as we continue to all try to figure this out?

GitHub was largely remote long before the pandemic, about 80% of the workforce works remotely around the world. Because we do all of our work on GitHub and use it to drive everything that we do, we were very well set up to make the full transition to having everybody working remotely.

We do not expect to require people to come back into the office — with very limited exceptions — over time. I am a very firm believer in hybrid work: I have myself worked either remotely or in a hybrid environment for a decade now. And my view is that if you really want to build a global and truly diverse team, hybrid is the winning strategy.

The reality is working from home most of the time doesn't necessarily work for everyone, right? We have people who live in multigenerational housing in different countries who have just too many distractions, or not enough space; our employees in Japan, they have typically smaller houses and working from their apartments is really challenging for them.

You have people in San Francisco who have really high rent, so they have a lot of roommates. I've been taking calls with people in the bathroom sitting on the floor, because that's the only place they had to go for a call. A lot of those folks want to come back into the office some of the time, they just want that flexibility to choose how and when they do that.

Like everybody else, I think we have learned over the last year and continued to evolve and improve. We expanded our home office reimbursement policy to get people even better setups at home; we already had a pretty robust policy in place, but folks get more now. The other and more important thing is that we're just more deliberate in thinking [about] how to connect people that are working remotely into the company and build belonging, which has been one of the things that companies have been struggling with.

Correction: An earlier version of this story misstated the number of active users. This story was updated on Sept. 17, 2021.

Enterprise

How I decided to leave the US and pursue a tech career in Europe

Melissa Di Donato moved to Europe to broaden her technology experience with a different market perspective. She planned to stay two years. Seventeen years later, she remains in London as CEO of Suse.

“It was a hard go for me in the beginning. I was entering inside of a company that had been very traditional in a sense.”

Photo: Suse

Click banner image for more How I decided seriesA native New Yorker, Melissa Di Donato made a life-changing decision back in 2005 when she packed up for Europe to further her career in technology. Then with IBM, she made London her new home base.

Today, Di Donato is CEO of Germany’s Suse, now a 30-year-old, open-source enterprise software company that specializes in Linux operating systems, container management, storage, and edge computing. As the company’s first female leader, she has led Suse through the coronavirus pandemic, a 2021 IPO on the Frankfurt Stock Exchange, and the acquisitions of Kubernetes management startup Rancher Labs and container security company NeuVector.

Keep Reading Show less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Sponsored Content

Great products are built on strong patents

Experts say robust intellectual property protection is essential to ensure the long-term R&D required to innovate and maintain America's technology leadership.

Every great tech product that you rely on each day, from the smartphone in your pocket to your music streaming service and navigational system in the car, shares one important thing: part of its innovative design is protected by intellectual property (IP) laws.

From 5G to artificial intelligence, IP protection offers a powerful incentive for researchers to create ground-breaking products, and governmental leaders say its protection is an essential part of maintaining US technology leadership. To quote Secretary of Commerce Gina Raimondo: "intellectual property protection is vital for American innovation and entrepreneurship.”

Keep Reading Show less
James Daly
James Daly has a deep knowledge of creating brand voice identity, including understanding various audiences and targeting messaging accordingly. He enjoys commissioning, editing, writing, and business development, particularly in launching new ventures and building passionate audiences. Daly has led teams large and small to multiple awards and quantifiable success through a strategy built on teamwork, passion, fact-checking, intelligence, analytics, and audience growth while meeting budget goals and production deadlines in fast-paced environments. Daly is the Editorial Director of 2030 Media and a contributor at Wired.
Enterprise

UiPath had a rocky few years. Rob Enslin wants to turn it around.

Protocol caught up with Enslin, named earlier this year as UiPath’s co-CEO, to discuss why he left Google Cloud, the untapped potential of robotic-process automation, and how he plans to lead alongside founder Daniel Dines.

Rob Enslin, UiPath's co-CEO, chats with Protocol about the company's future.

Photo: UiPath

UiPath has had a shaky history.

The company, which helps companies automate business processes, went public in 2021 at a valuation of more than $30 billion, but now the company’s market capitalization is only around $7 billion. To add insult to injury, UiPath laid off 5% of its staff in June and then lowered its full-year guidance for fiscal year 2023 just months later, tanking its stock by 15%.

Keep Reading Show less
Aisha Counts

Aisha Counts (@aishacounts) is a reporter at Protocol covering enterprise software. Formerly, she was a management consultant for EY. She's based in Los Angeles and can be reached at acounts@protocol.com.

Workplace

Figma CPO: We can do more with Adobe

Yuhki Yamashita thinks Figma might tackle video or 3D objects someday.

Figman CPO Yuhki Yamashita told Protocol about Adobe's acquisition of the company.

Photo: Figma

Figma CPO Yuhki Yamashita’s first design gig was at The Harvard Crimson, waiting for writers to file their stories so he could lay them out in Adobe InDesign. Given his interest in computer science, pursuing UX design became the clear move. He worked on Outlook at Microsoft, YouTube at Google, and user experience at Uber, where he was a very early user of Figma. In 2019, he became a VP of product at Figma; this past June, he became CPO.

“Design has been really near and dear to my heart, which is why when this opportunity came along to join Figma and rethink design, it was such an obvious opportunity,” Yamashita said.

Keep Reading Show less
Lizzy Lawrence

Lizzy Lawrence ( @LizzyLaw_) is a reporter at Protocol, covering tools and productivity in the workplace. She's a recent graduate of the University of Michigan, where she studied sociology and international studies. She served as editor in chief of The Michigan Daily, her school's independent newspaper. She's based in D.C., and can be reached at llawrence@protocol.com.

Climate

Microsoft lays out its climate advocacy goals

The tech giant has staked out exactly what kind of policies it will support to decarbonize the world and clean up the grid.

Microsoft published two briefs explaining what new climate policies it will advocate for.

Photo by Jeremy Bezanger on Unsplash

The tech industry has no shortage of climate goals, but they’ll be very hard to achieve without the help of sound public policy.

Microsoft published two new briefs on Sept. 22 explaining what policies it will advocate for in the realm of reducing carbon and cleaning up the grid. With policymakers in the U.S. and around the world beginning to weigh more stringent climate policies (or in the U.S.’s case, any serious climate policies at all), the briefs will offer a measuring stick for whether Microsoft is living up to its ideals.

Keep Reading Show less
Brian Kahn

Brian ( @blkahn) is Protocol's climate editor. Previously, he was the managing editor and founding senior writer at Earther, Gizmodo's climate site, where he covered everything from the weather to Big Oil's influence on politics. He also reported for Climate Central and the Wall Street Journal. In the even more distant past, he led sleigh rides to visit a herd of 7,000 elk and boat tours on the deepest lake in the U.S.

Latest Stories
Bulletins