- How important is it for industry analysts to include security analysis in their SaaS research?
- Does non-commercial open source have a fighting chance to be mentioned by industry analysts to their customers?
- How can customers understand analyst transparency when it comes to coverage of non-commercial open source?
James has always been particularly exercised about the fact that OWASP lacks coverage. When he raised this issue with me last year, I responded by posting some questions on the OWASP wiki and the OWASP Linked-In group, as well as several posts on this blog. I'm still waiting for answers.
If there is something in the product offering from any of the large vendors that I don't understand, I can contact one of my analyst relations "minders" and get a reasonably quick answer. If it's a small vendor, I can usually get an answer straight from the CTO. In contrast, my questions to OWASP go into a black hole. One person even suggested that if I wanted to know something about OWASP I needed to start a project. No thanks. (And, to answer Jim's comment below, I don't want to join a mailing list either.)
Industry analysts simply cannot invest that amount of time in chasing non-existent information. If OWASP wishes to be taken seriously by industry analysts, then it needs to put some energy into briefing industry analysts properly, instead of expecting us to root around the OWASP website and complaining when we don't.
Large vendors may sometimes try to influence industry analysts by commissioning work, and many analysts declare this when they deem it relevant. (I think that's what James means by transparency.) But a much more subtle influence can be achieved simply by providing better quality information and making our lives easier.
Update February 2013. James has now returned to the subject Five Mistakes CIOs make in asking analyst firms to create vendor shortlists... (February 2013). See further comments below this post, plus discussion on Twitter OWASP and Industry Analysts (Storify, February 2013).