Forrester survey discovers that virtually no one uses open source (?!?)

Forrester just released a new survey, one that begs the question: Who paid for this rubbish?

I generally like Forrester's work, but this survey flies in the face of every piece of research on open source that I've seen in the last five years...including research from Forrester. Also, as the research itself finds, often its survey respondents are using open source even when they don't know it: Nearly half of those surveyed by Forrester who are using open-source frameworks (e.g., Spring) still claim they are not using open source.

Forrester's newest research finds:

• Seventy percent of decision-makers responded that they don't have interest or have no plans to adopt open-source software;
• Only 23 percent of respondents said expanding their use of open-source software was a priority;
• Security is the main concern around adopting open-source software. Eighty-eight percent of respondents said it was an important or very important concern.

Amazing how open source's greatest strengths are now being used against it. Security? I'm not suggesting that open source is perfect here, but it's one of the primary reasons that people are dumping proprietary software for open source. This is a classic Microsoft spin, and directly contradicts Forrester's own, earlier research that open source offers security advantages, not disadvantages.

Fortunately, if CIOs care to spend even a nanosecond checking Forrester's claims about tepid adoption of open source, there is a wide array of contradictory evidence, including from Forrester:

• Earlier this year, Gartner's Mark Driver noted the following: "By 2012, 80 percent or more of all commercial software will include elements of open-source technology."


• In 2005, Forrester's Michael Goulde found that open-source adoption is exploding across the enterprise, with 74 percent of surveyed enterprises using or planning to use open source. That was in 2005. The number has grown.


• Gartner also found that 90 percent of all SaaS providers will be embedding open source in their offerings by 2010. In other words, even when end-users aren't "buying open source" they'll still be buying into open source.


• In a survey of Red Hat's customers (surely comprising a majority of those surveyed in Forrester's questionable survey above), 86 percent of JBoss users declared it capable of meeting their most demanding workloads.


• IDC reports that Linux server growth outpaces Microsoft's Windows Server growth at 11.6 percent. Surely some of Forrester's surveyed enterprises have heard of Linux?


• 55 percent of the US federal government is found to be using open source, and 71 percent of those surveyed believe their agencies can benefit from open source.


• Apache reports 2007 as its strongest year ever, while analysts peg its market share at 74 percent for web servers.


• InformationWeek polled even Microsoft's customers and found that 54 percent would buy more from Microsoft if it would open up.


• An Actuate survey finds widespread adoption of open source, with even more planning to adopt. Gartner suggests that open source is cannibalizing proprietary software. Yum.


• IDC suggests in 2007 that the Linux ecosystem is worth $18 billion but will grow to $40 billion by 2010. That sounds like (better than) 100 percent growth to me....


• ZDNet discovers that while open source hasn't put Microsoft or anyone else out of business just yet, open source has come to permeate a wide array of open and proprietary products. In other words, even when you're not overtly buying open source, you're still buying open source.


• IDC finds widespread adoption of open source within enterprises.


• 33 percent of Oracle users also deploy open-source databases.


• Firefox hits 18 percent of enterprise desktops. The momentum continues.

And so on. I have other research from Morgan Stanley, Goldman Sachs, IDC, and others that tells much the same story: Open-source adoption is growing at a frenetic pace at every level of the software stack. Security is often cited as one of its chief benefits. It's not that open-source software is by nature secure, but rather that for credible vendors of open source the software's transparency makes it easier to spot and fix vulnerabilities.

Having said this, even in negative, perhaps wholly inaccurate findings, there is still room for open source to improve. If, in fact, enterprises are holding back on open-source adoption due to the reasons below, then this is a revenue opportunity for commercial open-source vendors:

(Credit: Forrester Research)

There is more adoption than Forrester notes. Much more. But perhaps we'd see even more if we did a better job of marketing the security benefits around open source, the cost benefits around open source, the support and TCO benefits around open source, etc.

Back in 2005, Microsoft was paying Forrester for anti-Linux research. I assume that this report, referenced at the top of this post, is more of the same. But even in the midst of FUD there is real data that can make open-source vendors better.

Correction: Forrester got in touch to share the following:

One thing I wanted to clarify because you make a couple references in the post to the study being "paid for" or sponsored by a vendor. The survey was not sponsored - the data came from our Enterprise and SMB Software Survey, North America and Europe, Q3 2007, which was a completely independent Forrester study and one of the largest enterprise/SMB surveys we conduct on an annual basis.

All of which makes the data even more confusing, since it doesn't jibe with any other surveys/research I've seen in the past few years...including from Forrester.

[jimmyed2000]

Matt, it all depends on who takes the survey.

If it is IT guys: they know that open source is being used all over the place and will give you the `truth` about usage of open source.

If it is CIOs: they are often blind to the adoption of open source within their own company, Sun's Schwartz has blogged about at least on example of this. I have also heard of a CIO who thought that his company was getting Tomcat from the 'Apache Company' and was surprised to learn that there was none. CIOs are also more risk adverse and less educated about open source.

It also depends on how you ask the question. If you ask me if expanding my investment in video games for the Wii is a priority for me my answer is no. If you ask me if I expect my investment in video games for the Wii to increase my answer is yes. Its not a priority for me, but I see it as inevitable.

From these results I would predict that the decision-makers taking this survey were mainly CIOs. If this is the case Forrester?s mistake is in surveying the weak link in the open source adoption chain. I say that CIOs are the weak link because they are less educated about open source than the IT community, they are largely unaware how deep and wide open source adoption already is within their organization. They think that they should be making decisions about the adoption of open source but don't realize they are too late. They need to be doing audits and putting governance in place. Otherwise the 'C' in CIO is more likely to mean 'Canute' than 'Chief'.

Forrester's report does highlight a perception issue that open source has amongst certain communities. This provides open source advocates a clear target to shoot at. Upon hearing about Bernard Golden?s upcoming report at OSCON on Open Source in the Enterprise someone asked me if I thought this was old news, generally accepted already, and not worth reporting on. Forrester?s survey show that open source advocates need more facts and reports at their disposal. I am looking forward to his report although none of the people who really need to hear it (CIOs) are likely to be at OSCON.

James Dixon

[TimBowden]

I'd have to agree with James here. My experience is that open source goes from the middle up. Tech level staff will often be quite up to date about the state of open source, and be happy to use it where needed. Senior management often have no idea. Once they are told there is a solution to a business problem and they don't need to pony up buckets of cash, the issue often disappears from their radar. It is only later that they tend to find out about how much foss they are using across the enterprise, and from all reports it often gives them quite a shock. Still, I think the message is slowly getting further up the chain than ever before. Believe it or not, but one of the driving forces seems to be Ubuntu. As the poster child of desktop linux, it seems to have begun driving awareness and acceptance of open source sideways beyond the traditional IT geek savvy crowd. Another more important driver may well turn out to be the ultra mobile PC sector with offerings such as the Eee PC. In this segment it's leaving winXP to eat Linux dust. This is a route to putting the open source question on senior managements desks (literaly) without waiting for the message to percolate up from the tech ranks. It will be interesting to see how this plays out over the next few years.

Tim Bowden

[Savio.Rodrigues]

Matt, I think you should look at the 2 questions they asked respondents ALREADY using opens source like Hibernate or PHP. Nearly 50% of these respondents said, "nope, we're not using OSS". See: http://weblog.infoworld.com/openresource/archives/2008/06/forrester_surve.html

So, this is a perception problem. CIOs (i.e. the likely candidates who responded to the survey) don't know what is being used in their shops.

Don't believe the hype about OSS being "more secure". Yes, having the source available means more eyes can scour the source code for potential holes. However, the leap of faith you must take is that there *are* eyes scouring the code. 99.9999% of the time the source code isn't even downloaded. Also, no two projects are the same, so just because Linux is "secure", doesn't mean all OSS will magically be. There is no magic but for great developers with great experience to draw upon. Some OSS projects have this in spades, others don't....no different for commercial software though.

[Savio.Rodrigues]

also....

The results are what they are. Some CIOS don't know they're using OSS.

OSS vendors will have to convince these CIOs before the check gets signed. It doesn't surprise me that CIOs aren't wholly aware of what their developers (or managers) are using. We experienced this in spades during the early days of Linux.

Instead of dismissing the results, I think it would be more productive to think about ways to educate CIOs that they are in fact using OSS and should get support (like their colleagues who knowingly use OSS said they do -- support is #2 on the list of concerns).

[Matt Asay]

@savio. I don't across-the-board buy the "security through transparency" argument - it really depends on each project and how security response works. But I can tell you from personal experience that for those enterprises that do want to muck in the code (and there are far more than we normally think), they *love* having access to the code to be able to make changes well before their vendors get around to doing so, including on the security side.

[jeffreyhammond]

Hi guys,

As the author of the report I feel compelled to jump in here. To be clear the data is part of an annual independent survey that we field very year to enterprise IT decision makers. I want to stress that I am simply presenting the data from questions as responded to by survey participants. Had I been influenced by some ill will against open source I would have simply presented the initial data from the participants and let it stand. I think if you look at the follow up charts I present there is an alternate conclusion, which is that it looks like IT decision makers DO NOT REALIZE that in many case their developers are using open source languages, frameworks and products. They know Swing but not the license - they know PHP but not the license. This is why I put the data about open source languages and framework use in- to highlight the lack of awareness that decision makers seem to have when it comes to what open source products are already in use in their organizations. I think that open source has a perception and awareness problem, but not necessarily an adoption one - but we'll need to do some follow up work to be sure. Note in my "what is means" section I specifically state: "Decision-makers aren?t aware of their use of open source wrapped in commercial products from IBM, Novell, and Sun." and "Open source frameworks such as Spring and languages such as PHP are better known by name than license model." This quantitative research backs up what I see anecdotally- that many IT decision makers are only beginning to realize that developers have already brought significant amounts of open source in house and are happily using it. Other surveys I have recently done with developers and software architects suggest that even at this late date as many as one out of three organizations (many of them Microsoft shops) still do not have an official corporate policy in place with respect to use of open source.

You can certianly dispute the findings - and my interpretations of them, but I assure you the data was not tampered with or influenced in any way.

Thanks,

Jeffrey