security & risk

Sixty-four percent of global security decision makers recognize that improving their threat intelligence capabilities is a high or critical priority. Nevertheless, companies across many industries fail to develop a strategy for achieving this. Among the many reasons why organizations struggle to develop a threat intelligence capability, two stand out: Developing a mature threat intelligence program […]

I occasionally find people mapping their SOC capabilities to the ATT&CK framework by checking off specific techniques that they have shown they are able to detect with the intent of measuring coverage within their SOC. In this blog post, I hope to clarify why this strategy may be misleading. There Are No Bad Actions, Only […]

Since RSA this year, the drumbeat of Zero Trust across the market has continued to grow louder. Almost daily, the inquiries and conversations around Zero Trust and ZTX are coming in at an ever-increasing rate. That’s a good thing. In truth, most of the inquiries are from end user clients now, vice the vendor side […]

“If You’re Not Paying For It, You’re The Product . . . ” If you have worked in or around tech for the last decade, you have heard — or likely spoken — this irreverent remark about the data economy. While critics are all too willing to give this judgment on the use of consumer […]

At the start of the new year, a meme called the 10-Year Challenge went viral. The premise is simple: Post a photo of yourself in 2009 and a photo of yourself in 2019 to highlight certain changes that may have taken place in that time. Besides the security concerns of social media sites potentially mining […]

In late March, Marsh announced the launch of a program with a number of leading cyberinsurance firms including Allianz, AXA, Beazley, XL, and Zurich to evaluate cybersecurity products and services. Products that meet a minimum standard of criteria receive the designation of “Cyber Catalyst” for their effectiveness in reducing cyber risk. The intent is for […]

Today we released our 2019 security & risk recommendations report. We collected contributions from our colleagues across the Forrester security & risk team to identify the most important actions security leaders should take in 2019. Turns out, things are getting better for S&R pros, but challenges still remain. Security leaders have earned board-level visibility, privacy […]

I get asked two questions at least weekly, in some cases almost daily: Where do we start for Zero Trust? — Fix your IAM and user side of the equation. What is the difference between other frameworks and Zero Trust? — OK, now we can get down to the nuts and bolts on this one. Zero Trust turned 10 years […]

Microsoft has announced support for macOS in its rebranded Microsoft Defender ATP product, taking this product from being an offering that could be considered an add-on for hardening its own operating system to a multiplatform security solution. While this is an early release, it is a clear signal of the investment Microsoft is making to […]

CISOs in Asia Pacific must justify their spending and articulate the business value of often expensive investments in managed security to a largely non-security audience of executives. Currently, this is nearly impossible: Many managed security service providers (MSSPs) continue to go to market with messaging that is technology-centric and blind to the benefits they provide […]

Introducing our new monthly blog series, “The Security Snapshot,” which will curate and highlight key pieces of research from the security and risk (S&R) team. Last week at RSA Conference, vendors and security professionals discussed the newest cybersecurity innovations, the future of the industry, and some much-needed improvements. To start off the conference, Microsoft and […]

Last week was the annual RSA Conference. Estimates are that more than 45,000 security personnel, business professionals, and leaders attended the event, up from 35,000 last year. Regardless of the numbers, it was an epic display of how prevalent cybersecurity has become. As expected, a few buzzwords rang throughout the Moscone Center halls. Artificial intelligence, […]

Over and over, clients tell us they just don’t get enough funding for the kind of privacy programs that they want to create. In fact, many privacy budgets shrank in 2019 after firms were forced to spend more than they expected on GDPR compliance in 2018. But what if we told you that customer-centric privacy […]

It is high time for Forrester to demonstrate Zero Trust in a practical application scenario, our upcoming virtual reference architecture project aims to do just that.

Diplomatic networks carry some of the world’s most sensitive information: communications between world leaders, key technical intellectual property, trade strategies, and military plans. A recent report by antiphishing vendor Area 1 Security reveals that a three-year-long cyberattack led to the successful breach of the European Union’s diplomatic communications network. By focusing on the cybersecurity of the […]

The business risks associated with global climate change are enormously complex and nearly infinite in quantity. Your firm’s climate-related risks, however, are much more manageable (albeit complex and numerous, as well). No two organizations are exposed in exactly the same way. Rising temperatures, sea-level rise, and more frequent and severe extreme weather events have already […]

In my previous blog post on the MITRE ATT&CK evaluations, I developed a scale for rating the individual vendor evaluations and provided source code to help make the results more generally consumable. Since publishing this blog, I’ve been having a number of conversations with clients about the “tainted” modifier in the recent MITRE ATT&CK evaluations, […]

I’ve been extremely excited about the MITRE ATT&CK evaluation since it decided to open it up to vendors earlier this year. The endpoint detection and response (EDR) market represents the direction of endpoint security, yet the state of endpoint efficacy testing has been underwhelming. • Antimalware testing has become a standard part of the endpoint […]

Another Friday, Another Breach Announcement Today, Marriott announced that it uncovered four-plus years of a previously unknown, unexpected, and unauthorized data breach that includes travel details, passport numbers, and credit card data. Five hundred million customers found out this morning when Marriott announced a multiyear breach dating back to 2014. Longstanding defects in Starwood’s database and network […]