security & risk

Each year, Forrester Research and the Disaster Recovery Journal (DRJ) team up to launch a study examining the state of business resiliency. Each year, we focus on a resiliency domain: IT disaster recovery (DR), business continuity (BC), or overall enterprise risk management (ERM). The studies provide BC pros, DR pros, and other risk managers an […]

Forrester VP and Group Director Stephanie Balaouras reviews the infusion of an open source development mentality in IBM Security and the impact on the broader security ecosystem.

Discover why sustainability and climate adaptation planning aren’t the same, and why your firm needs both to succeed.

I am often asked, “Renee, what is integrated risk management (IRM), and how is it different from GRC?” You are neither misinformed nor are you horribly confused. We have been on a seven-year journey together maturing governance, risk management, and compliance (GRC) programs to eventually give you the process, program, and data to get to […]

Today, my inaugural evaluation of the European consulting services provider market published, as I write this blog from the city of Barcelona. Along with “The Forrester Wave™: Cybersecurity Consulting Services In Asia Pacific, Q4 2019,” which published yesterday (see here), this marks the first time that we have explicitly assessed the European security consulting services […]

Bot traffic can eat into profits and sabotage customer experiences. Learn how to play defense.

This year’s NCSAM theme of “Own IT. Secure IT. Protect IT.” is a powerful call to action for ownership and accountability. However, many heeding this call won’t think about how it also extends to the vast and growing network of third-party relationships. Why? For most organizations, third parties complicate cybersecurity risk management.

We, as security practitioners, need to be mindful about what we mean when we say “2FA” or “MFA.” These terms are often used interchangeably. The confusion is understandable, since 2FA is a subset of MFA. However, just like Halloween candy, MFA (including 2FA) comes in many flavors. Let’s unpack these terms and consider the various […]

Are you a tech optimist? I generally tend to be. Yet as I read about new technology, I sometimes find myself thinking, “This is amazing! And terrifying.” As we approach the end of cybersecurity Awareness Month, I’d like to draw attention to the issue of technology-facilitated abuse. Abusers Use Technology To Control And Hold Power […]

Cybersecurity needs to be part of every retailer's holiday strategy. Learn how to protect against one particularly menacing threat.

Cyberthreat intelligence (CTI) is an overcrowded space that is overdue for contraction. In general, we see it filled with smaller vendors with founders who come from an intel background, got enough funding to land a Fortune 100 client (not exclusively, mind you), and have put their logo into every pitch deck they use when going […]

Browser based attacks are particularly frustrating because they directly affect your customers. Learn what attackers are doing and how to minimize the risk.

Get five new resources for cybersecurity threat management in your enterprise.

Even cybersecurity experts can get fooled. Read this cautionary tale of a time when a security and risk expert almost got hacked.

The California Attorney General just Published CCPA rules, and they're clear as mud.

As of September, I’m the new identity and access management (IAM) analyst on Forrester’s security and risk research team. I am grateful to have joined a very talented group of analysts at a company that is fun, intellectually stimulating, and committed to high-quality, objective research. In my role, I will be taking over some of […]

Having just been through an onslaught of work related to the Forrester Wave™ evaluation on Zero Trust eXtended ecosystem platform providers, I think that it’s worthwhile to put some guidance out there that might help folks as they interact with analysts (well, me, mainly, but maybe it will help with others, as well). And a […]

Cybersecurity Awareness Month Is Underway Executives consider cyberattacks the second leading global risk to doing business, per the World Economic Forum’s 2019 Global Risks Report. The US Senate passed a law to help firms suffering from ransomware attacks, and the NSA launched a new Cybersecurity Directorate. With a flurry of activity already underway, it’s going […]

Training alone can’t protect your organization from a phishing attack. Learn how a layered approach that combines technical controls and user education can.