Forrester

Old Dogs Learn New Tricks — The Forrester Wave™: Enterprise Firewall Solutions, Q4 2024

One of the oldest security technologies — the venerable enterprise firewall — continues to thrive, as highlighted in the recently published report, The Forrester Wave™: Enterprise Firewall Solutions, Q4 2024. Contrary to expectations that this space might have little left to offer, enterprise firewall vendors have done well to keep this technology relevant for modern cybersecurity needs. They have made significant progress in keeping up with rapid innovations while supporting clients in securing dispersed and hybrid enterprise architectures. While enterprise firewalls continue to be delivered in the same manner, vendors have made the move to offer these capabilities as part of other “platform” initiatives such as Zero Trust edge/secure access service edge (ZTE/SASE), not only to make enterprise firewalls more accessible and improve their adoption but also to increase value retention, not just for large enterprises but also for small- and medium-sized enterprises.

Consolidate, Centralize, And Deliver A Unified Management Experience

Clients require a consistent and streamlined method for managing various deployments of enterprise firewall solutions. This involves having a unified UX/UI across physical, virtual, and cloud deployments and recognizing the need to support adjacent efforts like ZTE/SASE. Consequently, leading enterprise firewall solutions now offer integrated and unified management for data center, branch, and edge use cases, which include:

- As-a-service offerings.
- Zero Trust network access (ZTNA).
- Software-defined wide-area networks (SD-WAN).

With this unified approach, clients can derive greater value from their enterprise firewall investments, enabling them to address use cases that secure both north-south and east-west traffic regardless of environment. Clients can streamline policies across various enforcement points, strategically creating and orchestrating policies at different levels of the transit path for multiple transient connections without having to navigate multiple administrative consoles. A common policy construct and centralized visibility, enhanced with built-in AI/ML, also improve policy optimization for enhanced incident response.

Part Of The Bigger Picture

It’s no surprise that the industry continues to push for cloud migration, prompting organizations to evaluate enterprise firewalls to ensure that they meet modern challenges and requirements without adding costs or complexity. The reality is that enterprises will have hybrid topologies for the foreseeable future, consisting of a mix of cloud, virtual, and physical environments, all of which need security. To advance toward a more mature Zero Trust architecture, it’s crucial for organizations to see the big picture and choose the right solutions for the long term.

Enterprise firewall vendors have not only enhanced capabilities but also improved consumption models, making these solutions viable for securing cloud workloads, facilitating secure connectivity with integrated SD-WAN and ZTNA, and creating microperimeters. That last use case is a big deal, too, since 61% of global respondents in large enterprises view enterprise firewalls as essential for supporting a microsegmentation strategy, according to Forrester’s most recent Security Survey. The advancements in enterprise firewalls are transforming them from single-purpose tools into adaptable security solutions that can flexibly support an organization’s digital transformation journey.

Shared Mission, Shared Outcomes

The ZTE/SASE market is rapidly expanding, with many organizations seeing it as the ideal starting point for a Zero Trust architecture journey. And why not? As my colleague Andre Kindness highlights in his blog, this market is both disruptive and transformative. It allows organizations to replace legacy solutions with a consumable product as a service, merging networking and security stacks.

But what if you want to keep your firewall investment? Enterprise firewall vendors are addressing this by converging and consolidating their solutions to support and integrate ZTE/SASE. This approach simplifies adoption while preserving the value of existing deployments for organizations with ongoing on-premises needs. Whether the future involves moving to the cloud or not, the mission remains the same: Maintain comprehensive security everywhere, at all times. While the leaders in this space have advanced this strategy, other vendors are not too far behind and are poised to offer cost-effective offerings for smaller enterprises and other organizations.

You can read more about my findings and view each vendor’s strengths and weaknesses in the Wave report. Forrester clients, please reach out to schedule guidance sessions or inquiries with me to discuss our findings. If you’re feeling bold, join me at Forrester’s Security & Risk Summit in Baltimore on December 9–11, where I will host two sessions on Zero Trust that include a workshop and a panel discussion for getting your Zero Trust journey to the next level. Hope to see you there!


Announcing The Forrester Wave™: Attack Surface Management Solutions, Q3 2024

We’re excited to announce the inaugural release of a Forrester Wave™ evaluation covering attack surface management (ASM) solutions. We evaluated the 11 most significant ASM vendors in what is currently a rapidly evolving market segment. Forrester covers ASM and periphery markets such as exposure management and vulnerability risk management (VRM), as these segments all contribute to proactive security, supporting use cases of visibility, prioritization, and remediation. For the ASM Wave, we primarily focused on how ASM solutions provide the first essential step for proactive security: visibility.

What’s Going On With The Attack Surface Management Market?

For the ASM Wave, we evaluated vendors that started off as cyber asset attack surface management (CAASM) or external attack surface management (EASM) solutions, as well as vendors that package ASM as part of their SecOps platform strategy, including those that deliver ASM capabilities via an exposure management offering. All vendors evaluated are aiming to provide comprehensive visibility into assets and attack surfaces to enable customers to prioritize and ultimately remediate risks.

The state of attack surface management is volatile and dynamic (see figure below), which we took under consideration in the Wave evaluation. Some key considerations for today’s state of proactive security include the following:

- CAASM and EASM have merged into a singular ASM to support visibility use cases. CAASM and EASM have always provided visibility, through either an internal (defender) view or an external (attacker) view. These related use cases provide visibility and are improved when combining both views — which users can obtain now from CAASM, EASM, or ASM integrated within a SecOps platform. As our Wave details, CAASM features can differentiate by extending a breadth of integrations that ingest asset context, and EASMs can differentiate when vendors own and deploy proprietary scanning technology.
- Standalone EASM looks more like a threat intelligence product. EASM has turned into a capability to be found in a variety of products, most notably in threat intelligence providers that are expanding external pictures of environments — not just externally facing assets but also capabilities such as malicious brand impersonations on social media or mobile app stores, executive monitoring, and third-party/supply chain monitoring.
- EASM and continuous security testing augment one another. When assets are externally discoverable and accessible, the next strategic step in proactive security — prioritization — is testing them to assess the vulnerabilities. For this reason, continuous security testing companies that offer breach and attack simulation, bug bounty, or penetration testing-as-a-service capabilities have added EASM capabilities. Proactive security vendors need to support more than just visibility or prioritization to extend a platform offering. Since ASM is focused on visibility and continuous security testing supports prioritization, we expect to see ASM and continuous security testing vendors continue to add to one another’s capabilities.
- Proactive security platform approaches to attack surface management are most prominent. ASM will continue to prevail as a capability in proactive security platforms to provide visibility. Proactive security platforms today extend and will continue to enhance prioritization through features such as exposure management, CISA KEV/EPSS/CVSS or risk scoring (typically found in VRM solutions), or continuous security testing. ASM solutions integrating into a proactive security or SecOps platform with the data that platform already possesses is a crucial differentiator here, because it provides out-of-the-box asset context and stepping stones to exposure management as part of a prioritization strategy.

A Proactive Security Approach Will Future-Proof Vendor Rebranding, Category Shifting, And Your Program Strategy

Until, and if, the proactive security market stabilizes around one category, continue to ask yourself how much visibility you have, whether your prioritization strategy is maintaining acceptable risk thresholds, and how well you remediate vulnerabilities. These will always be the core principles you need to fulfill even as market landscapes change.

Today, ASM solutions provide visibility externally and internally. This visibility needs to be accessible for your prioritization strategy (whether through exposure management, VRM-provided risk scores, or continuous security testing) and needs to be the source in and out of your remediation tracking (whether through VRM, ITSM, or SIEM).

Forrester customers who have questions or concerns about ASM and these other complementary markets should schedule an inquiry or guidance session with me to review how you can ensure that your organization is on the right path for effective proactive security.


If You Are A Business Resilience Pro, We Need You To Answer A Few Questions!!

Each year, Forrester and the Disaster Recovery Journal (DRJ) team up to launch a study examining the state of business resilience. We examine different topics in business resilience such as disaster recovery, but this time, it’s all just business resilience. No matter whether your program’s goals are to create business continuity plans and test them, to build operational resilience, or to cross-functionally maintain business operations despite disruptions, this survey is for you!

The last survey focused on business continuity, and many of the numbers didn’t significantly change from 2018, including:

- The median number of full-time equivalents supporting the business continuity management program was three, which is the same as 2021 and 2018.
- Fifty-one percent of respondents reported updating their business continuity plans once per year in 2023, down from 54% in 2021.
- In our 2023 survey, executive sponsorship stayed high at 96%, after the leap in 2021 to 94% from a consistent 88% in both 2018 and 2014.
- Remote access was the most common strategy for workforce continuity even in 2008 (86%), hit a peak in 2018 (88%), and sat at 82% in 2023.

But worldwide operational resilience regulations, such as the EU’s Digital Operational Resilience Act and Bank of England’s Prudential Regulation Authority’s statement of policy on operational resilience, are either already in effect or will be shortly. They are both subtly and not so subtly changing the way we think about resilience.

Want to know how this has changed the business resilience landscape? We do, too! If you are a business resilience decision-maker or influencer at your organization, please take 20 minutes to complete the survey here.

Once the survey is complete, the DRJ will have a summary of the results on its site. For Forrester clients, the survey results will be examined in depth in reports that will publish in the next few quarters. All the results are anonymous. If you’d like to receive a complimentary Forrester report (The State Of Business Continuity, 2024), you can submit your email address and we won’t use it for any other purpose.

Take the survey, receive a free report, and help us and the DRJ get a pulse on business resilience!


Now Live: A Retailer’s Guide To Planning Holiday 2024

If you’re a retailer or consumer brand, by now you’ve likely been prepping for this important quarter for quite a while. The 2024 edition of our annual report, A Retailer’s Guide To The 2024 Holiday Season, is here to help you navigate the coming months across the end-of-year holidays. To learn from the last holiday season, we partnered with Bizrate Insights to examine when and how US consumers shopped for end-of-year holidays in 2023. And with insights from many of our fellow Forrester analysts, we also provide expert advice for you across marketing, customer care, tech, and more.

To start, a few data points about the 2023 holiday season (see our report for more!):

- Thirty-eight percent of US online adults began their 2023 holiday shopping in October or earlier (source: Forrester). About one in five waited until December to start shopping. Still, almost three-quarters of online adults who shopped for the winter holidays continued shopping through December (source: Bizrate Insights).
- About two in five US consumers surveyed said that they made at least three-quarters of their 2023 holiday purchases online (source: Bizrate Insights).
- Two-thirds of US online consumers used a mobile phone to shop online on Thanksgiving weekend in 2023 — mainly to make purchases, browse and research products, check prices, and read ratings and reviews (source: Bizrate Insights).

So how should you prep for the upcoming shopping season? Just a few of the areas that our 2024 guide delves into include why and how to:

- Invest in and sharpen your marketing tactics. Get ready for another busy season, starting right now and including Thanksgiving weekend and Cyber Monday/Week. See what we observed last year in terms of offers. Remember to run promotions that customers actually want — and learn how to revamp your email program to rise above the rest. Wondering what to do about your loyalty program, social platforms, and your retail media proficiency? We’ve got you covered.
- Help your busy customers with the value-add info they most need. Tune your commerce search and product discovery to give customers smart suggestions, as they more often shop for others and less so for themselves, and learn how to step up your imagery, product reviews, checkout, and payments experiences to smooth their path — and your overall user experience to boost their confidence.
- Prepare your customer care and associate teams to best help customers. You’ll need to manage a broad spectrum of veteran and seasonal hires, so make sure that all of them are equally well versed in any policy changes: what’s changed, where it’s published, and how to explain it to busy customers. Provide your team information about products, loyalty tiers, and anything else that customers will expect them to understand about the brand.

There’s much more — please see our research here. And be on the lookout in the coming weeks for even more consumer insights about the end-of-year shopping season, as well as our annual US online holiday sales forecast. If you’re a Forrester client, please schedule a guidance session or inquiry with one of us and/or our Forrester analyst colleagues for their area of expertise.


Get Ready For GenAI Chatbots: The State Of Conversational AI

Talk about change! As we approach the two-year anniversary of the announcement of OpenAI’s launch of GPT-3.5, conversational AI has been reinvented to incorporate generative AI (genAI) to take advantage of the many ways that this technology can make self-service applications smarter.

Previously, the conversational AI tools used to create chatbots and intelligent virtual agents (IVAs) required specific training for every interaction, including identifying the many ways someone might ask any question that the system was set up to handle. Conversations had to flow in a very specific order, as the systems were very limited in their ability to switch between topics without a great deal of very specific training and guidelines. It took a lot of work to build applications that were often disappointing to users.

GenAI significantly shortens the development time for applications while creating much better user experiences, replacing stilted and awkward conversations with comfortable, almost human interactions. This has a revolutionary impact on the chatbots and IVAs built with conversational AI systems that utilize generative AI. New chatbots can provide much more information to customers and deliver it in a comfortable, conversational manner. These are early days for genAI-driven conversational AI solutions, but early results are impressive and the potential is off the charts.

My latest report, The State Of Conversational AI, looks at where conversational AI is today in this crazy, fast-moving market moment. While the report looks at conversational AI across several areas, most readers of my blogs are focused on customer service, so I’ll spin this blog in that direction. Here are some of the key findings in the report that customer service leaders should pay attention to as they consider adding conversational AI to their contact center.

Prioritize Customer Experience Over Cost Savings

While the cost benefits of automation are undeniable, focusing solely on cost reduction can undermine customer loyalty. The report emphasizes the importance of balancing efficiency with customer satisfaction. When customers can use self-service to get quick answers to simple questions and agents are available to help tackle the hard stuff, everyone wins.

Implement Robust Guardrails For Safe AI Interactions

Safety and reliability are paramount when deploying conversational AI. The report highlights the need for guardrails such as retrieval-augmented generation and finely tuned large language models to ensure that AI interactions are secure and trustworthy. This enables applications such as “infrequently asked questions,” where knowledge bases, or even a set of PDFs, can provide answers to many customer questions without needing to predefine them. This creates solutions that are fast to build, useful for customers, and reasonably safe from hallucinations, since all answers must come from a specific data source.

Drive Positive Customer Experiences With Transaction Workflows

Self-service applications that answer customer questions are helpful, but without the ability to connect to back-end systems, a chatbot or IVA is of limited value. If you can’t check on the status of an order, schedule an appointment, or make a purchase, automation will fall short in customers’ eyes. Effective management of transaction workflows is essential to deliver positive customer experiences.

The state of conversational AI is at a pivotal juncture, offering unprecedented opportunities for customer service and customer experience leaders. By embracing generative AI, prioritizing customer experience, implementing robust safety measures, future-proofing self-service offerings, and managing transaction workflows effectively, organizations can unlock the full potential of conversational AI.


How 116 Retailers Competed With Amazon’s October 2024 Prime Event

Amazon has wrapped up its October 2024 Prime Big Deal Days event — a shopping bonanza that effectively kicked off the end-of-year shopping season. Much like in 2023, we reviewed 116 brands and retailers to see what they did — and didn’t — offer during the same time (note: we update the mix of brands from year to year). Some of our key findings include:

- Sixty-four of the brands we reviewed participated in the fall event. The majority ran some form of discount or promotion, and 20 of those held a sitewide sale. Twelve brands offered free shipping, four of which offered the perk for a limited time only. Some brands that did not participate offered their shoppers alternatives — for example, Dyson offered an in-store hardware trade-in event.
- Members-only promotions are evident. Brands are rewarding their members and loyalty account holders — nine participating retailers offered a members-only perk during this event. Perks included offers such as free standard shipping without a minimum purchase amount, additional loyalty points, sweepstakes, and extra discounts. Department store retailer Macy’s reserved no-minimum-spend free shipping only for its credit card holders.
- Marketing messaging focused on “prime” and “fall.” Brands used a broad range of sale themes on their websites this week. Sixteen of the 116 retailers evaluated stuck to a traditional “Prime” theme with “48-hours only” or “two days only” messaging on their home pages. Other retailers leaned into the season, with six brands using specific “fall season” sale messaging.

With end-of-year holiday shopping officially underway, stay tuned for more holiday coverage and insights as part of Forrester’s 2024 Holiday Prep Series. Forrester clients who would like to discuss the 2024 holiday season and your business — please schedule an inquiry or guidance session with us!

(coauthored with Delilah Gonzalez, senior research associate)


What’s New In Indian Mobile Banking In 2024?

In an era when people have started doing everything on their phone, is your bank’s mobile app evolving at the pace of customer expectations? Our latest Digital Experience Review™ of Indian mobile banking apps reveals a landscape ripe with innovation yet marked by notable gaps in customer experience. In 2024, Forrester reviewed and evaluated six key players to identify best practices and their usability, effectiveness, and customer experience. The Forrester Digital Experience Review™: Indian Mobile Banking Apps, Q3 2024, highlights the leaders, uncovers the current state of mobile banking experiences, and looks at notable trends that are emerging in the market.

Some Indian Mobile Banking Apps Show Rays Of Innovation

Our assessment of mobile banking apps unveils IDFC First Bank as the leader with a feature-rich platform. It not only caters to traditional banking needs but goes a step further by enhancing financial wellness and literacy. ICICI Bank follows, delivering an intuitive user experience and robust security measures. IDFC First Bank’s approach to offering personalized financial insights is a prime example of how banks can deliver excellent personalization. ICICI Bank’s engaging Discover section is another similar example. Most other banks, however, have yet to offer truly differentiated mobile experiences that are inclusive, engaging, and assuring.

Now Is The Time To Double Down On The Effort

The era of “one size fits all” is over. Customers now expect services tailored to their unique needs and financial aspirations. To meet these expectations, banks must go beyond traditional transactional services. Also, they must implement robust security measures in response to escalating digital fraud and improve their conversational banking offerings, such as chatbots. Current chatbots only troubleshoot, direct customers toward a service, or answer questions. Banks must evolve these bots to handle complex conversations and tasks themselves. This will offer customers a more personalized experience.

Additionally, embracing financial inclusion is a key differentiator that enables banks to reach a broader, more diverse customer base. While offering multilingual support and improving accessibility are positive steps, banks must continue to explore innovative ways to make their services more inclusive. Moreover, continuous innovation and actively incorporating customer feedback are crucial for refining these services. Thus, banks that prioritize these elements will excel in delivering exceptional customer experiences, setting a new standard in the financial industry.

If you’re a Forrester client, you can explore these findings in detail by downloading the report, The Forrester Digital Experience Review™: Indian Mobile Banking Apps, Q3 2024. And if you’d like to discuss this topic further or understand how your mobile app measures up, please reach out through an inquiry or guidance session.


Let’s Debunk Some Application Threat Modeling Myths!

Application threat modeling has gotten a bad rap over the years. Security leaders looking to implement application threat modeling with their product teams must contend with stakeholders who see it as nothing more than a compliance checkbox and previous iterations that were overly formalized and heavyweight. As security pros sort through the conflicting frameworks and approaches to find an application threat modeling approach that is effective, efficient, and repeatable, they must also unpack their own biases about what makes a good threat model.

While researching my latest report, Build A Business Case For Application Threat Modeling, I spoke with security practitioners who helped clarify and debunk some of the most common misconceptions around application threat modeling. Here are three of them:

- Myth: You must use a threat modeling framework. STRIDE and DREAD are the best-known threat modeling frameworks, with PASTA, VAST, LINDDUN, and others less well known — but familiarity does not equal adoption. Most of the people we interviewed did not use any of the standard frameworks, instead preferring whiteboarding, discussion, decision trees, or a more lightweight conversation based around understanding how a specific application functions. Even the authors of the “Threat Modeling Manifesto” declined to recommend a framework, describing their guidance as “methodology-agnostic.” Frameworks can have their uses, however, such as when your threat modeling initiative is led by less experienced security personnel or by developers who are new to security; in that case, a formal framework will provide guidance and structure. But don’t shoehorn in a framework. You can meet the goals of threat modeling without one.
- Myth: You must conduct threat modeling differently for different types of applications. Whether you are modeling a monolithic application, a set of APIs, an internet-of-things device, an application deployed in the cloud, or an application deployed on-premises, the security practitioners we spoke with agreed that the threat modeling structure and process is the same. That’s good news for security leaders, who can apply a single threat modeling approach across all product teams. The most important questions asked during threat modeling — What does the product do? What data does it handle? What can go wrong? What can we do about it? — are architecture-, form factor-, and deployment-agnostic. The answers to those questions will vary depending on application type, but that doesn’t change how you conduct the threat modeling exercise.
- Myth: If the threat model doesn’t identify every threat, the process is flawed. If you don’t set expectations around threat modeling’s goal, perfect can become the enemy of good. As with many security tools and processes, there can be an absolutist expectation that threat modeling will find every possible threat that will ever exist. The practitioners we spoke with stressed that threat modeling is about making the product better. Instead of labeling threat modeling a failure if it doesn’t find everything, use threat modeling as a “defense in depth” layer that helps identify and mitigate key security concerns early in the product lifecycle.

For more on this subject, please check out my latest report, Build A Business Case For Application Threat Modeling, or set up an inquiry or guidance session to discuss further. Also, if you will be attending Forrester’s Security & Risk Summit, please join me for my session, “‘The Not-So-Premature Burial’: Rethinking Application Threat Modeling,” which is part of the Cloud & Application Security track at the summit.


Support Your Talent Goals By Managing Your EVP And Employer Brand

Skills form the basis for developing and defending new value propositions. Hence, being able to attract and retain top talent is a strategic priority. Having access to the right skills is business-critical, yet Forrester surveys underline that a majority of organizations are struggling with skills shortages. The employer brand can help with that; it influences a candidate’s decision to join, and stay with, an organization. Thus, the employer brand, representing the identity and reputation of an organization as an employer, plays a valuable role in closing skills gaps. Moreover, the employer brand and how it’s experienced by employees is an important factor for the quality of employee engagement after the hire.

Our latest research helps business leaders align employee value proposition (EVP) and employer brand. Your employer brand is your public perception and reputation in the market, needed for attracting and retaining skills. When an organization’s words match employees’ lived experiences at work, recruitment and retention rates improve. Employer branding can be a differentiator to attract ideal candidates and skills to your organization. Your EVP, meanwhile, is the narrative that informs employees and candidates of what your organization can uniquely offer as an employer and what it expects in return. Nonauthentic promises and wishful thinking undermine your EVP — employees see through them, and there is then a risk of growing friction between employer and employee expectations.

Our report, What Your Company Means To Your Workforce Matters For Your Talent Strategy’s Success, helps business leaders understand how to synchronize the EVP and the employer brand to overcome skills shortages, among other things. Our research includes best practices for facilitating this alignment and:

- Identifies the key components that contribute to a compelling employer brand.
- Evaluates the effectiveness of the employer value proposition for employer branding.
- Examines the role of the employer brand in shaping the overall employee experience.
- Outlines steps to align EVP and employer brand.
