Forrester

The State Of Design: Progress And Persistent Challenges

Two weeks ago, Figma, a company with some of the most significant impact in the world of design over the last decade, went public. Remember the pre-Figma state of design? Designers worked independently in design files, meticulously documented their designs for developers, then struggled to facilitate the necessary but tedious process of getting feedback from a diverse set of stakeholders. Figma uprooted the design workflow with real-time collaboration and increased the speed at which teams can go from idea to product.

Figma’s successful IPO came as design takes on a more strategic role in business and AI becomes more central in customers’ experiences. We’ve dug into the evolving scope and practices of design and see encouraging signs of progress. At the same time, persistent challenges still hinder design teams’ effectiveness. We just published key insights from our latest data in our new report, The State Of Design. Here are a few of them:

Many design teams are growing and adding AI roles and skills. Half of design teams we surveyed are growing, and AI experience designers top the list of roles they plan to add in the next 12 months. Respondents to our survey also told us that expertise in AI-based tools is a key focus when developing existing team members, with 35% noting that this is a critical skill for designers to acquire. This focus on building and acquiring design expertise is encouraging given the critical role design needs to play in helping organizations design AI-powered experiences responsibly.

Over half of design teams still struggle with fundamentals such as following a shared framework and practicing accessible design. The most concerning finding from our survey is that 57% of respondents say they either don’t have a shared framework for design, have one but don’t follow it, or follow it inconsistently. This challenge is even more common in companies outside the software industry. Our data also revealed that many organizations with executive-backed commitments to accessibility lack essential practices for creating accessible experiences. Fewer than half conduct accessibility reviews of design concepts or make accessibility a formal requirement on projects. Documenting and consistently applying a shared design process and applying accessible design practices are critical elements of maturing a design function.

Most design teams now measure the impact of their work for at least some projects. Telling the story of design’s influence on business outcomes has been a perennial struggle for design teams, but our data shows significant signs of progress. Forty-eight percent of respondents said their design team measures the impact of design efforts on product, experience, or business outcomes for some projects/initiatives, while 41% do this for all projects/initiatives.

Get In Touch

Those are just a few of the many insights from our survey. Forrester clients who want a deeper dive into this data can read our full report, The State Of Design. Then, if you’d like to ask us questions or discuss how to progress design at your organization, you can set up a conversation with us. You can also follow or connect with us (Gina, AJ, and Senem) on LinkedIn.


Mastering The Tightrope: How Strategic Portfolio Management Transforms Tech Leadership

CIOs routinely face a frustrating dilemma that drives them to ask the question: Am I truly spending the company’s money as effectively as possible? On one hand, there is relentless demand for delivering the latest shiny thing faster than your competition, while on the other hand, you’re struggling to keep the ship afloat amid market volatility, regulatory changes, and internal organizational pressures. Another question that keeps many leaders awake at night is deceptively simple yet profoundly complex: How can organizations deliver strategic outcomes while maintaining an effective operating model? The answer lies in strategic portfolio management (SPM), a discipline that’s transforming how forward-thinking organizations approach their most critical decisions.

The Strategic Portfolio Management Revolution

Strategic portfolio management isn’t just another business buzzword; it’s a comprehensive approach that enables leaders to identify the optimal mix of investments to meet their goals without falling into the twin traps of risky speculation or inefficient overspending. Think of it as your organization’s GPS, helping you navigate the complex terrain of competing priorities and limited resources. The transformation from traditional portfolio management to strategic portfolio management represents a fundamental shift in how organizations think about value creation. Instead of managing disconnected projects in silos, SPM creates a unified framework for identifying, prioritizing, and delivering continuous value while keeping costs under control.

The Hidden Challenges Sabotaging Your Success

Before diving into solutions, it’s crucial to understand the four critical challenges that plague most organizations:

Organizational Silos That Create Planning Chaos. When different departments plan in isolation, the result is a fragmented approach that misses opportunities for collaboration and creates competition for priorities.

The Ownership Vacuum. Without clear accountability structures, initiatives drift without direction, timelines stretch indefinitely, costs can spiral out of control, and results remain mediocre at best.

Value-Definition Confusion. When teams can’t agree on what “value” means or how different initiatives relate to broader objectives, decision-making becomes arbitrary and political rather than strategic.

Poor Tooling Leading To Poor Decisions. Inadequate tools lead to inaccurate data, which inevitably results in flawed decision-making that can cost organizations millions in misdirected investments.

The Strategic Advantage Of Integration

The real power of strategic portfolio management emerges when it’s integrated with your broader strategic planning processes. By connecting SPM with strategic roadmaps, organizations gain unprecedented visibility into the total cost of demand across their portfolio. This integration enables leaders to optimize their hybrid project and IT operating models, ensuring that resources are allocated to the highest-value opportunities. Moreover, when done correctly, SPM provides the metrics that truly matter: measurements that demonstrate tangible value to stakeholders and guide future investment decisions.

Your Roadmap To Value-Driven Portfolio Excellence

Transforming your portfolio management approach requires a systematic methodology. Here’s the proven six-step framework that leading organizations use to build value-driven portfolios:

Step 1: Define Standard Value Definitions. Create an organizationwide consensus on how value is defined and measured across different types of initiatives. Call out politically motivated agendas if needed by spotlighting value as the driver of investment decisions.

Step 2: Assess The Current Portfolio And Identify Gaps. Conduct a comprehensive audit of your existing portfolio to understand current performance, identify redundancies, and realign the portfolio.

Step 3: Define The Portfolio Roadmap. Develop a strategic roadmap that aligns portfolio investments with long-term organizational objectives.

Step 4: Design A Metrics Program And Coach For Adoption. Implement measurement systems and provide training to ensure successful adoption across the organization.

Step 5: Set A Regular Cadence For Performance. When the CIO says to cut 10% from the budget, what do you do? Without regular communication and collaborative decision-making, roadblocks rise and block the flow of value. Establish routine performance reviews that maintain momentum and enable proactive adjustments.

Step 6: Institute Regular Review And Optimization Schedules. Create systematic processes for continuous improvement and portfolio optimization.

Your Next Move

The organizations that will thrive in tomorrow’s uncertain environment are those that master the art and science of strategic portfolio management today. The question isn’t whether you can afford to implement these practices; it’s whether you can afford not to do so. The tightrope that today’s tech executives walk doesn’t have to be a lonely, perilous journey. With the proper strategic portfolio management framework, that tightrope becomes a bridge to sustainable success, connecting where you are today with where you need to be tomorrow. The time for transformation is now. Your portfolio, and your organization’s future, depends on the choices you make today.

Learn More

If you want to learn more about SPM, check out our upcoming Technology & Innovation Summit North America, November 2–5 in Austin. I’ll be presenting a session called “Do More With Less Leveraging Strategic Portfolio Management” as part of the technology strategy and enterprise architecture track at the event, which will help shed more light on the benefits of SPM. Hope to see you in Austin!


Commercial Software Spend Will Reach $1.7 Trillion By 2029 And See Double Digit Growth

As the global economy braces for slower trade growth and geopolitical tensions, the software industry is defying economic headwinds with robust expansion. According to Forrester’s Global Commercial Software Forecast, 2025 To 2029, software infrastructure growth is set to achieve a strong compound annual growth rate (CAGR) of 13.3%, while application software growth will see a more subdued 9.5% CAGR. Key drivers, trends, and opportunities within the commercial software market include:

Security software is seeing the fastest growth in infrastructure software. Forrester’s research highlights investments in cloud security, identity and access management, and security operations. The market capitalization of Palo Alto Networks and Fortinet across 2023 and 2024 greatly exceeded their average revenues. As cyberthreats grow more complex, security spending remains a cornerstone of infrastructure investment.

There’s strong database demand driven by AI, data storage, and governance. Spending for off-the-shelf AI software will be four times greater in 2030 than in 2024, largely due to increasing demands around data governance. MongoDB’s revenues from its Atlas database more than doubled during the past two years, and there is strong growth for Snowflake due to its consumption-based pricing model. Databricks’ Lakehouse architecture and AI governance capabilities are transforming how businesses handle structured and unstructured data.

Tech operations management is seeing the fastest growth in application software. ServiceNow, Atlassian, and Datadog are redefining tech operations management with AI-powered tools. ServiceNow’s AI Agent Orchestrator harmonizes teams of AI agents, while Atlassian Intelligence helps users navigate organizational data more efficiently. In 2024, Datadog more than doubled the number of customers who spent more than $1 million in annual recurring revenues.

There are new AI-driven opportunities. OpenAI expects its revenues to triple in 2025 and to see an astounding 33% CAGR through 2029 to reach $125 billion in revenues, and Microsoft’s AI business reached a $13 billion annual run rate in 2024. This past January, ServiceNow launched an AI-enabled CRM offering that includes CRM agents, data, and workflows. HubSpot differentiated its CRM through the 2024 launch of Breeze Copilot and Breeze customer and content agents, along with AI features that provide campaign summaries, call sentiment analysis, engagement scoring, and analysis of buyer intent. Zendesk plans to automate 50% of customer engagements by 2027 through the use of autonomous agents.

Despite strong commercial software spending growth, the economic slowdown requires enterprises to tighten software spend controls through regular audits of software use, more consolidation of software functionality to reduce redundancy, more use of open source, and more negotiations with software vendors to reduce price hikes, notably to take advantage of the decline in value of the US dollar.

Forrester’s forecast shows commercial software spend will reach $1.7 trillion by 2029 and maintain double-digit growth. Have any thoughts? Contact me, Michael O’Grady. Forrester clients can schedule a Forrester guidance session for more insights and to explore the narratives within this forecast.


Navigating The Geopolitical Cloud: ASEAN’s Diverse Approach To Digital Sovereignty

The digital landscape in ASEAN is undergoing a profound transformation, driven by a potent cocktail of digital sovereignty imperatives and shifting global geopolitics. For years, conventional wisdom in enterprise cloud adoption revolved around multicloud: leveraging several providers for redundancy, cost optimization, and avoiding vendor lock-in, or merely by accident. What we’re now observing in Southeast Asia, however, is a more nuanced and strategically driven “diverse cloud” approach that directly addresses concerns around US foreign policy uncertainty and the imperative for localized data control. The result? A fascinating trend where local cloud providers, US hyperscalers (AWS, Azure, GCP), and Chinese powerhouses (Alibaba Cloud, Tencent Cloud, Huawei Cloud) are all finding a place in the regional digital ecosystem. This isn’t just about technical merit; it’s about strategic alignment and risk mitigation.

Chinese Cloud Leaders: Strategic “Go Global” Ambitions Starting With APAC

Perhaps one of the most telling indicators of this shift is the renewed vigor of Chinese cloud service providers in the APAC region. On one hand, the economic slowdown in the domestic market and the globalization needs of Chinese firms like PDD and BYD are driving them to accelerate their global operations. On the other hand, they are also rebalancing their regional investments to address ongoing geopolitical frictions. While Alibaba Cloud ceased operations in Australia and India in 2024, all Chinese cloud leaders, including Alibaba Cloud, Tencent Cloud, and Huawei Cloud, have renewed their strategic initiatives in APAC with ASEAN nations center stage. Their unique proposition, a hyperscaler with deep roots in a non-Western superpower, resonates strongly with ASEAN countries seeking alternatives and balance. Their investments in new data centers, partnerships with local telcos, and tailored industry solutions underscore this renewed commitment. They are positioning themselves not just as a technology provider but as a strategic partner in achieving digital autonomy.

Country-Specific Strategies: A Patchwork Of Pragmatism

While the overarching theme is diversification, the specific manifestations vary across ASEAN:

Indonesia is actively promoting local cloud providers while also engaging with foreign hyperscalers. Its focus is often on data residency and ensuring that critical citizen data remains within Indonesian borders. We’re seeing hybrid models proliferate, with sensitive data hosted locally while less critical workloads leverage global providers.

Vietnam’s “made in Vietnam 2025” initiative extends to digital infrastructure, with a push for domestic technology development, but this approach also sees the Vietnamese welcoming investment from major global players, fostering competition, and ensuring access to cutting-edge cloud services. The strategy often involves requiring foreign providers to partner with local entities or establish a significant local presence.

Malaysia is actively pursuing a “Cloud First Strategy” policy, with an emphasis on security and data governance. Keen to leverage the benefits of cloud computing while maintaining control over the country’s digital destiny, Malaysia prefers providers that can demonstrate strong security credentials and a willingness to comply with local regulations.

Even Singapore, a traditionally more open market, is emphasizing resilience and diversification in its digital infrastructure strategy. While a hub for many global hyperscalers, there’s an increased focus on ensuring redundancy and exploring options that might offer greater control in a fragmented geopolitical landscape.

Beyond Multicloud: The Geopolitical Imperative And The AI Factor

This “diverse cloud” approach is more than just an IT strategy; it’s a geopolitical imperative. ASEAN nations are acutely aware of their unique position in a contested global arena. By diversifying their cloud infrastructure across a range of providers (local, US, and Chinese), they are asserting their digital sovereignty, mitigating risks, and ensuring that their digital future remains firmly in their own hands. Crucially, we expect this strategic pattern to proliferate in different forms, particularly as the global race for AI supremacy heats up. Consider:

The UAE, with its ambitious “National AI Strategy,” is a prime example of a nation looking to build a robust, AI-native digital government. While partnering with US hyperscalers, the UAE is also heavily investing in sovereign cloud capabilities and fostering homegrown AI champions such as G42. This isn’t about shunning global players but rather maintaining sovereignty over the foundational AI infrastructure that will power the UAE’s future.

Similarly, the European Union, long a proponent of digital sovereignty through even ill-fated initiatives like Gaia-X, is increasingly recognizing that its ambitious AI Act and strategy require a strong, sovereign cloud foundation. With a significant portion of data still residing on non-EU clouds, there’s a concerted effort to foster European cloud providers and ensure that critical AI workloads and data remain within EU jurisdiction, subject to EU law. Beyond compliance, it’s about strategic autonomy in an AI-driven world, where control over data and infrastructure directly translates to economic competitiveness and national security.

For enterprises operating in these dynamic regions, understanding this nuanced approach is paramount. It’s no longer just about optimizing costs or achieving technical agility. It’s about building a cloud strategy that is resilient not only to technological failures but also to geopolitical tremors, especially as AI permeates every layer of the digital stack. The “diverse cloud” is here to stay, and it’s reshaping the digital landscape of Southeast Asia and beyond in profound ways.


Turn Marketing Planning From A Source Of Anxiety To A Source Of Clarity

Every year, as planning season rolls around, marketers brace themselves, not for the creative brainstorms or the strategic debates but for the budgeting grind. For many, marketing planning isn’t energizing; it’s anxiety-inducing. And it’s not hard to see why. Unlike planning in finance or operations, marketing planning isn’t something most professionals learn in school. There’s no textbook or course on how to build a marketing budget that aligns with business goals, supports cross-functional collaboration, and adapts to change. Instead, marketers often inherit last year’s plan (usually a spreadsheet and a lengthy slide deck), incorporate new targets, and hope for the best.

This kick-the-can approach is especially common in organizations where event sponsorships dominate the budget. Because event vendors push renewals while marketers are still onsite, teams get locked into next year’s spend before they’ve even reviewed this year’s performance. Add in product launches and other recurring activities, and the plan starts to look more like a calendar of obligations than a strategic roadmap.

Then comes the second wave of stress: the CFO’s deadline. Sales and marketing are both given a date to submit their budget proposals, often with little time and even less collaboration between them. The result? Parallel plans that may not align and a marketing budget that reflects prior commitments and half-done planning instead of a strategically aligned plan that’s coordinated with your vision and with the sales and product teams.

I remember my first exposure to marketing planning and the CFO’s budget deadline. I was working for a major computer manufacturer, and my boss pulled me in to prepare a response to the CFO’s call for budget. We looked at all events, partner activities, and product launches in the current year, reorganized it a bit to account for next year’s calendar, added 10% negotiation padding, and wrote up our proposal. We managed to get away with doing it this way, but it got me thinking that there must be a better way.

Planning Season Doesn’t Have To Be A Futile Fire Drill

The key to reducing anxiety isn’t just better tools; it starts with a better mindset. Planning should be a strategic exercise, not a reactive one. That means starting earlier and having a strategy, aligning cross-functionally both within marketing and with sales and product teams, and using frameworks that connect marketing investments to business outcomes. Three practices make a big difference:

1. Use The Marketing Plan On A Page

Forrester’s B2B marketing plan on a page (client-only access) is a simple but powerful tool for capturing business objectives and selecting marketing’s approach to address them. It prioritizes effort and guides the definition of specific performance goals. This sets the foundation for deciding what marketing is going to execute and how much to invest. (If you’re not yet a Forrester client, you can find a plan-on-a-page overview here.) This also avoids reliving last year’s event calendar. It provides the strategic footing upon which to anchor your campaigns, programs, shared services, and other initiatives. If you want to see how the plan on a page works in practice, Brett Kahnke and I will be walking through it in detail during a webinar later this month.

2. Use The Strategic Budget Allocation Model

The Strategic Budget Allocation Model takes a top-down approach to build marketing budgets aligned with business objectives and mapped to integrated campaigns. This model breaks the marketing budget into logical components (programs, personnel, and technology) and distinguishes between in-campaign and out-of-campaign investments. It’s designed to help marketers allocate budget based on strategic goals, not historical inertia. By organizing the budget around what marketing is trying to achieve (rather than who owns what pieces of the budget), the model enables clearer ROI measurement, better collaboration, and faster planning cycles. It’s not just a budgeting tool; it’s a way to make marketing more intentional and adaptable.

3. Establish A Quarterly Planning Council

Instead of treating planning as a once-a-year scramble, create a rhythm. A quarterly planning council, made up of marketing, sales, and product stakeholders, can review plans, assess alignment, and make adjustments based on performance and shifting priorities. A good planning council should include representatives from each major marketing subfunction, meet regularly with a clear agenda, and focus on strategic alignment rather than tactical updates. This council doesn’t just improve coordination; it builds trust. When marketing, sales, and product are aligned on goals and investments, it’s easier to justify budget, pivot when needed, and demonstrate impact.

Plan With Confidence

Marketing planning will always involve complexity. But it doesn’t have to involve chaos or induce anxiety. By adopting a strategic planning model and building a regular cadence for collaboration, marketers can turn planning season from a source of anxiety into a source of clarity. If planning season has you feeling overwhelmed, now’s the time to rethink your approach. Start with strategy, build alignment, and make planning a source of confidence. Stop kicking the can down the road, and start building plans that move the business forward.

Learn more about and register for our complimentary webinar, Retool Your B2B Marketing Budgeting For 2026 Success, on Wednesday, August 27. If you are a Forrester client, please feel free to reach out to schedule a guidance session and discuss how to apply these best practices in your organization.


Smarter Government Starts With Better Data Governance

Governments increasingly recognize that connected intelligence is the key to unlocking more responsive, efficient, and impactful public services. By integrating data across platforms and organizations, they can 1) build a holistic view of individuals, enabling capabilities such as customer 360 to personalize services, anticipate needs, and reduce friction regardless of the digital touchpoint or organization they are interacting with, and 2) power up AI initiatives to help drive productivity and delivery on mission goals. But the use cases are countless: delivering smarter answers to keep pilots and crews out of harm’s way, coordinating emergency response across jurisdictions, optimizing aircraft carrier movements, or even streamlining everyday services like mattress pickups and permit requests. These diverse use cases share a common foundation: mature data management and governance.

Forrester’s Connected Intelligence Framework helps organizations activate this potential by aligning partners, practices, and platforms across eight essential activities, from sourcing and preparing data to deploying and evaluating AI systems. With embedded data governance, the framework also reduces the risk of fragmentation and inefficiency, ensuring that every insight is trustworthy and actionable.

Why It’s Harder For Government Leaders

Governments face a unique set of data governance challenges that stem from strict regulatory requirements, complex mission structures, constrained budgets, and the need to balance security with innovation. Addressing these issues is essential not only for compliance but also for enabling scalable, trustworthy AI systems. Some of the most pressing data governance hurdles that organizations face include:

Secure data access through privacy and compliance. Federal organizations handle sensitive data across clearance levels and mission-critical platforms. Without proper classification, the risk of leaks and noncompliance rises. Role-based or attribute-based access controls, data obfuscation, and consent management enable secure, compliant sharing across stakeholders.

Break down silos with integration and interoperability. Legacy systems and fragmented teams slow data flow across organizations, hindering AI adoption and decision-making. Organizations should prioritize open standards and integration frameworks to enable seamless data exchange.

Meet regulatory requirements with compliant cloud storage. Federal organizations must store data within US borders on FedRAMP-authorized platforms. Scaling AI while meeting these mandates is challenging, but government-specific cloud offerings from AWS, Azure, and other services help balance compliance and performance.

Boost data usability with metadata and context. Without clear metadata, data is hard to interpret, trust, or reuse, limiting AI effectiveness. Investing in catalogs, glossaries, and stewardship builds shared understanding and improves data literacy.

Modernize governance for agility and scale. Centralized or siloed governance models limit innovation and cross-domain collaboration. A federated model with a data product mindset empowers teams while maintaining oversight, enabling both flexibility and control.

A Smarter Path Forward

To address these challenges, federal organizations should start by aligning their governance efforts with top objectives. As maturity increases, data governance is embedded into daily workflows and the cost-benefit pyramid inverts, shifting from high setup costs to scalable, sustained value. We recommend building four foundational governance pillars:

Policies and procedures, to ensure compliance and operationalize governance. Government organizations must navigate complex regulatory landscapes while managing sensitive data across missions. Clear policies and procedures, such as role-based access controls, data classification standards, and audit protocols, help operationalize governance and ensure compliance with mandates like FISMA and FedRAMP. For example, the Department of Veterans Affairs uses automated policy enforcement to manage health data access across care teams and contractors. Start by mapping regulatory requirements to data policies, defining a RACI matrix to assign responsibilities, and automating policy enforcement through workflows and audits.

Catalogs and lineages, to enhance discovery, transparency, and trust. Government groups often struggle to locate and understand their data assets across siloed systems. Implementing robust data catalogs and lineage tracking enables teams to discover, trace, and trust data sources, which is critical for initiatives like predictive analytics in public health or fraud detection in benefits programs. The CDC, for instance, uses metadata catalogs to unify disease surveillance data across states and labs. Implement a catalog or augment an existing one to build a semantic layer, ensure lineage captures end-to-end data flow, and automate root cause analysis using lineage and semantics.

Privacy and security, to enable safe data democratization. Balancing data access with privacy and security is essential for democratizing insights across organizations. Techniques like data masking, encryption, and differential privacy allow broader use of sensitive data without compromising safety. The DoD applies attribute-based access controls to share mission-critical intelligence across branches while protecting classified information. Governments can invest in attribute-based access controls and data obfuscation mechanisms to safeguard sensitive data and conduct privacy impact assessments to evaluate the risk.

Collaboration and sharing, to accelerate innovation and cross-agency insights. Connected intelligence thrives on collaboration. Organizations must break down silos to share data across jurisdictions, enabling smarter decisions, from coordinating wildfire response to streamlining permit approvals. FEMA’s integrated data-sharing platform, for example, allows local, state, and federal responders to access real-time disaster data for faster, more coordinated action. Facilitate this using inter-agency data-sharing agreements, federated governance models, and shared platforms with real-time access and audit capabilities.

Forrester’s Connected Intelligence Framework offers a roadmap to help government leaders unify data and AI efforts. Forrester clients that want to explore how their organization can modernize its data governance and accelerate AI readiness can connect with our analysts or access our latest research. If you’re planning to attend our upcoming Technology & Innovation Summit North America in November, be sure to check out my session entitled “Governance By Design Fuels Trusted AI.”
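The “privacy and security” pillar above names three mechanisms in one breath: attribute-based access control, data obfuscation, and an audit trail. The following is an added example, not Forrester’s or any agency’s code, showing how they fit together in a single read path. A request is denied by default unless the subject’s clearance covers the record’s classification and the subject’s agency either owns the record or is covered by a sharing agreement; direct identifiers are masked unless the subject holds a handler role; and every attempt, allowed or not, lands in the audit log with the rule that decided it. The agency names, clearance labels, record fields, and the sharing rule are all constructed for illustration.

```python
"""Attribute-based access control (ABAC) with field-level masking and an audit trail.

Added example; not Forrester's or any agency's code. Agency names, clearance
levels, record fields and the sharing rule are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Ordered classification levels; a subject may read at or below their clearance.
LEVELS = {"public": 0, "sensitive": 1, "secret": 2}

# Direct identifiers; shown in full only to subjects holding the "pii-handler" role.
PII_FIELDS = frozenset({"ssn", "dob"})


@dataclass(frozen=True)
class Subject:
    user: str
    agency: str
    clearance: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Record:
    record_id: str
    owner_agency: str
    classification: str
    shared_with: FrozenSet[str]  # agencies covered by a data-sharing agreement
    data: Dict[str, str]


def decide(subject: Subject, record: Record) -> Tuple[bool, str]:
    """Deny by default; each rule names the attribute that decided the outcome."""
    if record.classification not in LEVELS or subject.clearance not in LEVELS:
        return False, "unknown classification or clearance label"
    if LEVELS[subject.clearance] < LEVELS[record.classification]:
        return False, "clearance below record classification"
    if subject.agency != record.owner_agency and subject.agency not in record.shared_with:
        return False, "no sharing agreement between owner agency and requester"
    return True, "clearance and agency attributes satisfied"


def mask(value: str) -> str:
    """Obfuscate all but the last four characters so records stay correlatable."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def read(subject: Subject, record: Record, audit: List[dict]) -> Optional[Dict[str, str]]:
    """Enforce the decision, mask identifiers for non-handlers, log every attempt."""
    allowed, reason = decide(subject, record)
    audit.append({"user": subject.user, "record": record.record_id,
                  "allowed": allowed, "reason": reason})
    if not allowed:
        return None
    if "pii-handler" in subject.roles:
        return dict(record.data)
    return {k: mask(v) if k in PII_FIELDS else v for k, v in record.data.items()}


# Constructed sample: one health record owned by one agency and shared with a second.
SAMPLE_RECORD = Record(
    record_id="R-001", owner_agency="agency-a", classification="sensitive",
    shared_with=frozenset({"agency-b"}),
    data={"name": "J. Doe", "ssn": "123-45-6789", "dob": "1970-01-01", "cohort": "flu-2024"},
)
SUBJECTS = {
    "care_team": Subject("nurse01", "agency-a", "sensitive", frozenset({"clinician", "pii-handler"})),
    "partner_analyst": Subject("an02", "agency-b", "sensitive", frozenset({"analyst"})),
    "contractor": Subject("ctr03", "agency-c", "secret", frozenset({"analyst"})),
    "intern": Subject("int04", "agency-a", "public", frozenset({"analyst"})),
}


def run_sample() -> Tuple[Dict[str, Optional[Dict[str, str]]], List[dict]]:
    """Evaluate every sample subject against the sample record; return views and audit log."""
    audit: List[dict] = []
    views = {name: read(s, SAMPLE_RECORD, audit) for name, s in SUBJECTS.items()}
    return views, audit


if __name__ == "__main__":
    views, audit = run_sample()
    for name, view in views.items():
        print(f"{name:16s} -> {view}")
    for entry in audit:
        print(entry)
```

Two design points worth noting. The contractor is denied despite holding a higher clearance than the record needs, because ABAC composes attributes rather than ranking them: clearance alone never grants access across an agency boundary. And the partner analyst sees the cohort field unmasked but the identifiers obfuscated, which is the “data obfuscation” the pillar describes: the same record is served at different fidelity depending on who asks, with the reason recorded for the auditor.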


AI As Tool Creator: The Next Frontier In Knowledge Work

As I move into my second six months of using AI daily, I’m convinced that its most overlooked role isn’t writing content (or even code) but creating tools. We all know how generative AI has shaken up software development, writing code at scale and collapsing cycle times. And, further: AI lets individuals — not just well-funded teams — build analytical and decision-support tools that were once the province of specialized analysts or expensive consultancies. A few years ago, if you wanted a system dynamics model tied to real organizational data, you hired a quant team or signed a six-figure contract. Today, with an AI assistant and some Python scaffolding, you can have a prototype running by Monday. Open-source ecosystems such as PySD, Neo4j, and Jupyter have matured, and Model Context Protocol (MCP) is ready for at least local, sandboxed POC use. What used to take a team of PhDs is now practical for a single motivated professional.

From Idea To Prototype In Hours

Confession: I’m an intellectual dilettante. Over the years, I’ve brushed against a lot of analytical traditions: system dynamics for nonlinear, feedback-driven systems, Monte Carlo for uncertainty modeling, factor and cluster analysis in statistical research. That last one is worth mentioning, as factor analysis was key to how DevOps was validated. Dr. Nicole Forsgren and her colleagues used it to cut through noise and identify what really drove software delivery performance. I’ve admired that rigor for years without being in a position to apply it myself — until now. What once required deep specialization is now something I can attempt, the next time I have possession of some raw survey data. My broad awareness, once a liability, feels like an advantage because AI fills the execution gap.

For years, I’ve suspected that technical debt (and other IT management dynamics) could be modeled with stock-and-flow approaches. At one point years back I even bought the systems dynamics tool iThink (a variant of Stella). Its thousand pages of documentation now sit accusingly on my subwoofer. This week, I asked Claude about that idea. A couple of hours later, we had a rough model expressing my hypothesis. It wasn’t a shortcut; it didn’t eliminate thinking. It did collapse the timeline from “idea in my head” to “working prototype” from weeks (including wrestling with learning new tools) to hours focused on iterating the core problem.

Another recent example: I had to analyze Enterprise Architecture Awards submissions. I don’t trust AI summarization across long docs. No matter how I prompt it, the results never match the choices I would make, and there are always thoroughness issues. So instead of asking AI to draft a blog, I gave it a different job: Write Python to parse the responses, highlight those aligned with my themes, and propose which examples might merit further analysis. I had much greater confidence about the thoroughness. It felt like working with my own postdoc, one who never gets tired. This is what excites me. AI isn’t just a writer — it’s a toolsmith.

Beyond Prompt Obsession

Most AI conversations today orbit around prompting: context engineering, prompt engineering, call it what you like. It matters. But prompts without pipelines produce shallow wins. The bigger opportunity is in workflows. AI can read PDFs, pull data from spreadsheets, or spin up a Jupyter notebook that benchmarks scenarios. Even something as simple as asking Claude to generate Python that creates a spreadsheet with complex formulae feels like discovering a new superpower. I asked AI (as one does) for a list of techniques that might be newly accessible to interested professionals. It gave me this:

- Optimization Techniques – Linear programming, mixed-integer programming, constraint programming, multi-objective optimization.
- Queuing Theory and Network Models – Service capacity planning, congestion analysis, interconnected queue networks.
- Markov Chains and Stochastic Processes – Reliability modeling, transition prediction, hidden Markov models.
- Simulation Frameworks – Discrete event simulation, agent-based modeling, hybrid simulations.
- Graph and Network Analytics – Bottleneck analysis, community detection, influence metrics.
- Game Theory and Decision Analysis – Competitive dynamics, equilibrium modeling, probabilistic decision trees.
- Statistical Forecasting & Time Series Models – State space models, vector autoregression, survival analysis.
- Reliability and Risk Modeling – Fault tree analysis, reliability block diagrams, Bayesian networks.
- Multi-Criteria Decision Analysis (MCDA) – Analytic hierarchy process, multi-criteria ranking methods.
- Simulation–Optimization Hybrids – Combining modeling and optimization for complex systems.

I’ve been building a personal knowledge graph. Commercial AI services like ChatGPT will never build a massive graph of “all the things.” That’s not economical for them — and honestly, you wouldn’t want them to. Always remember an LLM’s “deep research” is nothing more than a speedy Googlized lit review, competently synthesized and enhanced with whatever the LLM “knows” from sources it read — perhaps with dubious legality, and those kinds of IP holes are being rapidly shut down. As content creators respond to the accelerating, AI-driven destruction of the Internet business model, I’ll predict that LLMs tomorrow will have less and less truly current information embedded in their training. And of course the LLM in any case is an imperfect parrot (hence GraphRAG). You, on the other hand, can start building your own graph, and you can include information that will never exist on the open internet, giving you a differentiated point of view.

I downloaded Neo4j Community Edition and started small. Now my proof of concept has 15,000 nodes and 50,000 edges. When I feed unstructured text to Claude, it performs entity recognition and suggests what belongs in the graph. I review, curate, and refine iteratively with Claude, who does the final data entry. We’re working on proper graph data science approaches – embeddings (which turned out not to be that useful in my case), interest, relationship strength, affinity analysis. The first analytic reports across the full graph were eye opening. Yes, there’s an occasionally maddening learning curve. But once the graph exists, every new insight compounds in value. It feels like building a second brain.

Of course, these new capabilities bring responsibilities. If you’re using a model to influence


Human Risk Management: From Talk To Action In 18 Months

Recognizing that legacy security awareness & training (SA&T) solutions weren’t effectively changing behavior or instilling a security culture, Forrester announced its vision for human risk management (HRM) in 2022 as a new approach to overcome SA&T’s shortcomings. We changed the market name in 2024, formally defining HRM, and evaluated vendor solutions for HRM, encouraging organizations to leave SA&T behind and adopt a new way of doing things. It caught on. Eighteen months after publishing that vision blog, HRM has blossomed into a distinct, expanding market, attracting the interest and budget of many organizations. This blog unpacks the evolution of HRM in the 18 months since that bold, yet necessary, move.

A Primer: What Is HRM Again?

In a nutshell, HRM is a profound change of mindset, strategy, process, and technology that approaches human-related breaches in a new way. HRM quantifies human risk based on a set of inputs about a person: identity data, security behaviors and events, digital footprint and exposure, and security awareness. Understanding an individual’s risk context allows you to manage risk by providing personalized guidance at the right time, updating policies, or issuing workflows to security and other teams.

HRM Has Moved From Concept To Reality

The thought leadership calling for a disruption to SA&T, combined with shiny new HRM solutions and programs that look and feel nothing like the SA&T of the past, has driven HRM from the sole domain of innovative organizations, and it is fast approaching adoption by the early majority. At Forrester, we have experienced a seismic shift not only in the volume but also in the types of HRM requests for guidance from our clients, as per the table below. While the market is still in the domain of early adopters, this phase won’t last for long. I expect the majority of organizations to adopt HRM by late 2026.

How Are Vendors Approaching This Transition?

In the early days, it felt like Forrester received daily briefings from new startups that were approaching the SA&T market in line with Forrester’s vision of the future of SA&T. Many of these vendors raised funding in 2022 and 2023. Our first evaluation of the space, The Forrester Wave™: Human Risk Management Solutions, Q3 2024, uncovered legacy vendors with varied approaches to this disruption. They resisted the change due to their broad misunderstanding of HRM’s true definition or were clinging to the familiar and easy-to-sell status quo of SA&T. In 2025, however, resistance is fading, disruption and innovation have happened, and HRM capabilities are now on most vendors’ roadmaps, with vendors focusing on executing their product roadmaps and enabling HRM adoption. The last 18 months have seen a more stable and pragmatic market that features the following dynamics:

- Funding activity waned in 2024, with very few vendors raising new funding and one new vendor, Fable Security, launching in July 2025.
- Vendors expanded capabilities to combine HRM with other solutions through M&A. For example, legacy secure email gateway vendors acquired HRM startups, and legacy SA&T vendors acquired cloud-native, API-enabled email security vendors.
- Legacy SA&T vendors continue to define HRM to suit their strengths and roadmaps, resulting in murky messaging to would-be customers.
- HRM now appears in most SA&T vendors’ branding, and most of them possess true HRM capabilities but focus sales efforts on legacy SA&T capabilities.
- Many vendors are working on training and enabling their sales and customer teams to drive adoption.
- CybSafe recently announced the version 4.0 release of SebDB (security behavior database), its open-source research initiative that now maps security behaviors to risk outcomes, threat actor tactics, intervention strategies, and security frameworks such as MITRE ATT&CK and NIST’s Cybersecurity Framework.

Where Is AI In All Of This?

While AI has the potential to dramatically change the way organizations manage risk caused by (and directed at) humans, and while all vendors are “AI-enabled” in one shape or form, not all AI use cases are created equal. We’ve observed the following about how HRM vendors (especially HRM tools) are using AI:

- Many vendors’ AI use cases focus on creating more and better content. More, however, is not always better. The most important and disruptive — yet underutilized — use case for AI in HRM is to enable capabilities such as measuring behavior and risk and creating interventions that adapt to meet users where they are.
- Many generative AI implementations cater to chatbot features, which seem more like novelties than valuable tools for customers.
- Some vendors such as Living Security, CultureAI, and Proofpoint are providing real-time visibility into how humans interact with genAI tools.
- To date, however, Forrester clients are still not asking many meaningful questions about the use of AI in HRM tools.

It’s Time To Move From Talk To Adoption

HRM is no longer a buzzword. The market and the hype have stabilized. Debates about whether HRM is just rebranded SA&T or a necessary step forward have faded. Now, all this talk has been replaced with the desperate need for practical action. To help you on your way to action, I’ll be presenting a session at the upcoming Security & Risk Summit in Austin in November, entitled “Shift From Talk To Action: Chart Your Human Risk Management Roadmap.” In the session, I will share guidance on how to build an HRM roadmap, the technologies needed, building a business case for and resourcing these programs, and demonstrating true value beyond training completion. This session is part of the broader strategy and leadership track at the event; to learn more, check out the agenda.


The Real Future Of Proactive Security Isn’t Finding Exposures

When I joined Forrester in 2022 to cover vulnerability management, I was fortunate to have a front-row seat to the multiple changes happening in this market. These changes included:

- Large SecOps and technology companies such as CrowdStrike and Microsoft entering the vulnerability management market to compete with incumbents like Qualys, Rapid7, and Tenable.
- Vulnerability risk management solutions incorporating external attack surface discovery and attack path mapping to enhance vulnerability risk scores.
- Attack surface management solutions emerging to provide more comprehensive visibility to round out vulnerability management strategies.
- Adoption of continuous security testing solutions, such as breach and attack simulation and penetration testing as a service, remaining tepid and trending toward more mature enterprises, with siloed results not tying directly back into the vulnerability management program.
- The introduction of the exposure management category in late 2022 with Tenable’s announcement of exposure management.

As I tried to make sense of these shifts, I saw that the future for these markets was ripe with opportunity. But instead of trying to jam all these changes into some new category, I found more utility in breaking them up into their specific applications and use cases. These use cases became core to what I now call modern proactive security programs. Proactive security can be boiled down to three principles: visibility, prioritization, and remediation. These were the three principles 10 and 20 years ago as well as the principles of today, and they will always be the principles of future programs. So while other analyst firms watching these changes preferred to tie them to new categories, acronyms, and hype cycles (such as continuous threat exposure management, or CTEM), I thought it was much more helpful to address what is happening in the market and how these proactive principles of visibility, prioritization, and remediation can be applied to specific use cases. And although CTEM, proactive security, and continuous security testing were everywhere at Black Hat last week, some newly created category could dominate the show floor next year.

The Quiet Crisis In Remediation

Only one of these three principles ruled the Black Hat show floor last week: prioritization, with dozens of vendors highlighting continuous security testing and exposure management and unicorns such as Wiz announcing their exposure management solution. While solutions like these are helpful for organizations looking to fine-tune their prioritization strategy, the terms “AI-infused,” “continuous,” “autonomous,” and “automation” have a massive, hushed implication: the potential for prioritization to further bog down the neglected proactive principle of remediation. If we’re going to leverage AI to mature prioritization strategies in exposure management and continuous security testing, then it’s also necessary to leverage AI to help us remediate so that we can actually address these prioritizations. We also need to prepare for more widespread attack surfaces due to AI and the lower barrier to entry it creates. If we’re ever going to truly be proactive, we must get faster at remediation. Agentic AI presents opportunities here but is not a silver bullet. We’re still several months, or years, away from full-blown remediation automation, but AI does present some opportunities to help augment the remediation response process by identifying optimal remediations that accumulate through exorbitant vulnerability findings, recommending more tactical response actions, and identifying appropriate remediation owners.

Proactive Security Will Live On

Visibility, prioritization, and remediation will always be the foundation of your proactive program, but orgs still struggle to optimize all three principles in an integrated fashion. Now is the time to prepare your security teams for the future of proactive security by:

- Future-proofing budgeting cycles by renaming your vulnerability management budget to proactive security. Proactive security is not just your vulnerability management budget. It encompasses attack surface management, cloud-native application protection platform, and all the offensive security testing you do throughout the year. Rename your budget to align future products and services with what is needed for your visibility, prioritization, and remediation.
- Planning for AI to finally make a difference in the most neglected principle: remediation. Security teams are good at finding problems. We’re better than we give ourselves credit for. And our prioritization strategies are much better today than they were three years ago. We’re not just using the Common Vulnerability Scoring System anymore; we’re finding better ways to use vectors, threat intelligence, attack paths, and validation through testing. All of these improved prioritizations make no difference if we don’t fix the identified and validated exposures. This is why remediation was a core focus of our recently published Forrester Wave™ on unified vulnerability management.

Learn More At Security & Risk Summit

Want to learn more? I’ll be unpacking a lot more about proactive security during my keynote, “Proactive Security From Fantasy To Framework,” at Forrester’s upcoming Security & Risk Summit in November in Austin. We’ll dissect proactive myths vs. realities and dive deeper into the next frontier of proactive security: proactive response. Check out the full agenda, and hope to see you in Austin!


Early Adopters Share AI-Centric Service Desk Results

The promise of AI-centric service desks has moved from theoretical blueprint to operational reality. After extensive research with early adopters across multiple industries, the results reveal a complex landscape where gains are marred by implementation challenges that many organizations didn’t anticipate. While the AI revolution may promise immediate and dramatic results, early adopters paint a more cautious picture of slower progress with measurable and achievable productivity gains, but a need to further demonstrate value to executives.

Early Outcomes Emerge From AI Adoption

The most successful AI-centric service desk implementations demonstrate clear productivity improvements, though not always where organizations expected them. One global technology company reported:

… over 50% gains in productivity for chat summarization, as an example … 75–80% of the volume primarily based on chats … about 30,000 chats every month.

Their virtual agent now resolves 65% of initial customer contacts without human intervention, fundamentally changing their staffing requirements. Consistency is achieved while also dramatically improving the productivity of agents.

A financial services organization took a calculated risk by reducing its frontline team from 30 to 12 agents while maintaining service levels through AI-powered automation. Users never noticed the reduction in human staff. Still, this success required substantial upfront investment in knowledge base development and months of fine-tuning before the AI could handle the volume effectively:

The staff went down to 12 from 30. We took a big risk in the beginning, but we felt it was a calculated risk, and we could augment that drop with the bot.

Perhaps most impressively, one retail organization automated one-third of its 57,000 annual service requests, eliminating human intervention for 20,000 routine tasks while maintaining proper approval workflows:

We averaged 57,000 requests last year for service … one-third of all those requests that came through were automated.

These organizations prove that AI service desk implementations can deliver on their promises, but success requires strategic planning and realistic timelines.

Knowledge Quality Determines AI Success

The foundation of every successful AI implementation proved to be robust, user-friendly knowledge bases. Organizations discovered that AI effectiveness directly correlates with the quality and volume of available knowledge articles, a requirement that caught many off guard since existing knowledge bases were often written for internal IT staff, not end users. One IT leader who successfully implemented AI chat capabilities highlighted knowledge as a key to their success:

We had our internal knowledge base for IT, but it was never really exposed to users. This was the first time we actually had to make it user-friendly.

Their organization set monthly targets for knowledge article creation, focusing specifically on the highest-volume ticket categories to maximize AI effectiveness. The barrier isn’t technological; it is content creation. Organizations find themselves in a race to generate sufficient knowledge base articles before their AI implementations can show a meaningful impact. Those who invested heavily in this foundation work saw early, faster returns; those who treated it as an afterthought struggled with AI effectiveness for months.

New Skill Development Is A Necessity

Contrary to predictions of dramatic staff reductions, successful AI implementations led to workforce reallocation rather than elimination. Organizations found their staff handling more complex issues while AI managed routine inquiries, elevating the role of service desk professionals and requiring higher technical proficiency across all levels. One infrastructure leader noted:

Our support staff had to learn automation skills — not how to use something automated but how to build automation into their everyday work.

Skill development is an unexpected but necessary investment, requiring organizations to either train existing staff or hire new talent with development capabilities. The most successful organizations treated AI implementation as a career development opportunity. Staff who previously handled routine password resets now focus on root-cause analysis, process improvement, and advanced troubleshooting. This evolution requires significant investment in training and development, but organizations report higher job satisfaction and retention rates.

Looking Forward

Early adopters offer clear guidance for organizations planning AI service desk implementations: invest heavily in knowledge base development before deploying AI capabilities, prepare for significant staff development requirements, and expect evolutionary rather than revolutionary change. The most successful implementations showed steady improvement over 6–12 months rather than immediate transformation. The AI-centric service desk blueprint is sound, but successful execution requires patience, investment, and realistic expectations. Early adopters have proven the concept while providing the roadmap for sustainable implementation at scale. As these technologies mature and more organizations share their experiences, we can expect implementation best practices to evolve and success rates to improve. What challenges has your organization faced in AI service desk implementation, and what unexpected benefits have you discovered along the way? Read the report: The Forrester Guide To The AI-Centric Service Desk.

Let’s Connect

Have questions? That’s fantastic — let’s connect and continue the conversation! Please reach out to me through social media or request a guidance session. Follow my blogs and research at Forrester.com.
