Forrester

AWS Makes Agentic Push At AWS Summit New York City 2025

AWS Summit New York City is a smaller cousin to the re:Invent mega-conference scheduled for the late fall in Las Vegas, so most big announcements tend to wait until that event, but agentic AI won’t wait, despite its relatively modest take-up to date. AWS’s key announcement was Bedrock AgentCore, intended to redress a perceived market imbalance between AWS and its primary competitors in the agentic AI space. In classic AWS fashion, it is pursuing a developer-friendly, partner-dependent vision for agentic AI leveraging key global systems integrator (GSI) partners.

AWS has also announced the ability to customize Amazon Nova foundation models with SageMaker AI across stages of model training. AWS furthermore announced a number of promotional offerings, including the AWS AI League for upskilling and credits for its Free Tier program for users of its AI solutions.

Leading GSI partners were heavily involved in AWS’s analyst program. While AWS presented its own use of agentic capabilities in its own business, one of the key messages from the event — not just from AWS but from its GSI partners — is that agentic is not for everyone (or everything). Yet to not pursue it, despite its incomplete and imperfect nature, leads to risks of falling behind.

Additional announcements of interest:

Amazon S3 Vectors, a new cloud-based object store providing native support for storing and querying vectors, a significant offering for the generative AI era.
New capabilities for Amazon SageMaker, including Amazon QuickSight integration for dashboard creation, governance, and sharing.
New capabilities for Amazon S3 unstructured data integration, intended for cataloging documents and media files, and automatic data onboarding for Lakehouse. The goal: eliminating data silos by unifying structured and unstructured data management, visualization, and governance.
Acceleration of safe software releases with new built-in blue/green deployments in Amazon ECS.
Amazon EKS support for very large AI/ML workloads, with support for 100,000 nodes per cluster.

These offerings may appear to be incremental at a moment when one blockbuster genAI announcement about model advances is quickly followed by another. But for AWS customers, they are key elements in enabling adoption and rollout of genAI workloads, leveraging their data gravity within AWS and services already in place to create new genAI options. For additional public cloud insights, read Forrester’s report, Buyer’s Guide: Public Cloud Platforms, 2025.

Optimize Your Provider Ecosystem For Maximum Business Value

The struggle to balance single- and multisourcing decisions is pervasive. Because service engagement decisions are fragmented across the organization and made at the portfolio level — not the enterprise level — companies are constantly at odds. IT is often focused on consolidation while business functions establish new relationships. This creates a strategic disconnect. We need a new management model that can unify these efforts and optimize our provider ecosystem for maximum business value rather than just chasing a single-vendor ideal.

The current wind is blowing in the direction of consolidation, but consolidation is a means, not an end. Many organizations are being driven toward consolidation, yet many enterprises approach it as a reactive, cost-cutting measure. The true challenge isn’t just reducing the number of partners but rather establishing a strategic framework that informs these decisions. In one case, a Forrester client has consolidated more than a dozen active global systems integrator (GSI) engagements into a single uber-relationship with a single service provider. While this simplified their portfolio, it also led to a significant pitfall: They were pressured into an engagement that was logical on paper but not the best fit in context. This “single uber-relationship” is unusual. GSIs are pursuing consolidation opportunities as a discrete category of service, but a single partner left standing is a risky goal. We discuss the dynamics of this shift in the recent report, Stop Struggling With Single Vs. Multiple Service Provider Decisions.

The Expanding AI Ecosystem Requires A New Approach To Service Integration

A big change is coming. While the goal may be to consolidate, the reality is that a multiprovider ecosystem is here to stay. Multiple players are part of the expanding AI ecosystem, including global system integrators, hyperscalers, resellers, and telcos but also nontraditional players such as model builders and chipmakers. The challenges are integration and coordination. The best outcome is a more streamlined, effective, and strategically aligned partner ecosystem, not consolidation as an end in itself; some of these players may play a highly critical role in solutioning, but perhaps only for limited periods of time. The introduction of new types of entities like model builders also raises the question of familiarity: How will they behave as commercial partners?

This brings us to a discussion about service integration and management, traditionally referred to as SIAM. SIAM has been used primarily as a means to knit different service “towers” together using mechanisms such as the operating level agreement from ITIL. Numerous suppliers, including Accenture, Capgemini, Deloitte, HCLTech, Kyndryl, and Scopism, are working on reinvigorating SIAM to fit the emerging requirements: Instead of getting mired in the operational “incident, problem, change” loop, they’re using SIAM as a way to pursue business advantage by informing service provider engagement decisions. It will not be easy to make this shift on an industrywide basis, but forward-thinking enterprises can use it as a means to enforce simplification in enterprise portfolios and support business priorities through optimal partner selection.

SIAM is sometimes derided by ITIL skeptics, who are prepared to throw out the SIAM baby with the ITIL bathwater. They have a point given SIAM’s mixed record as a commercial proposition. But the new agentic AI ecosystem will require a new approach to service integration, as well as making explicit preconditions and qualifications for participation. The advent of agentic AI is also likely to accelerate the shift from horizontal to more vertical outsourcing models, in which case multiple GSIs are likely to coexist as suppliers of agentic solutions (this is less so for horizontal services such as applications management).

If you are a Forrester client, set up a guidance session with me to help your organization address this shift.

Meet Your CRM Marketing Services Match

CRM marketing services may be a mouthful, but this market encompasses a broad range of capabilities: combining data, customer insights, and technology to infuse first-party data across the customer lifecycle. As brands strive to deliver data-driven campaigns and personalized experiences, B2C CRM marketing services have responded in kind, expanding from direct mail and email marketing to digital experience, loyalty, commerce, and paid media services. As you’d expect from a market this broad, not all service providers are alike. My new report, The Customer Relationship Management Marketing Services Landscape, Q3 2025, looks at key players in this space, whether agencies, consultancies, or systems integrators. As companies continue to prioritize direct relationships and strategies built on first-party data, these service providers can help with key strategic and execution decisions.

Marketers can use these service providers to:

Infuse first-party data across the customer lifecycle to drive business outcomes. In addition to acquisition and retention marketing, CRM marketing services also strive to fuel e-commerce and other digital experiences to win and retain customers.
Connect data to activation by aligning data and tech to customer journeys. CRM marketing services help close the gap between data and execution by providing analytical expertise to identify meaningful trends and insights, as well as technical expertise to break down channel silos and integration hurdles.
Right-size messaging to meet customer needs. By integrating data and tech across a brand’s communications portfolio, CRM marketing service providers can work with brands on communicating more effectively.

Before launching into CRM marketing services, B2C marketers must first align on a definition of CRM. Don’t think about it as a single channel or technology; rather, think about the role it plays in orchestrating marketing campaigns and shaping customer interactions to impact the broader customer experience. From there, read the report to pick a service provider that aligns with your needs and your priority areas of expansion, whether that’s paid media, loyalty, tech implementations, or something else. For an even deeper dive, set up a guidance session with me to learn more about the market and the service provider landscape.

Beyond the Hype: Why Big-Tech Economic Impact Studies Fall Short

Big tech economic impact headlines are engineered for attention. Apple recently announced a staggering US$600 billion investment in US manufacturing over four years — complete with fanfare around domestic chip and glass production. But dig deeper, and you’ll find most of the activity was already planned, funded, or happening. It’s more repositioning than reinvention, as Business Insider and others have pointed out.

Closer to home, we see the same playbook from hyperscalers across APAC when it comes to major infrastructure plays. AWS, Google, and Microsoft frequently announce local region investments tied to promises of billions in GDP uplift, job creation, and workforce development. These are strategic moves, yes. They’re also branding exercises. The recent announcements as part of AWS’s new data center region launch in New Zealand are another example: NZ$7.5 billion in investment, NZ$10.8 billion in GDP impact, 50,000 people trained, 1,000 jobs created. As I noted in a recent article by iStart, “these headline GDP claims often become rallying cries for market share rather than anything designed to prove the delivery of real or measurable outcomes.” Don’t misquote me — it’s not just Apple or AWS; name a vendor, and I’ll find you an example. Microsoft’s US$2 billion-plus pledge in Malaysia, Google’s US$1 billion investment in Japan, and Oracle’s planned US$14 billion cloud push in Saudi Arabia all follow the same pattern: headline-grabbing numbers, vague timelines, and economic impact projections that rarely face scrutiny after the press release has been archived.

Economic Impact Studies: All Promise, No Proof

At the core of these big claims are economic impact study (EIS) tools built on input-output models originally developed in the 1930s. They work by applying multipliers to direct spending (for example, construction or wages) to estimate wider economic benefits. But these models often assume:

No supply constraints.
No price changes.
Perfect conversion of spend into local value.

That’s not how economies actually work. Academic reviews by institutions such as Cornell University show that these studies often overestimate benefits by 30–60%, especially when they include indirect effects like supplier activity or worker spending without separating what’s truly new from what would have happened anyway. Or sadly, this can even occur through plain old poor estimation. Worse, these studies are rarely revisited. There’s no formal tracking of whether the jobs, GDP, or upskilling ever materialize. The model looks forward but never backward.

Computable General Equilibrium: Better Economics But Not Built For Speed

There is a more sophisticated alternative: computable general equilibrium (CGE) models. These simulate how changes ripple across the economy over time, adjusting for prices, capacity limits, and behavior. Public sector analysts use CGE for evaluating major policy changes or environmental impacts. CGE isn’t without its own issues, however:

It’s slow, expensive, and opaque.
Its complexity makes it inaccessible to most tech and business leaders.
It can be shaped by hard-to-audit assumptions.

In one comparative study of disaster impacts in Italy, CGE, input-output, and hybrid models delivered up to a sevenfold difference in estimated economic loss. The message? The model you choose shapes the story you tell.

Why Forrester’s TEI Is The Better Middle Ground

At Forrester, we take a different approach with the Total Economic Impact™ (TEI) methodology. Our methodology:

Starts with real customer data. Interviews, cost baselines, and quantified use cases form the foundation.
Adjusts for risk. Every benefit is discounted based on likelihood and implementation risk.
Focuses on what matters to your decision-makers. ROI, net present value, and payback matter — not hypothetical GDP boosts.
Is tailored to your context. TEI doesn’t assume national impact; it shows value based on your workloads, staffing, and strategic goals.

Put simply, the Forrester TEI models what’s real, not what’s hoped. And yes, you can and should measure the actual results. For our clients, we will be at your side and by your side when the actuals roll in.

Don’t Be Seduced By The GDP Halo

There’s nothing wrong with companies investing in digital infrastructure or governments welcoming it. Still, let’s not confuse those investments with a universal good. A new cloud region may unlock value — but not for every organization and not at any cost. My advice? Organizations evaluating these investments shouldn’t rely solely on sweeping economic claims or fall for the idea that jumping into an onshore cloud automatically contributes to some imagined national benefit. Instead, assess the value based on your own cost structures, workloads, and strategic priorities. By all means, make it a total economic impact! Just make sure it serves you and your outcomes. Macroeconomic splash statements? More often than not, they serve the branding and demand generation needs of the firms that sponsor them. And the headlines that follow? They’re just the sugar coating.

Announcing Forrester’s Consumer Intelligence Platforms Landscape Report

It’s hard for marketers to keep track of the tools and platforms designed to help brands understand their consumers. As the demand for a more holistic view of the consumer and speed to insight grows, so does the scope of the platforms that support these needs. One notable shift has been the transformation of social listening platforms (SLPs). Back in 2020, we published a Forrester Wave™ evaluation on social listening platforms. We observed at that time that “SLPs are looking to escape the bounds of social media entirely, many with visions of becoming broader consumer intelligence technology (or some iteration thereof).” Five years later, that call has proven true as access to data signals and conversations beyond traditional social listening platforms has opened to brands. But SLPs aren’t going away: Forrester finds that 81% of B2C marketing decision-makers use an SLP or consumer intelligence tool. At the same time, 79% believe that social listening platforms should be called a broader name. That’s why we’re announcing the launch of a consumer intelligence platforms landscape report.

We define consumer intelligence platforms as: Platforms that derive real-time insights and reporting from data sources outside of their company (e.g., social media, web, or consumer data) using proprietary analysis techniques to enable consumer-driven decisions.

Historically, these tools have been used for brand monitoring and competitive intelligence. But Forrester’s research shows an expansion of use cases, including trend identification and forecasting, media monitoring, and voice-of-the-customer research — spanning beyond just monitoring and analyzing and going into predicting. Ultimately, the primary benefit of these platforms is clear: to help brands better understand their consumers. Stay tuned for the landscape to publish in Q4 of 2025. We’ll explore the key players, capabilities, and use cases shaping consumer intelligence.

Black Or Blue, Microsoft’s Quick Machine Recovery Might Be Able To Soften That Bruise

Windows 10 is retiring this year, and we’ve already discussed how business leaders should be moving off that platform to meet compliance goals and reduce the risks of running an unsupported OS. We previously talked about how, until recently, there didn’t seem to be compelling reasons to move to Windows 11. The push to upgrade was simply to maintain compliance and support, which would explain the delays from many IT and security leaders in completing the migration. But within the last year, Microsoft has introduced new features that are only available in Windows 11 that show value for IT and security operations, the latest being tied to the Windows Resiliency initiative.

The “blue screen of death” (BSOD) arrived with Windows NT 3.1 in 1993, and since then anyone who’s spent any amount of time in Microsoft Windows has likely been blessed with its appearance. Every OS has crash handling functions, be it Novell NetWare’s abend or Linux’s kernel panic, but the BSOD is iconic. It’s taken on many faces over the years, but we all know what it means. The information provided in the BSOD could be valuable to the skilled IT support analyst, and methods like the “last known good configuration” boot option offered some relief. But in many cases, the BSOD lacked the depth needed to restore the OS to clean operations.

The latest set of planned changes for Windows 11 includes the theme “BSOD is dead, long live BSOD” — as we say goodbye to a blue screen and welcome a black screen. Of course, this just feels more ominous, as a black screen is creepy and the latest color choice for the blue screen was rather soothing. But feelings aside, there will also be options as part of the Windows Recovery Environment called “quick machine recovery,” which will allow IT admins to deploy remediation functions across the enterprise in the event of widespread issues. Some functions will also come to the Home editions, which will be helpful to businesses that allow BYOD to provide guidance to employees on how to get back to normal after something goes wrong.

Following along with these changes is a “nudge” to remove endpoint security operations from the kernel space while still allowing the endpoint protection vendors the ability to monitor and defend the core functions of the operating system. Microsoft has previously said it doesn’t intend to lock approved security vendors out of kernel operations, but many of the vendors in the endpoint security space like what Microsoft is doing to balance kernel access needs with reducing the impact of faults that lead to the dreaded BSOD. This move will not guarantee that kernel faults won’t happen, as no software is perfect and every OS has its failure mode, but each step that reduces the likelihood is a step in the right direction.

As we said in our report from this past May, Say Goodbye To Windows 10 To Reduce Your Cyber Risk, if your organization is staying with Windows as your default desktop operating system, you need to move to Windows 11. Staying on Windows 10 only increases your risk of compromise, and as much as you may have liked the OS, it’s time to let it go. We said back in 2022 that Windows 11 was going to get new functions that showed value, and while it may have taken a while for these functions to materialize, it’s better to be positive and embrace the changes that can improve the user experience and the security posture at the same time.

Black Hat 2025: Troop Forrester Goes To Hacker Summer Camp

2025 marks the 28th year of Black Hat, and although it remains on the edgier side of corporate-focused cybersecurity conferences, it sometimes feels like the event is considering completely ditching its hoodie in favor of a collared shirt. While even a cursory glance at the briefings agenda will confirm that offensive security is still the conference’s heart and soul, the general sprawl — the enormous sponsor presence both in and outside the conference, an investor summit, and even the bafflingly large merch booth — had the effect of creating a vibe that’s much more in line with other security conferences. There were also other common threads with recent industry events, as well as some surprises.

AI Was The Belle Of The Ball (Again)

AI agents and agentic (or more specifically “agentish”) messaging dominated the event and virtually every vendor booth. Just as AI agents and agentic are nascent technologies, so too is the accompanying messaging and functionality. What we saw in the Business Hall was both a continuation of the broader themes from RSAC and some new issues.

Agents still primarily automate tasks, not entire workflows. Despite at least a half-dozen booths — some of them very large — proclaiming the “first AI-powered SOC,” current agent capabilities only alleviate some steps from a given process or workflow but do not complete those processes or workflows (yet). For security leaders, this results in two warnings to heed:

The removal of tactical steps is a boon, but the decisions expected of the people receiving the information are more consequential, not less.
The extent to which a program is automated is a good proxy for how useful these agents will be. Security programs with low rates of integration and automation will get very little benefit from agents. High integration and automation programs will.

Buyers are focusing on more than the improvements that AI promises. In multiple conversations, people expressed concerns about how to work with vendors that have adopted AI-first strategies, especially around the potential impact of AI features on pricing and billing.

Vendors are hoping that AI will paper over their self-inflicted wounds. More than one vendor bragged about launching an “agent to summarize alerts” (the alerts that the vendor’s solution creates). These are alerts that the vendor could just improve. Asking why an agent was necessary when the vendor could just improve the alerts resulted in circular reasoning not unlike the hilarious “Couldn’t you just make ten louder?” “But this goes to eleven … ” scene from “Spinal Tap.”

Vendors are barely beginning to think about securing intent. In our AEGIS framework, we describe securing intent as an important new domain for cybersecurity due to the nondeterministic nature of AI agents and the dynamic paths they may use to complete their objectives. There was at least one vendor demonstrating an “intent classifier.” While it doesn’t yet distinguish between benign and malicious intent, it represents an important first step in leveraging intent as a detection surface.

Application security (AppSec) is also caught in the AI paradox. There are simultaneous warnings of the risks of AI-generated code, large language models (LLMs), and Model Context Protocol (MCP) servers and tools. At the same time, the same technology is being integrated to help solutions such as static application security testing overcome the slow scans, high false-positive rates, and complicated security jargon that make these tools inaccessible to most developers.

Cybersecurity Staffing Shortage? What Cybersecurity Staffing Shortage?

There’s another lurking change brought about by AI that may not get much attention … but it should. In recent years, vendors (and governments) used both RSAC and Black Hat as opportunities to recruit. This year, that was entirely missing. It’s a tacit acknowledgement that the cybersecurity job market is much, much softer than certification bodies and institutions of higher education would have you believe — something that deserves more attention than it will receive.

Efficiency Was A Recurring Theme In Vendor Messaging (Again)

In some cases, it was hard to distinguish whether the marketing gimmicks were intended to pitch a local attraction or something cybersecurity-related. Is HyperX a new detection and response tool or an event venue? Is “disrupting your reality” a tagline for a new deepfake detection company in Startup City or the Blue Man Group? Is Grave Digger here to promote an upcoming monster truck rally or to crush legacy security automation platforms? Is “ingest anything” something one does at Vegas’ famous buffets or the flagship capability in a data pipeline product? Is the “thing” standing by the wall one of CrowdStrike’s new threat actor statues, a hired cosplayer taking a break, or just a prop for the hotel bar? In those more extreme cases, it was ambiguous, but for the most part, other messages were more clear-cut:

XDR vendors are leaning into SIEM. Vendors such as CrowdStrike, Palo Alto Networks, and SentinelOne, which have historically put extended detection and response (XDR) front and center, were all leading with security information and event management (SIEM) messaging at the event, among their other focus areas. Given how competitive the XDR market is, combined with how ripe with opportunity the SIEM market is, this adjustment makes sense. The market is definitely transitioning to considering XDR vendors as bigger players in security analytics, as shown in the latest Forrester Wave™ on security analytics platforms.

Exposure management and continuous security testing were prevalent. There’s a certain irony in pitching tools that automate precisely the things that attendees come to Black Hat to learn, but the reality is that the scale and complexity of most IT environments demands both automation and a tighter feedback loop. The taxonomy of these solutions was all over the place, with varied names like “autonomous red teaming” and “automated pentesting.” We didn’t see breach and attack simulation (BAS) mentioned, with BAS vendors now favoring messaging towards proactive security and cyber threat exposure management (CTEM, which is just a long way to say proactive security). Remember that the use case for continuous security testing tools is ultimately validation of exposures — proving that detected vulnerabilities

Navigating Cyber Regulatory Purgatory Using AI

Cyber regulations continue to multiply, with cyber regulations being enacted or modified in the UK, EU, South Africa, and the US, just to name a few over the past 18–24 months. Cybersecurity policy is one of the few genuine areas of cross-party political agreement in many countries globally, so it is getting significantly more political attention lately than it ever has before. As is common with regulations more broadly, cyber and risk practitioners use the highly sophisticated governance, risk, and compliance (GRC) platform Microsoft Excel and manual legal and regulatory research to keep on top of it all.

Cyber regulations, however, all have different requirements in these jurisdictions, creating “purgatory” for the average cybersecurity professional. For example, in the area of incident response and notification, an organization that is subject to the EU’s NIS2 and GDPR has two different incident classifications to track and monitor (essential services notifications and personal data), both with different definitions, impact scenarios, penalty regimes for noncompliance, and different regulatory reporting points (depending on which EU member state you’re in), just to name a few points of difference. Scaling that up to a global enterprise, cyber and risk professionals need to make choices about how they comply with cyber regulations that conflict with each other. Manual approaches to tracking, assessing the impact of new regulations, and gathering evidence to provide assurance over compliance are now an impossible ask for our Excel spreadsheet.

For cyber professionals wondering what sins they committed in a prior life to deserve this fate, some promising approaches from the world of regtech are at hand. Recent acquisitions and capability building by GRC platform providers are changing the picture. Cyber professionals rolling their eyes at yet another obligatory mention of AI need to give this use case a closer look. Clients working with some of these providers have demonstrated with their enterprise risk management programs that it is possible to use generative AI to transform how you track and monitor compliance. These solutions are being used to scan the legislative landscape to identify applicable legislation, track its development and regulatory sentiment, and assess and produce gap analysis of your firm’s compliance posture. This approach, influenced by how financial firms use regulatory intelligence solutions and risk intelligence solutions, can help the cybersecurity industry better understand how we manage an increasingly complex regulatory landscape.

To find out more about how you can escape regulatory purgatory and build this emerging capability into your GRC program, check out my session at our upcoming Security & Risk Summit in Austin, Texas, on November 5–7 entitled “Navigate The Conflicting Regulatory Landscape.” In the session, which is part of the broader risk and compliance track, we’ll discuss how using regulatory technology solutions to complement existing GRC technologies can help you navigate regulatory complexity. We’ll also look at how to develop risk intelligence capabilities to assess regulatory changes and determine their impact. To learn more about this session and the other sessions in the track, check out the full agenda. I look forward to seeing you in Austin to discuss this topic more in person.


From The Basement To The Corner Office: Zero Trust Gets A “Promotion” In The DoD

The US Department of Defense’s Zero Trust Portfolio Management Office (PfMO) will officially become part of the DoD enterprise and will be led by a newly created Chief Zero Trust Officer. The changes are detailed in a new directive-type memo that describes the new organizational structure as well as roles and responsibilities. The office will be responsible for coordinating, synchronizing, and accelerating the adoption of Zero Trust across each of the services and major commands within the DoD. Although the ultimate responsibility for Zero Trust initiatives and investment remains with the DoD CIO and other Zero Trust-related governance structures are mostly unchanged, the Chief Zero Trust Officer will provide strategic guidance, direct alignment efforts, and make recommendations for resource and funding priorities.

The Upside Of DoD’s Double-Down On Zero Trust

Given the changes to various elements of the overall US federal cybersecurity strategy — and the resulting uncertainty, including the scrutiny of existing Zero Trust implementation strategies across other departments — it’s good news that the DoD is staying the course. The establishment of the office and the creation of a senior executive service-level position to lead it illustrates that when the stakes are high(-est), Zero Trust remains the best model “to impede malicious threat actors in cyberspace.” The benefits of further formalizing Zero Trust with this new structure include:

Shipping the org chart. Conway’s law is usually invoked as a critique, but in this instance, it could instead be a catalyst to help the DoD achieve its ideal outcome: Zero Trust everywhere. By creating an organizational unit with a sweeping purview that reports directly to the CIO, the DoD has further codified Zero Trust as an integral part of how it will approach the department’s business of information technology and cybersecurity. Ideally, this centralization and oversight should keep the overall strategy cohesive and eliminate siloed implementations, especially between different DoD components.

Creating an interface for the rest of the federal government. As the DoD soldiers on (pun intended) with Zero Trust, the Office of Management and Budget (OMB) is taking a beat to consider “Zero Trust 2.0” for Federal Civilian Executive Branch (FCEB) agencies. Even though the remit of the Chief Zero Trust Officer is confined to the DoD, one important authority granted is interfacing with OMB and FCEB agencies. Given the changes in priorities and staffing at the Cybersecurity and Infrastructure Security Agency (CISA), there is an opportunity for the DoD Zero Trust PfMO to take up the mantle of Zero Trust leadership within the government writ large. This coordination should create a channel for the distribution of Zero Trust guidance and lessons learned that are — literally — battle-tested. Although departments outside of the DoD and Intelligence Community (IC) may not have the same rigorous requirements, they are still targeted by adversarial foreign governments, and DoD implementations should provide a foundation that can be adapted for other environments in the same way that the Defense Information Systems Agency’s Security Technical Implementation Guides often are.

A Portfolio Isn’t Without Pitfalls

It might be easy to treat this announcement as an unqualified endorsement of Zero Trust in the US government. After all, if the DoD is betting on Zero Trust as its preeminent cybersecurity strategy in a time when great power competition increasingly manifests in the digital sphere, shouldn’t that mean it’s the right bet for all of us? And if the overall strategy is the right bet, doesn’t it make sense to use the same operational and tactical approach?
Like so many things in cybersecurity, the answer is “it depends.” How effective this new office turns out to be and whether the private sector should attempt to replicate this specific Zero Trust governance structure are still open questions. For security leaders contemplating a similar approach in their organizations, there are reasons for caution, including:

Compliance theater. One potential downside of creating an office whose sole purpose is to scrutinize a wide range of projects for their “Zero Trustworthiness” is that Zero Trust will become performative rather than substantive. Project sponsors and leaders may become overly focused on checkboxes that ostensibly comply with stated Zero Trust goals and objectives but don’t meaningfully implement the principles. That approach may satisfy a gatekeeper so that projects can proceed, but with all due respect to GRC teams everywhere, compliance does not always directly translate to improved security.

Turnover turbulence. The existence of a position is not the same as a person in the position. And a person appointed to a position is not the same as a person with a long tenure in a position. Cybersecurity roles are known for high turnover rates, and leadership changes affect consistency and disrupt momentum. The role of Chief Zero Trust Officer is no different than many other senior federal positions; executing on a vision and successfully managing the portfolio will require a certain amount of longevity. An unexpected vacancy can leave the rest of the team scrambling to make sense of an unfamiliar topic or thrashing after a change in direction.

Governance alternatives. Despite how it’s often described — a product, a platform, or a buzzword that should be ignored and forgotten — Zero Trust is best thought of as an architectural philosophy. Like any philosophy, there may be a founder or a champion. But philosophies can also emerge more organically through the work of like-minded individuals in response to prevailing conditions. Zero Trust is a set of tenets for how to think about how things should be built and a set of broad techniques that can be applied during the construction. But even with a common philosophical starting point, the resulting designs and structures will necessarily be different due to the needs and constraints of particular situations. There are stark differences between the needs of military or military-adjacent organizations and the private sector. The threats are different. The stakes are different. The budget, organizational structures, and incentives are different. Perhaps most importantly, the tolerance for friction in the user experience is different. The variety
