Forrester

I recently attended Identiverse in Las Vegas. This was my first time back at Identiverse since conference founder Ping Identity sold the conference in 2021. As identity related initiatives continue to dominate Forrester clients’ top priorities and initiatives, I felt impelled to share my perspectives and insights. Here are my five major conclusions and recommendations for security leaders from the conference: Protecting NHIs is as critical as securing AI. My expectation at Identiverse was agentic AI would be everywhere. While there was ample AI and agentic content, it was overshadowed by non-human identities (NHI) content. While my colleague Geoff Cairns and I prefer machine identities over NHI, I am using NHI in this blog for simplicity’s sake. From the opening NHI workshop to the NHI Pavilion on the exhibit floor to other breakout sessions, you couldn’t escape NHI at Identiverse! This hype is driven by two factors: 1) the rapid increase in the number of NHIs (e.g., service accounts, API keys, secrets, and certificates and now ephemeral cloud workloads, and agentic) and 2) the increase in attacks against NHIs because of their elevated, often excessive, privileges. Many vendors are quickly working to address NHIs and organizations need to prioritize this and look to analytics and automation for governing NHIs going forward. Interrogate vendor IAM product roadmaps for Shared Signals Framework support. Identiverse has always had a strong alignment with content around important identity standards, both established and emerging. Despite identity access management (IAM) being 20-plus years old, new standards are emerging to take their place alongside established standards like SAML and OIDC. While it’s always hard to handicap which standards are going to gain critical mass, the fact that there’s a healthy vendor base committed to advancing initiatives like the Shared Signals Framework and are working on standards, such as CAEP and IPSIE Working Group from the OpenID Foundation, shows that these new frameworks and standards are gaining momentum and will influence IAM product roadmaps and cybersecurity adjacencies throughout 2025–2026. Hit pause on DDID if you primarily operate in the US. Distributed digital identity (DDID) has been a promising identity innovation for several years; and while there was some interesting sessions on verifiable credentials, I would characterize DDID interest at Identiverse as tepid (especially when compared to NHI and AI). This is unfortunate given the potential that DDID can deliver. The lower interest also likely reflects how DDID remains subject to the vagaries of the US political environment. Indeed, the recently revised White House Executive Order on cybersecurity confirms a deemphasis in DDID. While some pockets of DDID momentum may remain at the state and local level, Federal level DDID efforts will remain on hold for time being. IAM practitioners should look to Europe and other regions outside of US to track DDID developments. Reinforce your workforce IDV capabilities. While customer identity verification (IDV) has received ample attention and investment in the last five years, growing concerns around attacks, such as the North Korean remote IT worker scam, is driving enterprise focus (and vendor investment) into workforce IDV. Several speakers noted they had been victimized by this attack, which only confirms that with remote interviewing and onboarding becoming the norm, the hiring journey has become an attack path. The interest in workforce IDV is also often engaging new internal buyers or influencers, like the HR or legal team, which are different buyers than traditional IDV customers. Remember that cloud is king in IAM, but on-prem IAM still casts a long shadow. It’s expected that tech conferences will be cloud-first and cloud-centric in messaging and content, but this doesn’t mean that every organization has migrated their IAM stack 100% to the cloud. I am still struck by the slow pace of cloud migrations for orgs that deployed IAM pre-2010. Many of these deployments are so embedded into the organization’s workflow that a simple lift-and-shift cloud migration isn’t practical. This means many orgs (and IAM vendors) will need to prepare themselves to operate in a hybrid world where certain select on-prem apps will need to coexist with cloud-based offerings. Let’s Connect Have questions? Forrester clients should reach out to me to request a guidance session to discuss these topic further. source

I’ve just finished reviewing the product announcements from this year’s Cvent Connect, and there was a lot to digest. AI was the big story with the launch of CventIQ – a suite of integrated AI capabilities across the entire Cvent eco-system. Rather than present Cvent IQ as a standalone product the team looked at it through the lens of four strategic themes: empowering the field, delivering high-impact attendee experiences, increasing user efficiencies, and managing the event lifecycle. Here’s my take on each of those areas: Empowering the field. Cvent officially rolling out Cvent Essentials to help field teams execute smaller local events more consistently and do more with the data they’re generating. This is timely – Forrester data shows that 59% of organizations plan to run more of these smaller field events over the next 12 months. Cvent Essentials will also be part of Events+ (together with Cvent webinar), encouraging clients to move to more centrally managed event programs. While the Essentials announcement makes sense, it will be interesting to see how Cvent positions Splash within its portfolio and how it differentiates it from Essentials. High impact attendee experiences. Cvent made two standout announcements here. They will apply CventIQ to their global contact profile to identify “discovered interests” and use dynamic audience segments to deliver more personalized attendee experiences. This aligns with the Forrester 2025 Event Trends survey, which found that 79% of event leaders are prioritizing personalization this year (a 4% year-on-year increase). They also announced a personalized AI assistant agent, powered by a hierarchy of connected agents. These agents include an event expert, brand ambassador, content curator, and network navigator. The array of different agents was slightly confusing, although attendees aren’t exposed to this. It will be interesting to see what uptake Cvent get. Forrester data shows that only 22% of event planners and marketers either currently offer, or plan to offer attendee assistance via an AI powered chatbot over the next 12 months. Increase user efficiencies. Cvent announced improvements in AI driven productivity including content development, attendee modification management, and (most interestingly), event reporting and insights. The most notable announcements around reporting and insights were natural language report generation, improved session analysis, enhanced cross-event analytics, and predictive registration analytics (later this year). Cvent had been trailing in this area, but these updates close the gap. While this is good news for many organizations, leading enterprises will still prefer to extract and manipulate event data outside of their event platform. Managing the event lifecycle. Here Cvent focused on expanding support for tier one events and three announcements stood out. Clients will be able to promote events via LinkedIn using existing audience segments – a smart move. Secondly, in addition to air travel, Cvent now supports attendee rail bookings. While only 38% of event leaders cite reducing the environmental impact of their events as a priority, younger attendees increasingly value this, and this is another welcome addition. Finally, Cvent announced a ‘data bridge’ offering real time access to event data with flexibility in terms of what data synchs to where. Doing more with event data has been identified as a top priority in the Forester Event Trends survey for the past two years so this is exciting, and I’d have liked the team to spend longer digging into this. Forrester clients interested in learning more about event technology can read our latest Forrester Wave on All-In-One Event Management Platforms, Q4 2024 or schedule a guidance session with me. source

In the fall, we announced that B2B buyer adoption of generative AI was outpacing expectations, with 89% of buyers using genAI in their buying process. Six months later, B2B providers are starting to see the impact in their metrics and facing urgent questions from their executive teams. After dozens of conversations with providers, agencies, and technology platforms, the zero-click future is becoming clearer — AI-powered search will have a dramatic impact on revenue metrics, but many marketing fundamentals will remain the same or become more important. What’s The Impact Of Zero-Click Search On Organic Traffic? While many B2B publishers have seen a dramatic drop in traffic, providers are seeing only a modest decline. The composition of organic traffic is shifting, however. Historically, Google keyword search accounted for well over 90% of organic B2B traffic. We expect to see AI-powered search drive 20% of organic traffic by the end of the year. From a small base, the growth is staggering. This traffic will be higher-quality than keyword traffic, with lower bounce rates, higher engagement, and higher conversion rates. The biggest impact, though, isn’t to organic traffic but to information consumption. Net buyer engagement with B2B purchase information will grow dramatically as buyers realize the power and efficiency of AI-powered search. What Does Zero-Click Search Mean For My Revenue Engine? The scariest impact of zero-click search will be the lack of visibility. In the long run, zero-click search will remove barriers to purchase. In the near term, however, more activity will take place off of providers’ websites. Providers will need to evolve the role of their website from a traffic generation and lead harvesting engine to an information syndication engine. Their most important audience will continue to be buyers, but they should expect buyers’ agents (retrieval-augmented search agents from players such as Google, Microsoft, ChatGPT, and Perplexity) to be a close second. With fewer, better-informed prospects coming to their site and converting at higher rates, providers looking to grow will need to reinvest in the fundamentals — developing their reputation among buyers prior to a formal purchasing process. For an overview of how to engage buyers through AI-powered search, see my new report on Messaging For A Zero-Click World. source

What will it take for you to call Finance? This is my first blog post at Forrester. And as Forrester’s new IT financial management analyst, I’m sharing my greatest success story from the past 10 years in finance roles supporting enterprise IT. It’s when I got a call from IT. IT professionals have better things to do than get in the weeds with Finance. But as enterprises have become more focused on the ROI of their IT investments, Finance and IT have become inextricably linked. This makes for strange bedfellows. A CIO’s job is to deliver AI uses cases, protect the company from security breaches, manage data integrity and so on. CIOs don’t want to be bothered with accruals and capitalization. Where these two worlds meet is when it comes to defining the value that IT adds to the enterprise. Tools like cost-benefit analysis, Total Economic Impact® and TCO have enabled IT to attach a number to the contribution it makes to the enterprise in terms everyone across the enterprise can understand. In many companies, the practice of defining the value-add of IT starts with the biggest, most “strategic” investments. But what’s happened in my experience is, if done successfully – if IT and Finance are able to successfully partner and tell the value story for the company’s most important IT investments in a language that all understand – then the partnership goes viral and becomes part of the culture of both organizations. Which brings me back to my story. I had just successfully partnered with IT to get Exec Committee support for a $50M CRM transformation investment. On the heels of that success, I got a call. Not from the CIO, not from anyone else in the C-Suite, but from a project manager who had heard about the work Finance and IT had done for the CRM investment. He wanted to know if there was a simplified financial analysis he could use to support a $500K middleware decision between Vendor A and Vendor B. And that’s when I knew we had something – when both IT and Finance saw the value in working together, not just at the C-level, but across all levels. So I come back to my original question – what will it take for you to call Finance? Because to me, that is the key to IT financial management. The partnership between two areas that don’t always speak the same language, but which together have an amazing value story to communicate across the entire organization. This is going to be fun! If you want to learn more about IT Financial Management, submit a request for an inquiry or guidance session here. Follow our research at the Forrester website by clicking Greg Zorella. source

Infosecurity Europe celebrated its 30th anniversary at its 2025 edition in London, with 338 exhibitors and over 13,000 attendees. After the high-energy, hyper-branded chaos of RSA Conference in San Francisco, the contrast couldn’t have been starker. For one, there were no goats and puppies to distract from the real agenda — earning the honor for never having petting zoos on site during its 30-year existence. We also noticed the following noteworthy trends: A modest, direct, and forward-looking event floor, agenda, and theme were on show. Where RSA overwhelms with scale, spectacle, and sensory overload, Infosecurity stays true to its European character: modest in presentation, straightforward in messages. This year’s show floor was notable with the absence of many established cybersecurity brands replaced with smaller vendors, including a welcome return of many more early-stage startups than we have seen in prior years. The conference centered on the theme, “Building a Safer Cyber World,” a forward-looking call for smarter collaboration, technological integration, and adaptive defense strategies. The agenda reflected the growing urgency around protecting critical infrastructure in a volatile and geopolitically influenced cyber landscape. Cybersecurity is intrinsically linked to national resilience. Multiple sessions and conversations with visitors and vendors stressed the convergence of threats, geopolitics, and critical infrastructure. Foreign technology dependence emerged as a recurring concern. Paul Chichester — the National Cyber Security Centre’s director of operations — highlighted that nationally significant attacks doubled in the past year. Rory Stewart further honed in on how the erosion of the rules-based global order is leading to unpredictable cyber escalations. The message from the floor: Geopolitics and digital sovereignty are essential for your cybersecurity strategy. UX in cybersecurity matters. There was an underlying recognition of the importance of UX that became evident through the product demos, the conversations with multiple media platforms, and the insights shared during the Forrester roundtable at the conference. The discussions explored how cybersecurity would sorely benefit from simplification, the use of modern UX design principles, and elevating the importance of analyst experience in order to reduce cognitive burden on both cybersecurity professionals and end users. There’s a continued emphasis on professional development and diversity. Progress on diversity in cybersecurity has frankly been slow, with women representing only 18% and ethnic minorities accounting for 29% of the total workforce, according to the latest ISC2 data. Still, this year’s programming had a few refreshing angles that stood out, focusing on building human-centered skills. Abadesi Osunsade, founder of Hustle Crew, delivered a powerful talk titled “Taking Up Space: How to Lead the Charge in Cybersecurity,” urging attendees to embrace individuality as a strength. Rik Ferguson, VP of security intelligence at Forescout, addressed the importance of active allyship to drive meaningful change within organizations, including his own experience of being an ally. As with all matters relating to hiring, retaining, and advancing women in cybersecurity, substantive and authentic actions that create real change is what matters, and we look forward to the conference focusing more on these outcomes in future events. Forrester clients who wish to dive deeper into our perspectives on Infosecurity Europe 2025 can book a guidance session with either of us. source

Success in business doesn’t come with a manual — especially in today’s fast-evolving world. But you’re not alone. Countless executives have faced the same challenges you’re navigating, from crafting winning strategies to investing in cutting-edge technologies and attracting the customers who matter most. The difference? They partnered with Forrester. Through a unique continuous guidance model that blends research, consulting, and live events, we ensure you stay ahead of every curve. Equipped with the latest trends, innovations, and data, our tailored interactions empower you to act swiftly and decisively. With insights drawn from surveying over 500,000 consumers, executives, and tech leaders annually, Forrester consultants and analysts are unrivaled in understanding the challenges you face. Whatever hurdles you encounter, we’ve seen them — and solved them. source

The Forrester Wave™: DevOps Platforms, Q2 2025, is live. Hey, Weren’t These Called ISDPs? When I took over the Wave from Chris Condo, I admit that I looked for an excuse to change the name. “Integrated software delivery platforms” didn’t have the word DevOps in the title, which made searching harder for clients. I didn’t hear people using it. And, well, I’ve got a long-held bias against acronyms longer than three letters. It’s Forrester, so we didn’t want to change the name without doing some research. A quick poll on LinkedIn justified my intuition, so we did a further search of vendor websites based on our landscape report admission criteria. What do the vendors that sell the products call them? We focused on keywords and learned that, of 41 samples, four vendors had “deploy” or “deliver” in their product category name and 14 had something else (“lifecycle,” “CI,” “IaC,” or another term), while 23 of 41 used DevOps. Nobody was using “ISDP.” It’s clear: ISDP is out, and DevOps platforms are in. Narrowing down the field led to some careful choices. In the end, we had 11 participants that we felt everyone should know about: Amazon Web Services, Atlassian, CircleCI, CloudBees, GitLab, Google Cloud, Harness, IBM, Microsoft, Octopus Deploy, and Red Hat. They were each ranked on 26 criteria. What Are The Trends? Despite claims that “DevOps is dead,” the truth is that DevOps is everywhere. Platform teams use DevOps principles to ensure that application teams deliver reliable and high-quality software. The idea of a single DevOps platform, rather than a collection of best-of-breed tools stitched together by individual application teams, has grown with the concept of platform as product. Platform engineers today seek to solve the problems that application developers face, and the average application developer doesn’t want to set up a pipeline or maintain tool integrations. It doesn’t hurt that consolidating can also bring quantity discounts to an organization. As enterprises in particular look to standardize, we see a few trends: DevOps is DevSecOps. Security is a mandatory part of DevOps. In fact, it’s just as fundamental as CI and CD. So we excluded any platform that didn’t provide some forms of security tooling. Leaders had security out of the box and had already thought about artifact management, secrets scanning, SAST, root cause analysis, and automatic remediation. AI is booming — but it’s not all well integrated. Pretty much every vendor has AI features, either now or on their roadmap. The standout vendors integrate AI throughout their product in thoughtful ways that reduce contributor effort and make the routine seem magical. Others checked the AI checkbox but required significant copying and pasting of prompts and results — adding to developer toil rather than relieving it. GitHub Actions is becoming a de facto standard. For continuous integration in particular, competitors seem to be converging toward a slightly modified version of GitHub Actions. It’s not a select-all/copy/paste, but in some cases, it’s close — a copy/paste with a few extra lines in the YAML. What Should You Look For? Forrester’s transparent methodology, where we detail the process behind the full criteria, scale explanations, and scores, allows us to offer an interactive experience to help inform the choices that our clients make about their providers. Forrester clients can visit this page when logged in and select “Help me find a vendor” to select what you and your organization value most in a DevOps platform. We then provide a ranked list aligned to your priorities. As you compile a shortlist or consider a renewal: Don’t just count features. A checklist is a good place to start, but don’t stop there. The point of a DevOps platform is to make your SDLC run easier. Does it do that on day zero, when you first need to get the platform up and running? Does it do it on day two, after you’re live and in production? Does the platform play nicely with its competitors? Odds are good that you have build systems that you’re not going to throw out tomorrow, so working well with frenemies is critical for a DevOps platform. Think about multiple personas. DevOps platforms need to satisfy developers and operations people, but there are others who end up using them. Is the DevOps platform easy to use for testers? What about managers and PMs wanting to keep an eye on project status? Does the platform build alignment between individual contributors and the business initiatives that are the reasons why they do the work? Go below the troposphere. You’re probably pushing a lot of software to public clouds, but you’ve got other software to deliver, as well. How well does a DevOps platform work if you’re bringing changes to a mainframe, publishing to an app store, or testing a brand-new IoT device? With this Wave, we investigated how the platforms help those who don’t have their heads completely in the cloud. Forrester clients can check out the full report here for more detail: The Forrester Wave™: DevOps Platforms, Q2 2025. And clients seeking to implement — or replace — a DevOps platform can schedule an inquiry or guidance session with me for additional insights. source

As the chill of winter quietly settles over Sydney, I find warmth not just in my hands wrapped around a steaming mug of coffee but also from an unassuming treat bursting with rich and complex flavors of caramelized vanilla and rum. And this treat is none other than the humble canelé. If you’ve ever tried making canelé by yourself, you’ll know how notoriously difficult it is to get right. Often, the crust fails to form properly or the interior ends up overcooked or rubbery. Achieving perfection requires a delicate balance of technique, precision, quality ingredients, and experience — the same recipe for success that digital or customer experience (CX) leaders need to ensure that customers enjoy exceptional digital experiences. Unfortunately, many leaders across various organizations don’t yet understand the nuanced balance required for success. To create the perfect canelé (or outcome), factors such as oven temperature, mold preparation, batter consistency, baking time, and ingredient ratios all matter. Similarly, if your organization aims to increase customer lifetime value, what metrics should you track to ensure the right balance? In our research, we found that many leaders track digital experience (DX) metrics in isolation. This approach often results in struggles to drive key business outcomes and continuously improve customer experiences.   Mature firms, however, take a different approach. They relentlessly connect DX metrics to business and customer outcomes, combining quantitative and qualitative data to uncover deeper insights into the behaviors that drive these outcomes. More importantly, they follow a disciplined methodology to ensure that they are tracking the right DX metrics that lead to meaningful customer and business impacts. Join me for my keynote session, “How To Measure Digital Experiences,” at CX Summit APAC in Sydney to understand: The four types of datasets to collect. How to link DX measurement to business and customer outcomes. The role of emerging tech in DX measurement. If you haven’t already registered for our event, click here to register. Hope to see you there! (Photo credit: Pixabay) source

Marketers have leveraged programmatic loyalty for decades to identify their best customers and deliver a differentiated brand experience. And members have experienced everything from simple digital punch cards to highly sophisticated enterprise loyalty programs that attempt to anticipate their purchasing needs and recognize their loyalty with personalized experiences and offers. This wide spectrum of experiences reflects where a brand is in their loyalty journey. Though the punch card may seem like a simplistic loyalty tactic from the past, it can serve as a foundational step in a journey to achieve objectives such as awareness, growth, or operational scaling. Basic loyalty mechanics also help companies collect valuable customer data and develop customer insights that serve as the jumping-off point for innovation and iteration. As brands evolve their programs, they build modern loyalty strategies that address new objectives including incrementality, share of wallet, and emotional engagement. Forrester’s 2024 data shows that 77% of US online adults agree that they like to engage with loyalty programs even when they’re not purchasing. To win the competition for consumers’ attention, modern loyalty programs balance the base desire for financial incentives with the increased expectation for unique experiences and special treatment. They build on the characteristics and practices of traditional loyalty programs across five categories: structure, communications, experience, engagement, and mindset.   To shift from a traditional loyalty strategy to a modern loyalty approach, check out our recently published report, How To Modernize Your Loyalty Program, in which we explore the following topics: Common pitfalls of a transactionally focused strategy. Traditional loyalty programs that focus primarily on the transactional member journey risk driving loyalty to members’ wallets with little to no loyalty to the brand. We look at four key elements that limit the long-term impact from a traditional loyalty approach that fails to evolve over time. How modern loyalty benefits from a diversified engagement strategy. Building on the core elements of traditional loyalty, modern loyalty activates five engagement strategies to build a diversified loyalty experience. This approach leverages program structure to drive accrual, voice-of-the-customer insights, personalized experiences, proactive engagements, and an enterprisewide loyalty strategy to maximize value and customer lifetime loyalty. How to develop a modern loyalty approach. Traditional loyalty strategies that optimize CRM and provide compelling financial benefits are foundational to a modern approach. In this report, we explore how brands augment those elements with a focus on behavior change, customer feedback, the power of soft benefits, personalizing the brand experience, and how a corporate culture of loyalty can make the difference. Questions? We’d love to help you with your loyalty initiatives. Connect with us by scheduling a guidance session. source

CRQ solutions are on a mission to transform security and risk operations. The goal: a future where risk is measurable, actionable, and tightly integrated into business strategy. Some solutions emphasize picking up where legacy governance, risk, and compliance (GRC) implementations fall short and provide data-driven risk reporting, continuous monitoring, and third-party risk assessment. Others emphasize improving tactical cyber risk operations such as exposure management, threat modeling, and risk-informed remediation. Increasingly, CRQ solutions are extending across both dimensions — marking a new era of cyber risk management technologies. What’s Changed Since The First CRQ Evaluation? Overall, CRQ solutions today look very different from solutions two years ago, and they cover entirely new territory than they did when they were first introduced. Not only do they address more use cases than before, but more vendors have also entered the market. Key highlights include: CRQ is about managing risk, not just quantifying it. While the category title emphasizes “quantification,” this is expressly done to differentiate CRQ’s analytical approach from traditional, qualitative methods that unfortunately dominate GRC and security disciplines. Quantification becomes the engine to normalize risk data, prioritize actions, and enable trade-off decisions. Several vendors have expanded into adjacent markets and now offer CRQ-powered capability for vulnerability and exposure management, threat intelligence, third-party risk, cyber insurance, application security, control monitoring, and compliance assessments. Intelligence and integrations lower CRQ’s level of effort. CRQ critics point to the methodology and proclaim risk is either too complex to model (it’s not) or requires too much data to trust the outputs (it doesn’t). Vendors have invested in commercial and public risk data and begun augmenting these insights with tailored benchmarks to provide defensible outputs out-of-the-box to get practitioners started. Integrations across common security tools add increased precision by better enumerating the attack surface and continuous monitoring changes. Third-party risk management (TPRM) is one of CRQ’s fastest growing use cases. Despite being a top cause of breach, third-party risk often gets the short end of the stick due to competing risk priorities. CRQ vendors are increasingly providing dedicated TPRM offerings to counter this problem by quantifying exposure to and from third parties. Differentiated vendors also provide the ability to streamline third-party questionnaire assessments, either natively or through integrations. Buyers favor CRQ approaches aligned to industry standards. Differentiated vendors evade the “black box” perception by demonstrating transparent CRQ methodologies and detail-rich user experiences. Most vendors (seven out of 10) in our assessment base their CRQ models on recognized standards — most commonly FAIR — while three use proprietary models. Buyers will occasionally see vendors criticize FAIR, but keep in mind that this is usually a marketing move against other vendors who use FAIR rather than true faults in the FAIR methodology itself. Modern CRQ Solutions Stand On Three Pillars CRQ solutions differentiate themselves in three key capabilities — analytics, insights, and automation. Analytics power proactive defense. CRQ leverages advanced analytics for risk forecasting, predictive modeling, and scenario analysis making it possible to anticipate threats before they materialize. Insights connect risk to business value. By translating technical risk into real-time contextualized business impact, CRQ platforms empower leaders to understand loss scenarios and make informed decisions that matter to the bottom line. Automation drives efficiency and scale. Seamless API integrations, automated data ingestion, and continuous control monitoring mean organizations can keep pace with operational changes and regulatory demands without manual overhead. The Forrester Wave™: Cyber Risk Quantification Solutions, Q2 2025 is now live! Clients can use this report for more insights on the market and the 10 vendors that matter most. Tailor the evaluation to your own needs by using the “Compare vendors” button on the webpage. And schedule an inquiry or guidance session with me for additional insights. source