Forrester

In 2024, the digital behavior of Australian consumers is more dynamic and multifaceted than ever. My latest reports—The Digital Moments Map and The Digital Connections Tracker for Australia —offer a compelling look into how Australians engage with digital experiences across tasks, interaction modes, channels, and devices. These insights are essential for brands aiming to stay relevant in an increasingly fragmented digital ecosystem that competes for customers’ shrinking and selective attention span. 1. Context Is King: Understanding Your Customers’ Digital Moments The Digital Moments Map: Australia reveals that Australians don’t just use digital tools—they tailor their usage based on the task at hand. Whether it’s shopping, chatting, or controlling smart devices, users choose the most effective interaction mode for the moment (see the graphics below). For instance: Control tasks, like managing smart home devices, are seeing a rise in voice interactions that may soon challenge graphic user interface (GUI) as the top choice. Consumption tasks, like streaming media or checking a bank balance, are predominantly GUI based, but chat interactions are gaining traction (ChatGPT, anyone?). Communication tasks, involving written and spoken back-and-forth exchanges like customer support, are increasingly happening through chat interfaces, but voice interactions stubbornly remain significant by use volumes – not preference (see the graphic below). Commerce tasks, like online shopping and digital payments, mostly lean toward GUI, especially on mobile apps, without notable alternatives on the horizon. This task-based approach highlights the need for brands to design experiences that are both context-aware and preference-oriented. (This graphic shows the user proclivities as they progress from Awareness to Preference) 2. Digital Connections Are Complex: Finding The Right Mix And Balance Is Key The Digital Connections Tracker: Australia paints a picture of a highly connected population in Australia that is using a growing number of devices, channels, and platforms—often simultaneously. The average consumer might browse a product on a tablet, compare prices on a smartphone, and complete the purchase on a desktop. This multi-device, multi-channel, multi-platform behavior means that consistency and continuity across digital touchpoints are no longer optional—they’re expected. Brands must ensure that their digital experiences are seamless, regardless of where or how the user connects (see the graphic below). (This graphic shows the different options users may utilize to engage and interact with brands digitally) Implications For Digital Strategy Together, these reports underscore a critical shift: digital experience (DX) strategies must evolve from being product- and channel-centric to being context aware (understand the digital moments) and channel- and device-agnostic. Here’s what that means for organizations: Design for flexibility: Ensure your digital interfaces adapt to fit the context of tasks your customers need to perform, according to their comfort level and preferences. Invest in interoperability: Make sure your platforms and channels work together to provide a unified digital experience with minimal compromise for the consumers. Leverage data smartly: Use behavioral insights, focused more so on attitudes than past usage, to anticipate user needs and boost digital engagement and interactions. As digital behaviors continue to evolve – differently in every market and in every population segment – the brands that will thrive are those that understand not just where their customers are, but why they’re there and what they’re trying to do. Forrester’s foundational research on Digital Moments and Digital Connections offer a blueprint and roadmap for navigating this complexity and investing in technologies and digital experience design with clarity and purpose. Want to learn more and understand the data from this research? Schedule a Guidance Session or inquiry with me! source

While enterprise AI spending remains relatively modest today, the potential for overspending is significant. Most organizations are still experimenting, with only a few production-ready use cases. But that’s about to change. Over the next two to three years, AI investment is expected to grow exponentially as enterprises scale their efforts to operationalize AI. One major cost driver is the shift to large-scale generative AI (genAI) models, which require up to 100 times more compute than traditional AI models. And compute is just one lever. GenAI costs span both traditional infrastructure — like data, databases, storage, and networking — and AI-specific workloads such as model selection, token usage, training, and inferencing. These new cost levers add complexity, but they’re only part of the equation. GenAI Isn’t Traditional Software Developing genAI and agentic AI systems is fundamentally different from traditional software development. These systems are probabilistic — meaning outputs can vary even with the same input. In black-box AI services, pricing structures can change without notice or transparency. Margins are dynamic and unpredictable, making cost management — and forecasting — especially challenging. Still, every AI use case includes standard levers that can be tuned to optimize spend and manage the delicate balance between cost, performance, and risk. Understanding AI Cost Categories AI costs generally fall into two categories: Direct costs. These include models, data, and infrastructure — the core technologies needed to build and run AI solutions. Operational costs. These cover the overhead of running AI at scale, such as governance, business transformation, and skills development. Each category involves trade-offs. Here are a few key levers for consideration: Choosing the right model is the quickest way to balance performance and cost. Mature organizations regularly evaluate and swap models, as model quantity and processing profiles can significantly impact expenses. Data is often the largest cost driver, with AI workloads doubling storage needs. Agentic systems generate vast logs and metadata. Optimize by using efficient formats, compression, tiered storage, and eliminating redundant or abandoned data. Infrastructure choices affect both costs and performance. Cloud offers flexibility and access to GPUs but comes with less predictable costs, and on-premises provides predictability but high up-front investment. Workload placement should also factor in latency, performance, and data sovereignty. The Bottom Line As genAI adoption scales, so will costs — often exponentially. GenAI introduces new cost levers and operational complexities that differ fundamentally from traditional software. Staying ahead requires continuous fine-tuning of your AI cost levers: models, data, infrastructure, and operations. Want to learn more? Check out our report, AI Cost Optimization: The Why, What, And How. Need tailored guidance? Speak with our analysts: Michele Goetz (AI/data), Tracy Woo (FinOps), or Charlie Dai (AI cloud). source

I’ve been closely following the evolution of AI infrastructure for a while now. Honestly, the pace at which things are changing is both thrilling and a little overwhelming. If you’re in tech — or even adjacent to it — you’ve probably noticed how rapidly conversations around compute, GPUs, and scalability have gone from “optional innovation” to “mission-critical.” The artificial intelligence revolution isn’t just about algorithms — it’s also fundamentally reshaping the IT infrastructure that powers our digital world. Having worked closely with AI infrastructure decision-makers across Fortune 500 companies, I’ve seen how their AI aspirations are motivating cloud providers to expand their physical and digital boundaries, far bigger than scaling compute. Here’s the three major impacts that I’m seeing. Silicon Is The New Infrastructure Imperative I’ve watched with interest as hyperscalers shift from being chip buyers to chip makers. AWS has pledged over $100 billion through 2025 toward AI-centric infrastructure — investing in custom silicon (Trainium and Inferentia), high-throughput networking, and sustainable data campuses. Microsoft is committing $80 billion with its Maia chips, while Google targets $75 billion with its TPU. These aren’t generic data centers — they’re purpose-built facilities optimized for AI workloads. Collectively, hyperscalers are investing over $300 billion to build the next generation of AI-ready data centers. While chips investments are about performance, they’re also about controlling supply and reducing dependence on vendors such as NVIDIA, whose GPUs remain scarce. This trend has deep geopolitical implications. Substations Are Needed To Responsibly Power AI AI data centers consume power orders of magnitude more than traditional facilities. Schneider Electric projects 150-gigawatt capacity now through 2030 to power these AI data centers. I’ve seen how this massive demand is straining electrical grids and forcing utilities to rapidly expand capacity. Cloud providers are becoming major energy buyers, signing agreements for nuclear, wind, and solar energy. Cooling requirements are equally challenging. Dense chip concentrations generate enormous heat, requiring sophisticated systems. This has sparked innovation such as liquid cooling. Environmental implications remain significant. While providers invest in renewables, AI’s energy scale raises sustainability questions, driving innovation in energy-efficient architectures and advanced nuclear technologies. Sovereignty Drives The AI Arms Race Sovereignty has two aspects: 1) nation states building their own AI facilities to define and control their own destiny with little to no impact from geopolitical influence and b) cloud providers developing facilities for businesses in several regions to address profound geopolitical implications. With increasing trade barriers and sanctions, countries are now treating semiconductor manufacturing as a matter of national security and recognize AI infrastructure as critical to that security as well as competitiveness. We are seeing regional AI infrastructure blocs emerge. For example, the UK’s AI mission is to be an “AI maker, not an AI taker,” and I’ve seen governments increasingly prioritize “sovereign AI.” Hyperscalers and AI specialists such as Nebius are building facilities to address this demand. A Strategic Choice For Enterprises From my perspective, CIOs and enterprise architects must now view AI infrastructure as a core business capability. Choosing the right partners, selecting deployment regions, and securing computing capacity will shape competitive advantage for years. This is kind of an arms race — one defined by who owns the silicon, controls the substations, and enables sovereign deployment. The cloud giants aren’t just scaling up — they’re building the foundations for the next era of innovation. Enterprises that understand and act on this reality will be far better positioned in the age of AI. I am in the process of publishing a few research reports on the AI infrastructure market. If you’re a Forrester client exploring this or have thoughts/questions on this topic and want to discuss it further, please submit an inquiry request. source

Software is no longer just code written by a team of enterprise developers — it’s a complex, interconnected supply chain. And like any supply chain, the weakest link makes the entire chain vulnerable. From open-source dependencies to build tools, container images, and AI models, every component and every handoff in the process introduces downside risk. Yet most organizations still treat software security as a final checkpoint rather than a continuous, strategic imperative that starts at software selection and runs through software decommissioning. It’s time to change that. Five Takeaways For Security Leaders The path to securing the software supply chain will not be easy. To get going, consider that: Software is a supply chain, so treat it like one. Just as manufacturers map and secure their physical supply chains, software leaders must do the same. IT asset management and software asset management systems are good places to start understanding your software landscape. Visibility into every component — from direct dependencies to fourth-tier libraries — is essential. Without it, you’re flying blind. Open source continues to be powerful but even more risky. With 97% of applications using open source (according to Black Duck’s 2025 Open Source Security and Risk Analysis report) and 70% of critical vulnerabilities stemming from third-party code (according to Veracode’s 2025 State of Software Security report), dependency management is nonnegotiable. And it’s not just vulnerabilities that creep in but malicious packages, where attackers find ways to trick developers and automated build systems to download legitimate-looking libraries embedded with malicious code using techniques such as typosquatting, dependency confusion, and slopsquatting. Malicious packages are on the rise — up 156% year over year (according to Sonatype’s 2024 State of the Software Supply Chain report). Know what’s in your code. Know your role and whether you need to secure by design, by deployment, and/or by demand. Your role defines your responsibility (see the figure below). Producers must build secure software from the start. Operators must deploy and maintain it securely. Choosers must demand proof-of-security best practices before purchase. Most organizations play all three roles — and must act accordingly. SBOMs are no longer just nice to have. A software bill of materials (SBOM) isn’t just a compliance checkbox — it’s a strategic asset. Producers must generate them, operators must monitor them, and choosers must demand them. SBOMs enable transparency, vulnerability tracking, license obligation visibility, a window into operational risk, and faster incident response. There’s no silver bullet, but there is a winning strategy. No single tool, process, or team can secure your software supply chain. Instead, take a proactive approach to safeguarding software throughout its acquisition, usage, development, maintenance, operation, and offboarding to prevent security flaws and attacks. You must involve a cross-section of stakeholders from procurement to risk management, information security to legal, and IT to software development. Securing the software supply chain is a team sport!   Software supply chain breaches are costly. They erode customer trust, damage the brand, trigger lawsuits, result in lost revenue, and lead to higher insurance premiums. But they’re also preventable. Start by defining your role, demanding transparency, and embedding security at every stage of the lifecycle. Want to dive deeper into securing your software supply chain? Read The Future Of Software Supply Chain Security and schedule a guidance session or inquiry with me. source

Software is no longer just code written by a team of enterprise developers — it’s a complex, interconnected supply chain. And like any supply chain, the weakest link makes the entire chain vulnerable. From open-source dependencies to build tools, container images, and AI models, every component and every handoff in the process introduces downside risk. Yet most organizations still treat software security as a final checkpoint rather than a continuous, strategic imperative that starts at software selection and runs through software decommissioning. It’s time to change that. Five Takeaways For Security Leaders The path to securing the software supply chain will not be easy. To get going, consider that: Software is a supply chain, so treat it like one. Just as manufacturers map and secure their physical supply chains, software leaders must do the same. IT asset management and software asset management systems are good places to start understanding your software landscape. Visibility into every component — from direct dependencies to fourth-tier libraries — is essential. Without it, you’re flying blind. Open source continues to be powerful but even more risky. With 97% of applications using open source (according to Black Duck’s 2025 Open Source Security and Risk Analysis report) and 70% of critical vulnerabilities stemming from third-party code (according to Veracode’s 2025 State of Software Security report), dependency management is nonnegotiable. And it’s not just vulnerabilities that creep in but malicious packages, where attackers find ways to trick developers and automated build systems to download legitimate-looking libraries embedded with malicious code using techniques such as typosquatting, dependency confusion, and slopsquatting. Malicious packages are on the rise — up 156% year over year (according to Sonatype’s 2024 State of the Software Supply Chain report). Know what’s in your code. Know your role and whether you need to secure by design, by deployment, and/or by demand. Your role defines your responsibility (see the figure below). Producers must build secure software from the start. Operators must deploy and maintain it securely. Choosers must demand proof-of-security best practices before purchase. Most organizations play all three roles — and must act accordingly. SBOMs are no longer just nice to have. A software bill of materials (SBOM) isn’t just a compliance checkbox — it’s a strategic asset. Producers must generate them, operators must monitor them, and choosers must demand them. SBOMs enable transparency, vulnerability tracking, license obligation visibility, a window into operational risk, and faster incident response. There’s no silver bullet, but there is a winning strategy. No single tool, process, or team can secure your software supply chain. Instead, take a proactive approach to safeguarding software throughout its acquisition, usage, development, maintenance, operation, and offboarding to prevent security flaws and attacks. You must involve a cross-section of stakeholders from procurement to risk management, information security to legal, and IT to software development. Securing the software supply chain is a team sport!   Software supply chain breaches are costly. They erode customer trust, damage the brand, trigger lawsuits, result in lost revenue, and lead to higher insurance premiums. But they’re also preventable. Start by defining your role, demanding transparency, and embedding security at every stage of the lifecycle. Want to dive deeper into securing your software supply chain? Read The Future Of Software Supply Chain Security and schedule a guidance session or inquiry with me. source

The (mostly) new Medallia executive team showed up to its inaugural Experience World Tour 2025 in London with a bullish vision for an AI-fueled, predictive CX management platform that puts the insights that frontline employees need directly into their hands. The question is less so about whether Medallia can build out its vision (it probably can) and more about whether clients are ready for it (they probably aren’t). Some strong use cases from large, complex, and reassuringly European organizations such as Decathlon, DHL, Jaguar Land Rover, Three, and Volkswagen Group highlighted what determined CX teams can achieve by building beyond feedback and insights to put a platform like Medallia at the heart of their CX efforts. But the feel I got from most conversations I had with users is that the level of executive support, proactivity, investment, and certainty of business case needed to hit those mainstage highs is still aspirational for most CX teams. In terms of Medallia’s vision, three messages stood out: A drive to action. Medallia’s rallying cry of “data to insight to action” resonates with our own predictions and continued advice. CX teams must move beyond being passive insights providers to help solve problems that result in driving revenue, saving money, or reducing risk. And they need to be able to measure the results in terms that the C-suite can understand. A clearly articulated AI strategy. Medallia CPO Fabrice Martin showcased a range of existing and future roadmap AI tools that all aim to drive simplicity and put actionable insights into the hands of business owners like contact center agents, store and regional managers, and product development teams. It all fits together and aims to solve problems, rather than just be AI for AI’s sake. A bias toward predictive CX. The mantra of “stop looking backwards at lagging metrics and start building predictive models to head off issues” came across in Medallia’s roadmap and case studies such as those from Generali’s business in Australia. But thoughtfully, none of this was positioned as “easy.” The need for robust data governance, carefully built algorithms, and strong governance was apparent. No one positioned AI as magic, more as an accelerator. Emotion Is The Golden Thread But happily for me, having spent three days last week at Forrester’s own CX Summit EMEA championing the importance of emotion as the key driver of CX quality, the same story came out here. Julia Murphy, head of CX at Three, talked about evoking emotion in storytelling around key customer moments to build executive support. Gabriela Vargas from Decathlon shared how certain approaches — such as offering video chat appointments to explain complex products like exercise bikes or a thoughtful rewards program that offers perks like coaching sessions or nutrition advice to customers who they can identify as marathon runners — cement emotional engagement in digital experiences. If anything was missing, it was a reminder of the importance of journeys. Customers’ experiences come to life through journeys. Journeys help us understand, and focus on, customer goals. They illuminate the “why” of why customers come to us. The focus of the day was firmly on fixing problems, removing detractors, and even anticipating who might become a detractor — fixing broken moments. Journeys help us see moments in context, and more specifically, future-state journeys propel us beyond just fixing problems and into a divergent space of innovation — designing new things, the world of “what if.” So yes, proactively fix the issues, but CX teams: I beg you, don’t forget to dream. source

Powerful AI tools are now widely available, and many are free or low-cost. This makes it easier for more people to use AI, but it also means that the usual safety checks by governments — such as those done by central IT departments — can be skipped. As a result, the risks are spread out and harder to control. A recent EY survey discovered that 51% of public-sector employees use an AI tool on a daily basis. In the same survey, 59% of state and local government respondents indicated that their agency made a tool available, compared to 72% at the federal level. But adoption comes with its set of issues and doesn’t eliminate the use of “shadow AI,” even when authorized tools are available. The first issue: the procurement workarounds for low-cost AI tools. In many cases, we can think of generative AI purchases as micro transactions. It’s $20 bucks per month here, $30 per month there … and all of a sudden, the new tools fly under traditional budget authorization levels. In some state governments, that’s as low as $5,000 overall. A director procuring generative AI for a small team wouldn’t come close to levels where it would show up on procurement’s radar. Without delving too deeply into the minutiae of procurement policies at the state level, California allows purchases between $100 to $4,999 for IT transactions, as do other states including Pennsylvania and New York. The second issue: the painful processes in government. Employees often use AI tools to get around strict IT rules, slow purchasing, and long security reviews, as they’re trying to work more efficiently and deliver services that citizens rely on. But government systems hold large amounts of sensitive data, making the unapproved use of AI especially risky. These unofficial tools don’t have the monitoring, alerts, or reporting features that approved tools offer, which makes it harder to track and manage potential threats. The third issue: embedded (hard-to-avoid) generative AI. As AI becomes seamlessly integrated into everyday software — often designed to feel like personal apps — it blurs the line for employees between approved and unapproved use. Many government workers may not realize that using AI features such as grammar checkers or report editors could expose sensitive data to unvetted third-party services. These tools often bypass governance policies, and even unintentional use can lead to serious data breaches — especially in high-risk environments like government. And of course, the use of “shadow AI” creates new risks, as well, including: 1) data breaches; 2) data exposure; and 3) data sovereignty issues (remember DeepSeek?). And those are just a few of the cyber issues. Governance problems include: 1) noncompliance with regulatory requirements; 2) operational issues with fragmented tool adoption; and 3) issues with ethics and bias. Security and technology leaders need to enable use of generative AI while also mitigating these risks as much as possible. We recommend the following steps: Increase visibility as much as possible. Use CASB, DLP, EDR, and NAV tools to discover AI use across the environment. Use these tools to monitor, analyze, and, most importantly, report on the trends to peer leaders. Use blocking judiciously (if at all), because if you remember the shadow IT lessons of the past, you know that blocking things just drives use further underground and you lose insight into what’s happening. Inventory AI applications. Based on data from the tools mentioned above and working across various departments, work to discover where AI is being used and what it’s being used for. Adapt your review processes. Create a lightweight review process that accelerates approvals for smaller purchases. Roll out a third-party security review process that’s faster and easier for employees and contractors. Establish clear policies. Include use cases, approved tools, examples, and prompts. Use these policies to do more than articulate what’s approved. Use them to educate on how to use technology, as well. Train the workforce on what’s permitted and why. Explain to teams why policies exist and the related risks, and use these sessions to further explain how to best take advantage of these tools. Show different configuration capabilities, example prompts, and success stories. Enabling the use of AI results in better outcomes for all involved. This is an excellent chance for security and technology leaders in government to encourage innovation of technology and process. Need tailored guidance? Schedule an inquiry session to speak with me at [email protected]. source

Many firms have spent the last decade chasing digital transformation — layering on new touchpoints, piloting chatbots, and slogging through complex automation. Yet customers still encounter friction at nearly every turn. Why? Because the results of these efforts was an arcane web of websites, apps, interactive voice response systems, and databases. That’s starting to change. Emerging technologies in 2025 aren’t only being accelerated by breakthroughs in AI — they’re converging to enable something new: seamless, adaptive customer experiences. These are the kind we’ve imagined for years: personalized offers before a need is expressed; context-aware agents that suggest answers instead of menus; and in-store, in-app, and in-conversation interactions that just flow. But unlocking that future takes more than tech — it takes foresight. AI Is The New Interface To Your Brand As we wrote in Dear AI, Please Change The World Already, AI is quickly becoming the new interface to your brand. Customers won’t judge you on your stack — they’ll judge you on how well you use AI to make experiences easy and meaningful. That’s why the firms poised to lead aren’t just adopting AI. They’re aligning customer experience (CX), marketing, tech, and security teams to deliver something greater: frictionless experiences built on a foundation of trust. From Tech Hype To Tangible Progress Skepticism is justified. Many CX pros have seen too many flashy demos lead nowhere; today’s emerging technologies are different, however. Generative AI has ignited acceleration across a wider ecosystem: agentic AI that reasons, edge intelligence that adapts in real time, and humanoid robots that can connect with us. This convergence marks a shift from complexity to new interfaces at the experience level and agents underneath that eliminate organizational friction. Trust Is What Makes It Work Here’s the catch: Seamless experiences can’t happen without customer trust. Personalization without permission feels invasive; automation without explanation breeds anxiety; and AI that acts without accountability can damage relationships. To make these technologies work, you need a foundation of trust — robust security, ethical design, clear governance — embedded from the start. And that requires true collaboration across digital, CX, tech, and risk teams. Want A Preview Of What’s Coming? If you’re a CX, marketing, or digital business leader aiming to use emerging tech not just as a tool but as a differentiator, my session “Emerging Technology Dissolves The Barriers Between You And Your Customer” is for you. At Forrester’s CX Summit North America, I’ll share: The top 10 emerging technologies transforming CX. How to apply Forrester’s benefit horizons to align timing with investment. Practical examples of using AI and automation to remove friction at key customer moments. No tech jargon, no dashboard dumps — just the insight you need to lead with foresight. Ready To See What’s Possible? Join me and other thought leaders at Forrester’s CX Summit North America. The future of CX isn’t just intuitive — it’s imminent. And the firms that prepare today will lead tomorrow. source

Thirty-two percent of public-sector leaders say that they will invest more in government shared services in 2025, according to Forrester data. The stakes are high: Efficiency, cost-effectiveness, innovation, and agility all hinge on selecting the right model. But can a shared services model really deliver all these benefits, or is a service provider approach more effective? In practice, these models are often blurred, and many government entities find themselves struggling to maintain balance between centralization and flexibility. Just ask the 61% of public-sector technology leaders who told us that IT shared services in their organizations need to improve! In its ideal form, shared services represent a centralization strategy: one that reduces redundancy, standardizes processes, and enables cost savings across multiple agencies. By consolidating core operations such as finance, HR, or IT services into a single, efficient unit, governments aim to streamline processes and cut down on waste. But without rigorous management, shared services can devolve into a service provider model, losing sight of their core mission and sacrificing the efficiencies they were designed to deliver. The Challenge: Service Provider Behaviors In Shared Services A key factor in the failure of shared services is when government entities lose sight of their primary objective: internal efficiency. When centralized units begin treating individual departments as external clients, offering tailored solutions to each, they risk slipping into a service provider mindset. The problem with this shift is twofold: It undermines the intended cost efficiency and introduces significant complexity. This was evident in Australia’s Department of Human Services (DHS), where a promising centralization effort deteriorated into fragmented execution. By giving in to individual departmental demands, DHS lost the cohesion and rigor essential for shared services success, leading to disjointed systems, integration failures, and mounting costs. Similarly, Shared Services Canada was created to streamline IT and administrative services for the federal government, but its struggles to keep pace with technological advances, and communication breakdowns, have turned it into a fragmented service provider, plagued by complexity and inefficiencies. A Different Path: When A Service Provider Model Succeeds A service provider model can offer more flexibility. By focusing on the specific needs of each agency when a model customizes its offerings, diverse needs are met with high-quality, specialized solutions. It works best when agility is paramount and when the government agency in question needs to innovate or respond rapidly to changing requirements. Singapore’s GovTech, which has become a key player in the country’s digital transformation, is a good example. Its focus on customized services has enabled it to drive significant modernization, delivering innovative, scalable solutions that align with the evolving needs of the Singapore agencies while staying nimble enough to support multiple clients. Similarly, as part of the Department of Homeland Security, the US’s Cybersecurity and Infrastructure Security Agency (CISA) operates a shared services center under the Cybersecurity Quality Service Management Office program. Providing standardized cybersecurity services to federal agencies, this initiative bolsters security posture while maintaining high levels of compliance. CISA’s ability to adapt and provide tailored cybersecurity services to different departments demonstrates how a service provider model can work effectively in complex environments. Choosing Between A Shared Service Or Service Provider Model As governments consider adopting these models, it’s essential to understand the core attributes that drive success. To prioritize the success of each model: Use shared services for cost efficiency and standardization. Here, the focus is on centralization of key administrative functions while ensuring operational efficiency. This means a laser focus on standardization across agencies to limit redundancy and maintain cost efficiencies. A clear governance structure with accountability for all participating agencies is needed for alignment and to minimize fragmentation. Maintaining a focus on shared goals rather than departmental differentiation is critical, with strong cross-agency collaboration reinforcing this model. Create service providers for complex needs requiring agility and innovation. Here, the objective is customization of services tailored to the unique needs of each agency. High levels of flexibility allow agencies to adapt to evolving demands and technological advancements, with service-level agreements providing clear, measurable outcomes and client satisfaction. An emphasis on innovation and cutting-edge solutions that support the evolving needs of government agencies is the hallmark of an effective service. Stick To Your Operating Principles Understanding the difference between shared services and service providers is crucial for effective implementation of these common machinery-of-government patterns. This means ensuring that, whichever approach is chosen, clear operating principles are established and communicated to both the customers and employees. These principles should embody the value that customers can expect to derive from the products and services offered. Specifically: In the case of shared services, this means supporting enabling IT investment that focuses on stabilizing, operating, and protecting service delivery, plus consistently meeting commitments, which creates trust internally and externally. For service providers, this means (with the former focused on streamlining processes, delivering insights, and optimizing mission outcomes and the latter focused on breakthrough innovation) replacing instincts with insights and inspiring new ways to achieve outcomes with emerging technology. Often in collaboration with the agency’s own IT function, service providers will also support investments during cocreation activity — where existing and emerging technologies are made widely available to civil servants to help them creatively tackle complex social and environmental challenges. Success lies in recognizing the right model for the right customer goals — and staying committed to them. I’d love to hear how your agency engages with these models. Forrester clients can schedule a guidance session to discuss how to improve use of these models. (This blog post was written in collaboration with Chiara Bragato, senior research associate, as part of Forrester’s research and continuous guidance for public-sector and government leaders.) source

For risk professionals, leading through 2025’s volatility has been like living in an “Alice in Wonderland” unreality. Risk teams have never been more important as a function to guide their businesses through challenges such as geopolitical risk events, trade disruption, economic volatility, and regulatory disruption. Hopefully, this work doesn’t resemble the chasing of Lewis Carroll’s famous White Rabbit. Our latest report, The State Of Enterprise Risk Management, 2025, showcases a variety of data insights and graphics on industrywide and programmatic shifts impacting enterprise risk management (ERM) programs and how risk decision-makers are responding to them. Our data reveals that: Cyberattacks and tech dependency bring enterprise resilience to the fore. The UnitedHealth Group breach and the global disruption triggered by the CrowdStrike software update were good reminders about the critical role that technology plays across our society. It’s thus unsurprising that 40% of local and 38% of multinational ERM leaders cited cyberattack velocity as a top risk driver. In addition, 36% of multinationals and 28% of local firms flagged overreliance on tech as a major risk. Risk leaders must map their software supply chains and ensure that their resilience simulations cater to a range of tech failures — not just cyberbreaches. AI and third-party risks remain heightened. While financial, trade, and geopolitical risks are dominating boardroom conversations, the real shift is happening under the radar. Tech vendors are embedding generative AI into core systems and ERM teams are struggling to get involved early enough in the process to build appropriate guardrails in from the beginning. Third-party risks are not receiving as much attention as they require despite increasing cyberattacks and systems failures linked to third-party suppliers, such as the recent spate of cyberattacks in the UK retail sector. Risk pros must prioritize communicating the ROI and value of investing in and maturing both AI risk and third-party risk management programs. Critical risk events are more likely when ERM is not a boardroom concern. Nearly 75% of enterprises experienced at least one critical risk event in the past year, and cyberattacks and IT failures account for most critical events globally. Firms without board-level ERM visibility were 20% more likely to suffer six or more critical events. Risk pros need to focus on both getting ERM taken seriously by the board but also getting the board to help drive the right risk culture across the organization. Risk management budgets are increasing — but are not meeting the moment that we are in. Most ERM budgets are only increasing by 1–4%, barely keeping up with inflation. Only 4% of firms expect a greater than 10% increase. Many ERM programs still struggle to prove ROI or align with business goals, leaving many to question the value beyond ticking regulatory compliance requirements. Chief risk officers need to show how ERM drives business value — not just compliance — to get the funding required to make better-quality risk management decisions. Identifying emerging risks sets ERM programs apart. Forrester clients have been telling us consistently that they want their risk function to implement the right guardrails to allow the business to confidently and quickly take on risks. Organizations remember being caught out by ChatGPT and other emerging technologies and want to transform the engagement and perception of their teams. From our data, only 37% of risk decision-makers reported identifying emerging risks as their primary measure of success. Forrester clients wanting to discuss further can book a guidance session or inquiry to discuss the research further with any of the authors. source