Forrester

For Earth Day 2025, Focus On The Threefer Of Sustainability Efforts: Meet Sustainability Goals, Achieve Better Financial Results, And Reach Business Strategy Goals

This past year, I was describing what a “twofer” was to my colleague Jinan Budge in Australia. I casually dropped this term for getting two things for the price of one during a conversation. In addition to talking about how weird lingo can be, it also led to me proposing that what we were talking about was actually a “threefer” — getting three things for the price of one. I can’t seem to let the idea of the threefer go when it comes to environmental sustainability efforts.

Forrester’s original framing of the green market revolution explicitly made the point that sustainability efforts can be good business, showing the twofer effect: A combination of macroforces will create a tipping point, after which companies will no longer view environmental sustainability as primarily an ethical responsibility with added benefits to brand and modest cost savings but as a financial and regulatory obligation that they can’t ignore and, more importantly, an unprecedented business opportunity.

There’s also a hidden threefer effect, however, because sustainability efforts also achieve business strategy goals. Earth Day 2025’s theme is “Our Power, Our Planet” and calls for unification around renewable energy. Using energy transfer as an example, the threefer you get is to:

Meet sustainability goals. Sixty-seven percent of business and technology professionals report that improving environmental sustainability is a business objective over the next 12 months. Of those respondents, 34% said that reducing the organization’s scope 1 and scope 2 carbon footprint was an action the organization is taking to improve environmental sustainability. Maybe you’ve done a t-shirt analysis of all your sustainability efforts — e.g., those that are easy, difficult, and hard to achieve. Transferring energy to renewable energy sources is typically in the easy-to-achieve bucket and has big returns on meeting sustainability goals for reducing scope 2. In fact, 28% of infrastructure hardware decision-makers reported that green energy procurement/investments in renewable energy credits provided the most impact for sustainability/carbon footprint reduction for their organization.

Achieve better financial results. We predicted that operational efficiencies and financial benefits will eclipse regulations as key drivers this year. Energy transfer can do exactly that. Benchmark the cost of energy today and then go shopping. Additionally, investigate policies for demand-side management to get an extra boost in cost management.

Reach business strategy goals. Resilience has risen as a board-level topic since the COVID-19 pandemic. Businesses need to adapt to climate change to ensure uninterrupted delivery to customers as much as possible. Twenty-nine percent of global business continuity decision-makers reported that power and fuel shortages/scarcity/outages make it more difficult for their organization to deliver on its vision and brand promise, no matter the crisis. One of the ways to overcome this is to get closer to energy independence. Getting your sources of energy production more local (how much can your company produce?) and/or secure renewable sources will boost your business’s resilience strategy goals.

Want to take advantage of this threefer? Read more about sustainability, the green market revolution, and/or schedule a guidance session. Happy Earth Day 2025!


OpenAI Requires Identity Verification For Access To Its Latest Models

OpenAI announced that it will require organizations to complete an identity verification (IDV) process to verify their organization’s identity before being allowed to access the latest OpenAI models. Identity verification will likely require developers to digitally verify themselves using government-issued photo ID from permitted countries and prove their affiliation with their organization.

Forrester expects that the reasons for OpenAI’s decision include:
The ability to block malicious or rogue country-based developers from APIs to models.
Tying developers to only one client organization, ensuring that one developer accesses OpenAI models only on behalf of one organization (this helps with vetting organizations).
Better enforcement of rate limitations to models.
Protecting OpenAI models from IP theft.
A need to correlate true identities to prompts and model responses that slip through genAI guardrails (e.g., asking for instructions on how to commit acts of terrorism). This is especially important as large language models (LLMs) expand from text-focused input-output to new modalities (audio, image, video).

OpenAI’s decision parallels a larger market trend about linking online, digital identities to real-world ones. Included in this trend are age verification (gaming, gambling, adult content websites) requirements, regulatory compliance with know-your-customer/anti-money-laundering regulations, and nonrepudiation of user transactions.

Firms using OpenAI should define an internal governance (onboarding and offboarding) process for permissioning access to genAI/LLM models, including OpenAI. Shadow genAI access puts the firm’s and its customers’ intellectual property at risk of disclosure via these models. Further, Forrester recommends that end user organizations leverage multichannel-capable (web, mobile app, contact center, in-person), low-user-friction but powerful identity verification solutions.


Key Questions Dominating The Innovation Agenda

While we receive many client inquiries on best practices for innovation management, there have been four recurring categories of inquiries lately that dominate our client conversations.

Do we still need an innovation team? Clients want to validate their organizational innovation setups against best practices. While most of our clients are operating centralized innovation teams, their mandates vary from technology foresight and experimentation to innovation facilitation and delivery. The best setup for you depends on your organization’s innovation maturity and therefore must adapt as your innovation practice evolves, from centralized do-it-all teams to vanishing formal structures as innovation is embedded in everybody’s job and mind. Read more about innovation setups here.

Should we build innovations or empower innovators? The answer aligns with your innovation team’s ambition or strategy. Temporarily, it can make sense to start with an innovation team that not only ideates but also delivers proofs of concept, pilots, and products based on these ideas. But in the long run, innovation teams should instead facilitate the process, empower other ideators and innovators, and help nourish the right attitude and mindset across staff to enable others to innovate. Here are more tips around innovation ambitions and mandates.

What are specific tips and tricks for setting up an innovation lab? Many of our clients are either in the process of setting up a physical (rarely a digital) innovation lab or they’re considering shifting the focus of an existing innovation lab for better performance. Questions related to this include whether to position the lab more so as a safe zone for experimentation or a technology showroom, how to staff it, how to make and keep it attractive, and who the target audiences should be. If you want to learn more about innovation labs, here is our best practice report.

How are others leveraging genAI to become more innovative? The misconception still exists that emerging technology adoption equals innovation, which is not true. While it is essential to continuously research and experiment with emerging technologies such as generative AI to understand potential benefits, costs, risks, and prerequisites for your organization, technology experimentation is not innovative, per se. Turning learnings from technology experiments into solutions to existing problems or elevating products and services through new technologies, however, is truly innovative. Therefore, we recommend generative AI experimentation to learn how the technology can help your organization. At the same time, you must identify improvement areas or challenges that could benefit from generative AI. If there isn’t a match, don’t apply the technology. As matches vary by industry, process, culture, and/or organizational readiness, it doesn’t help to just copy what others are doing. Read this report to understand how to assign innovation contribution areas for generative AI.

If you want to discuss these or any other questions about innovation management best practices, book an inquiry or guidance session with me or one of my colleagues.


Guide Your Digital Experience Strategy With Forrester’s Digital Connections Tracker and Moments Map

We often hear comments and questions from customer experience and digital business leaders such as, “We designed and built this product, but not many people use it — and we don’t know why” or “We have a chatbot, but customers are not using it, so how can we drive engagement?” These issues often arise because the solution is not good enough to solve the customer’s problem — or it’s not even solving the right problem. Plus, people interact with companies and use their products in ways that change depending on their circumstances and the task at hand in that moment, and companies lack the data to understand these shifting behaviors. For example, while driving, a person might prefer using their phone’s virtual assistant to play their favorite podcast. But when commuting on a train, they might prefer using the app’s graphical user interface (GUI) so they don’t disturb other passengers.

Design Experiences Knowing Where And How People Connect — And Why

To effectively guide your digital experience (DX) strategy, you need to know which interaction modes (e.g., GUI, voice, chat, etc.) people use for various tasks (e.g., control, communication, commerce, etc.) and through how many devices, channels, and platforms they connect. We’ve just published the first (newly renamed) reports in our annual series to help you make these DX decisions:

The Digital Connections Tracker. The Digital Connections Tracker assesses how many devices, channels, and platforms people use, by region/market, based on an annual Forrester survey. It helps you answer questions like, “How many devices, channels, and platforms are people using on average this year in our region?” The insights help you decide things such as whether your marketing campaign is targeting the right number of channels. We’ve just published The Digital Connections Tracker, 2024: US — stay tuned for reports for each of Australia, Canada, metro China, France, Germany, metro India, Italy, Spain, and the UK.

The Digital Moments Map. The Digital Moments Map assesses people’s behaviors and attitudes toward 16 different combinations of interaction modes and task types based on an annual Forrester survey. This helps you answer questions like, “What percentage of people in a certain region/market prefer to use voice for control tasks such as adjusting a smart thermostat?” Similar to the Digital Connections Tracker, The Digital Moments Map, 2024: US is the first of 10 market-specific reports in this series.

Let’s Connect

Forrester offers clients custom guidance and data. You can schedule a guidance session to speak with us about the models and data, as well as request custom data cuts by country, year, age group, income band, and more.

We would like to thank former Forrester analysts Julie Ask, who set the foundation and led many prior editions of reports in this series, and David Truog, who made substantial contributions to this edition by updating the format and expanding its scope. We also acknowledge the support of our talented researchers, research associates, and Forrester’s analytics team, who have all contributed to the richness of this series.


Beyond The Architecture Cage Match: The Microservices Vs. Monoliths Battle Is Hurting Your Business

In the red corner, weighing in with independent scalability and distributed complexity: microservices! In the blue corner, the reigning legacy champion, with its infamous deployment challenges: the monolith!

For years, architects and technology executives have watched this architectural cage match with bated breath. Technology forums buzzed with trash talk from both sides. Conference speakers built careers championing one approach while demonizing the other. Vendors sold middleware solutions promising to crown you champion — if only you’d pick their preferred fighter. But what if we told you that this entire spectacle was all just a waste of time?

The truth? Your organization shouldn’t pick a single winner in this so-called battle. You need different solutions tailored to specific contexts.

Reality Check: The Tale Of The Tape

The industry landscape is littered with both cautionary tales and success stories that illustrate architectural tension. Consider how Segment, the customer data platform, famously documented its journey from monolith to microservices and then partially back again. The engineering team initially split Segment’s platform into over 100 microservices in pursuit of scalability, only to face what they called “death by a thousand microservices.” The team eventually consolidated back to a more balanced approach after experiencing mounting operational complexity and debugging challenges that outweighed the benefits.

On the flip side, many established enterprises cling to aging monoliths long past their expiration dates. When retail giant Target began its digital transformation, it realized that its monolithic architecture couldn’t deliver the agility needed to compete with Amazon. Its pragmatic phased approach to modernization — selectively decomposing components while maintaining core systems — helped Target achieve an impressive digital turnaround without falling into either extreme of the architectural spectrum.

The lesson from both scenarios? Architectural decisions driven by trends rather than business context frequently lead organizations astray. Architecture is about weighing trade-offs, not adhering to dogma.

Dropping The Gloves: Three Principles For Practical Architecture Decisions

Respect context over dogma. The most successful organizations that we advise approach architecture as a spectrum of options, not a binary choice. They understand that different components of their system have different needs. Features that change frequently might benefit from isolation and independent deployment, while stable functions might remain tightly integrated.

Evolve incrementally, not revolutionarily. Revolutionary architectural changes make for exciting conference talks but disastrous implementation stories. Progressive, measurable evolution toward targeted outcomes consistently outperforms “big bang” transformations. The best architectures grow organically to address specific pain points, not theoretical ideals.

Measure what matters to the business. The ultimate victor in any architectural decision should be determined by measurable business outcomes, not technical elegance. Does the change increase deployment frequency? Reduce time-to-market? Improve reliability? Lower operational costs? Architecture should serve the business, not the other way around.

The Real Champion: Architectural Pragmatism

As we enter a new era of digital acceleration, the organizations pulling ahead aren’t arguing about monoliths versus microservices. They’re pragmatically applying architectural patterns where they make sense, modernizing incrementally where they see concrete benefits, and staying focused on delivering business value.

So go beyond the battle royale, put down the architectural dogma, and start asking better questions about what your specific context, organization, and business needs demand. The true champion of modern software architecture isn’t a particular pattern — it’s the pragmatic, business-focused approach that delivers real results in your unique context. Because in the real world, the only architectural fighter that truly wins is the one that helps your business succeed.

For more insight into how to handle the cage match, read our full report here.


The Rise Of Digital Coworkers: Moveworks Bets Big On AI Agents

Moveworks’ global event in San Jose marked a major inflection point in enterprise AI with the announcement of Agent Studio, Plugin Workspace, and an AI Agent Marketplace — all part of its strategy to become the go-to platform for building business-ready AI agents. Analysts Julie Mohr and Rowan Curran provide their insights on the announcements.

The Headline Updates

Agent Studio. Moveworks’ Agent Studio joins a dizzying number of vendors that are offering low- and no-code development environments to build agents. Moveworks claims a 95% success rate in getting these agents to production, which could drive significantly more agentic deployments in the next year if those numbers continue to play out.

Plugin Workspace. This is a unifying developer environment designed to fix the fragmentation and inefficiency of existing toolchains. It solves challenges such as broken integrations, disjointed authentication, and outdated system flows.

AI Agent Marketplace. Moveworks launched over 100 prebuilt AI agents across more than 20 business systems such as Salesforce, SAP, and Workday. These agents are positioned as being “production-ready,” and the marketplace includes features like tutorials and sandbox installations for instant deployment.

Beyond products, the event revealed critical partnerships:

Stack Overflow partnership. This enables developers and tech support teams to tap into verified knowledge via chat or enterprise search through Moveworks.

Palo Alto Networks integration. This integration tackles 99% of cyber incidents stemming from misconfiguration by delivering timely, actionable security alerts via AI assistants.

ServiceNow collaboration. With the announcement earlier this year of ServiceNow’s acquisition of Moveworks and the finalization of that deal still pending, it was surprising to see ServiceNow speaking at the event about what the merger will provide in the future. Basically, ServiceNow wants to continue to fuel the innovation of Moveworks and get out of its way.

From Systems Of Record To Systems Of Action: Moveworks As The New Front Door

Moveworks isn’t just rolling out another AI suite. It’s redefining the future of enterprise automation by operationalizing AI agents — not just chatbots but full-fledged, task-completing digital employees. With AI now able to book travel, resolve IT tickets, help HR teams with onboarding, or prep a sales pitch with data from Salesforce and Bing, businesses are poised to shift from people-driven to agent-driven workflows. AI agents are no longer reactive helpers; they are proactive workers integrated into daily operations.

In the words of Bill McDermott: “Moveworks owns the employee experience. Who wants to deal with a system of record when you can deal with Moveworks and get all the information, all the content that you can possibly need as an employee to do your job better and have a great experience? And if you think about it, Moveworks can do that for the employee experience and ServiceNow can help with the next best action along the lines of that business process.”

This encapsulates the essence of Moveworks’ positioning: an AI front end redefining how employees interact with business systems while platforms like ServiceNow remain as the orchestration layer.

Taking The Next Step: Can Moveworks Work For You?

If you’re a CTO, CIO, or enterprise leader:
Evaluate Moveworks if your organization is still reliant on outdated chatbot workflows or rule-based systems.
Start small with prebuilt agents in the AI Agent Marketplace for common use cases (e.g., task completion in Asana or approvals in Workday).
Train your dev team on Plugin Workspace to accelerate custom AI agent builds and integrations.
Pair with knowledge platforms to unlock internal expertise and reduce support tickets.

If you’re building AI-powered products:
Study how Plugin Workspace decouples AI agent building from prompt engineering and integrates securely with enterprise systems.
Monitor the emerging standards landscape. Moveworks and many others are supporting the Model Context Protocol (introduced by Anthropic), but there are others gaining steam, as well. Integrating with these emerging standards is essential.

Architecting Trust: The Governance And Integration Challenges Ahead

Despite the hype, there are potential cracks in the armor:

Complex setup for real-world environments. Moveworks makes the case for fast development, but real deployment still involves coordinating security, compliance, and existing workflows. This is especially tough for companies with legacy systems.

Reliance on ecosystem partners. The stack’s strength is also its risk. Heavy dependence on partner ecosystems such as Stack Overflow or ServiceNow could be limiting if priorities shift or partnerships dissolve.

Security and governance concerns. While the platform emphasizes security, any system that automates actions across critical systems (e.g., closing tickets, changing records) must address governance rigorously. A misconfigured AI agent could be more dangerous than a misconfigured human.

Evaluation challenges. As seen with Databricks’ experience highlighted at the conference, probabilistic models such as those powering Moveworks’ agents can lead to “hallucinated” workflows if not rigorously evaluated and tuned. Testing and evaluations for agentic AI flows are still largely human-driven and not automated.

Agent orchestration. With so many vendors making an agentic AI play, organizations need to be aware of building new levels of complexity into their current architecture. Careful planning is needed to understand the timing of AI agents while establishing trust between agents, platforms, and data.

Bottom Line

Moveworks is making a serious play to become the platform of AI agents. Its model marries agent intelligence with business process integration in a way that could genuinely transform how work gets done. With the backing of ServiceNow, this could be massively accelerated. But execution will require more than tech — it’ll demand deep cultural adoption and rock-solid trust in AI autonomy.

Let’s Connect

Have questions? That’s fantastic. Let’s connect and continue the conversation! Please reach out to me through social media or request a guidance session. Follow my blogs and research at Forrester.com.


The Future Of Digital Experiences: A Human-Centered, Empowering Journey

We are on the brink of a digital revolution in consumer experiences. A convergence of multiple forces is compelling organizations to innovate in this area:

Consumers connect digitally, accessing products and services through a range of devices, channels, and platforms. And they now expect seamless service at their moments of need, often seeking curated and personalized experiences to achieve their goals.

A synergy of advancing and emerging technologies is accelerating the transformation of digital experiences — reshaping how firms interact with consumers, streamline operations, and deliver value.

Competition is intensifying. While consumers navigate a “digital sea of sameness,” leading firms leverage cutting-edge technologies and extensive partner ecosystems to swiftly develop and scale innovative products, services, and business models.

Digital Experiences Are Evolving To Become More Human-Centered

Today, we are already witnessing the gradual integration of multiple interaction modes into interfaces, including touch, text, voice, haptics, and gestures. Apps now allow users to use voice commands to ask questions, research products and services, and make payments. Virtual assistants use augmented reality to offer virtual try-ons. Smartwatches use haptic feedback to alert users or share health metrics.

In the future, organizations will leverage AI to further reduce friction in human-computer interactions. AI-powered interfaces, such as chatbots and virtual agents, will actively observe, seek information, learn, and communicate with consumers. This will allow organizations to better understand consumer intent and emotions and generate responses that use appropriate tone, emotion, visual elements, and more. In the short term, conversational interfaces will make digital experiences more natural, intuitive, and accessible. In the longer term, the internet of senses, computer vision, extended reality, and edge AI will create more perceptive and immersive experiences by tracking eye movement, expressions, and gestures and blending multisensory experiences to incorporate touch, taste, and smell.

Digital Experiences Will Evolve Through Three Phases

Over the next decade, emerging technologies will enhance consumer understanding, boost automation, and accelerate the orchestration and delivery of digital experiences. By gaining deeper consumer insights, organizations will be able to:
Dynamically assemble the content and services that consumers need.
Provide actionable suggestions tailored to individual needs.
Act on behalf of consumers — with their permission — to reduce cognitive load and simplify their lives.

As market offerings expand, technologies mature, and consumers increasingly adopt new types of digital experiences, Forrester expects that digital experiences will evolve through three phases. These phases will not occur in strict sequential order; instead, they are interrelated and mutually reinforcing, building upon each other:

Assistive experiences use consumer preferences to help with decision-making. Already today, consumers interact with firms through chatbots and virtual assistants. These interfaces let customers ask questions, get answers, and perform some actions. Firms use data and real-time models to engage consumers with relevant experiences, providing insights, alerts, and suggestions to help them make informed decisions.

Anticipatory experiences leverage consumer context to proactively address their needs. Next, anticipatory experiences will become more common. Consumers will have deeper interactions through multimodal interfaces, sharing more data with firms. These experiences will retain user preferences and behaviors. Organizations will use this data and predictive tools to offer AI-driven insights, helping consumers prepare for events and achieve better outcomes. AI-powered assistants will continuously optimize experiences to proactively meet consumer needs.

Agentic experiences understand and act on consumer intent. Finally, firms will use agentic AI systems for real-time personalization and automation. Consumers will use personal AI agents to refine outputs based on their preferences and goals. Major platforms with broader data access such as Apple and Google will use AI to assemble dynamic cross-brand experiences from modular components. With permission, AI agents will autonomously seek information, learn, adapt, and act on behalf of consumers.

By delivering assistive, anticipatory, and agentic experiences, businesses will be able to create a future where technology seamlessly integrates into our daily lives, empowering consumers in unprecedented ways.

Trust Will Be A Key Factor In Shaping This Future

Brand trust, shaped by the brand promise but also the quality of past interactions, will determine how much data consumers are willing to share for personalized experiences. Additionally, trust in the technology itself, scenarios, and perceived levels of risk will influence the degree of autonomy granted to AI agents and the breadth of service or advice provided.

The pace of change is accelerating — but the fundamentals remain the same. As organizations prepare for the future of experiences, it’s crucial to remember that brand and customer experience are the powerhouse duo driving growth.

Join Us At CX Summit EMEA 2025 To Learn More

To learn more about how to anticipate and prepare for the future of experiences, join us at CX Summit EMEA June 2–4, 2025, in London. I will present new research on the future of digital experiences during my keynote, “Design For The Future Of Experiences.” The Summit brings together leaders in CX, digital, and marketing to explore the future of customer relationships and learn how to build a total experience that aligns brand experience and CX to drive sustainable growth. You can explore the full agenda and register here.

If you’re a Forrester client, stay tuned for upcoming research on the future of digital experiences. Visit my Forrester bio page and click “Follow” to receive notifications. You can also follow me on LinkedIn here. Forrester clients can also schedule an inquiry or guidance session with me to delve deeper into this topic.


Seven Insights From Our Postsale Strategy Workshop At B2B Summit

“Does your postsale strategy set up customers for success?” was the question we asked the 47 people who attended our workshop during Forrester’s B2B Summit earlier this month. After completing a survey to score their organizations on 16 questions about postsale strategy, we asked everyone to share how raising scores in any of the six categories might impact their business. Working in teams of six to eight, workshop participants placed Post-It notes for each category on flip charts to rate the expected business and customer impact against how feasible it would be to raise a score.

Ranking impact vs. feasibility

The photograph here summarizes the “impact” versus “feasibility” ratings across all the teams that completed this exercise. The colored stickers correspond to the following six categories from our assessment tool:
Team purpose/charter = Blue
Strategic alignment to business goals and other teams = Yellow
Performance metrics = Green
Technology and data readiness = Hot pink
Customer lifecycle management = Orange
Budget/funding model and capacity planning = Purple

While not analytically rigorous (e.g., many of the stickers should appear directly on top of each other if reflecting the exact ratings from the Post-It notes exercise), the patterns reveal several interesting findings:

A solid postsale strategy can have a meaningful impact. Attendees represented a wide range of roles and many did not hold direct postsale responsibilities, but the number of stickers placed between the middle and the top of the chart led many to observe that postsale programs can have a positive impact on customers and business outcomes alike.

Defining your charter or purpose is relatively easy — so get it done. Many blue stickers along the right edge show that this is so. Top charters seek to help customers achieve their goals through proactive and empathetic experiences with postsale teams focused on driving and protecting retention, growth, and advocacy.

Ditto for performance metrics that demonstrate outcomes and value. Quite a few green stickers show up in the upper-right quadrant, showing that attendees feel it is important — and relatively easy — to assess the impact of postsale programs on business success and customer outcomes. (Doing it consistently, however, is a different matter!)

Aligning strategically and managing lifecycles rigorously can have a big impact on both customers and the business. Many orange (lifecycle) and yellow (alignment) stickers populate the high-impact/high-feasibility area. Interestingly, quite a few attendees could have scored higher on these two assessment categories. While impactful and feasible, these two practices don’t get nearly enough attention today.

While impactful, investing in technology and managing data is hard. At the end of the exercises, we asked attendees to reflect on what they learned. Almost unanimously, participants commented on the challenges they face with technology implementation, data access, and data management, yet they see these areas as foundational to creating and supporting postsale programs that deliver value.

Making the business case to fund postsale activity is less of a challenge. A pocket of purple stickers in the middle tells us that while having the right funding model and business case is important, participants feel that other areas, such as alignment and lifecycle management, potentially have more impact.

Some are cynical about whether what you say you will do (charters) and how you fund it (business justification) have enough impact. A smattering of blue (purpose) and purple (budget) stickers across the bottom puzzled us a bit. Post-exercise discussion revealed a somewhat pessimistic view that current market and business conditions make it difficult to adjust resources, decreasing feasibility. And without change here, the resulting impact will remain low.

Keep in mind that individual company scores are not reflected on this chart. It is possible, for example, to rate a category as high on impact and feasibility but to achieve a low score for it. Good news: This situation represents an ideal opportunity for improvement with relatively less effort!

If you’d like to explore your postsale strategy further, please feel free to take our online assessment (no company or personally identifiable information will be shared, although we collect some to understand the demo- and firmographics of respondents). Upon completion, everyone will see how their scores compare to the average of scores collected to date. Forrester clients are welcome to schedule a discussion with Shari Srebnick or myself to discuss how to improve your results in any category.


Reduce, Reuse, Recycle! The US Government Applies The Concept To Software Coding

The US government’s SHARE IT Act became law in December 2024, requiring that all custom-developed software be accessed, shared, used, and modified governmentwide. By allowing any federal agency to access and use the code, the SHARE IT Act ensures that the investments in custom-developed software ($12 billion spent annually) are maximized, reducing the need for each agency to develop or contract for similar software independently. Agencies are not only mandated to share their custom-developed software with one another but are also empowered to modify the code to better meet their specific needs. This capability to tailor and enhance software without starting from scratch is a boon for rapid, cost-effective technological advancement within the government.

The SHARE IT Act Puts Pressure On Quality Coding Practices

According to the SHARE IT Act, agencies have 210 days from enactment of the law to ensure that all custom-developed code and corresponding documentation, data models, schemas, metadata, architecture designs, configuration scripts, and artifacts required to develop, build, test, and deploy the code are: 1) stored at not less than one public repository or private repository; 2) accessible to federal employees; and 3) owned by the agency. This means that US government agency software developers and leaders must follow best practices for shared code and:

Double down on security and governance. Double-check that static application security testing and dependency updates run regularly on the project and mandate. Monitor the software bill of materials using software composition analysis solutions to detect newly disclosed vulnerabilities for any open-source code that the software relies on. When making an agency source code public, consider using the OpenSSF GitHub action to ensure that your project meets baseline security standards. Government agencies have found success in establishing an open-source governance program office such as the one established by the Centers for Medicare and Medicaid Services.

Influence project direction. Government program offices likely won’t have significant influence over the direction of large custom-development projects, making alignment with specific needs challenging if you are expecting a full solution out of the box. That said, it is important that your developers understand and contribute to the custom-development projects you rely on. Make it a goal to fix security issues and quality defects. In the event that a critical vulnerability is discovered, the developers in the community will be the first to know and your team can help with remediation efforts.

Take into account interoperability and integration risks. When evaluating project reuse, be sure that your developers are able to understand, extend, and maintain the code to meet your agency’s needs. Reach out to the repository owners and maintainers to let them know that you will be utilizing their project. They can be an invaluable resource should you run into challenges integrating the code with other systems. Interoperability with legacy architectures can lead to costly integration challenges. Implementing a platform such as Dapr (distributed application runtime) within your technology stack will change the optimal methods for developing applications.

The SHARE IT Act paves the way for a more interconnected, efficient, and innovative federal government by leveraging the full potential of custom-developed software if implemented properly.

To dive deeper into how to build a foundation for using shared custom-developed code, read the full reports on assessing open-source viability in government projects and The Forrester Wave™: Software Composition Analysis Software, Q4 2024. Set up a guidance session with Janet Worthington and Devin Dickerson to discuss in detail.


Don’t Call It A Comeback: Stay Ready For Ransomware

So far, 2025 is filled with … distractions for security leaders. Between scrambling to secure their organizations’ AI initiatives, staying on top of critical vulnerabilities (and the organizations delivering the CVE process), perpetually communicating and training to guard against human element breaches, and navigating yet another period of uncertainty and volatility, it’s tempting to take a “set and forget” approach to common attack scenarios such as ransomware.

Ransomware Is Not Going Away

Ransomware attack volume often dips when law enforcement activity or geopolitical tensions interfere with gang operations. For example, law enforcement actions in 2023 and 2024 disrupted some of the more notorious ransomware gangs, like LockBit and ALPHV/Blackcat, and their supporting infrastructure. In September 2024, German authorities seized 47 cryptocurrency exchanges used by various ransomware gangs for laundering illicit funds, disrupting a core component of the ransomware financial infrastructure. In February of this year, blockchain analytics firm Chainalysis reported a 35% year-over-year decrease in ransomware payments, with less than half of recorded incidents resulting in victim payments.

And yet, despite these bright spots, the number of ransomware victims appearing on data leak sites in 2024 rose to 5,243, a 15% increase over 2023 according to the Travelers Q4 2024 Cyber Threat Report, with new gangs and innovative tactics springing up faster than authorities and security leaders can thwart them.

According to Forrester’s Security Survey, 2024, 25% of CISOs cite preventing and protecting against ransomware as a top strategic priority for their organization. To do this, security leaders, their teams, and their IR services firms must continue to prioritize ransomware readiness. That’s where our newly published decision tool comes in. As a follow-up to our report The Ransomware Survival Guide, The Forrester Ransomware Readiness And Response Guide, a downloadable Excel-based tool, will help you and your team:

Understand the controls in place to prepare for, respond to, and recover from attacks.
Identify and close gaps that could worsen the impact of a ransomware attack.
Prioritize tactical steps to bolster organizational resilience against ransomware.

Read The Full Report Here: Prioritize Your Ransomware Readiness And Response Efforts

Recommended actions in the decision tool are aligned with the incident response stages included in the NIST SP 800-61 Computer Security Incident Handling Guide and the SANS Incident Handler’s Handbook, as well as Forrester’s Security Tools and Services Mapping, Zero Trust, and Information Security Maturity models.

Avoid getting knocked out by ransomware by regularly reviewing and refining the people, processes, tech, and services required for optimal readiness. Forrester clients can:

Complete the Forrester Ransomware Readiness And Response Guide to assess your current state.
Align ransomware response strategies and priorities with Forrester’s recommended actions across the incident response lifecycle.
Schedule an inquiry or guidance session with us to discuss your ransomware preparedness plan.
