Forrester

Step Right Up: To Manage Volatility, You’re All Risk Leaders Now!

My one and only roller-coaster experience was in the 1990s when I succumbed to peer pressure and rode the iconic Coney Island Cyclone, which at that time boasted to be the third-steepest drop of any wooden coaster in the world. My friends found the ride on “Big Momma” (as it’s commonly called) exhilarating and adrenaline-inducing, while I stepped off shaking, nauseous, and determined to never again repeat the experience. Here’s why: When the ride went from thrilling to terrifying, I couldn’t slow it down; I couldn’t make it stop; I couldn’t get off. All I could do was wait it out and hope I survived. Basically, I was completely unprepared for what was happening and had zero ability to control it.

Exhilarating Or Nauseating: Your Choice

Today’s new era of business volatility is that wooden roller-coaster ride that few business leaders expected and none can stop. Wooden roller coasters are distinct in that they are bumpier, more uneven, and have that distinguishable “clickety-clack” sound purposely to induce more psychological fear. Similarly, volatility, with its massive global outages, cyberthreats, new tariffs, trade wars, divided and impatient customers, and economic concerns is taking all of us on a wild ride. This ride feels like one where we’re strapped in, unable to get off, and don’t know what’s coming next. But it doesn’t have to be that way. While you can’t control the volatility, your approach to enterprise risk management will determine whether this ride is an exhilarating experience or a nausea-inducing one.

Smooth Out Volatility With Enterprise Risk Management

While business volatility tests the boundaries of resilience, it also creates opportunities for companies to make risk management efforts more targeted and effective. To take advantage of these opportunities as well as to avoid getting caught off guard with everything, all business leaders must understand risk to chart the best course of action. My new report, Regain Control Over Business Risk With The Three E’s Framework, provides a foundation for identifying what is controllable and how to be smart when dealing with volatility. To identify the three sources of risk, model scenarios, and create mitigation plans, recognize that:

Enterprise risks are where you have full control. Companies have the greatest level of control within the walls of their own enterprise. Risks that arise from your company’s strategy, investments, business model, products, policies, internal controls, and even the maturity of your enterprise risk management program are fully within your control to address. Luna Park, the amusement park that operates the Coney Island Cyclone, is directly across from the beach but requires all park guests to wear shoes and shirts on all rides for health and safety reasons. Ensuring that rides are maintained, the park is safe and hazard free, and they have the right policies to keep guests safe and happy are risks within the park’s control.

Ecosystem risks are where you have partial control. When it comes to your ecosystem, your company is fully responsible for risks, disruptions, and failures that arise from third-party relationships; however, you only have partial control over how they manage their risk or adhere to regulations and practices that will ultimately impact you. Amusement parks, even the theme park giants, don’t build their own rides. Instead, they rely on third-party firms with engineering expertise, and knowledge of safety best practices, to bring their vision to life. Unfortunately, when an accident or injury occurs, it’s the park that’s held responsible, as rising litigation against park operators can attest.

External risks are where you have no control but can prepare a response. External forces of systemic risks build slowly, materialize quickly, and cause a cascade of adjacent failures for companies and their ecosystems. You can’t prevent tariffs, technology bans, pandemics, and wars, but you can identify, assess, and mitigate them. Amusement parks are highly sensitive to external forces such as weather. Wet and slippery surfaces, gusty winds, and lightning strikes increase the risk of accidents and threaten the safety of guests and employees. Although park operators have no control over the weather, they must have response strategies such as policies for how quickly to close, how quickly to reopen, and under what circumstances they’ll stop a ride or close the park.

With no end in sight to the stream of critical events, profound changes, and global disruptions, yesterday’s approach to risk management can quickly become insufficient. Leverage the Forrester Three E’s Framework to target risk management efforts at the risks that are most consequential to your business and that will provide the greatest reward. Read the full report for more detail on the Three E’s Framework, and schedule an inquiry or guidance session with me for further insights.


What You Can Learn From Shopify’s CEO’s Memo On Workforce AI

What Shopify’s CEO Gets Right — And Wrong — About Workforce AI

Shopify’s CEO Tobias Lütke released an internal email he’d sent to employees with the subject, “AI usage is now a baseline expectation.” His enthusiastic missive implores employees to adopt AI tools “as a thought partner, deep researcher, critic, tutor, or pair programmer.” His ultimate conclusion? “AI will totally change Shopify, our work, and the rest of our lives.” Lütke says the company needs to embrace AI to keep up with its explosive growth: “In a company growing 20–40% year over year, you must improve by at least that every year.” Shopify doesn’t want to hire more employees, however: While the company has grown at least 21% per year since 2022, the number of employees has declined from 11,600 in 2022 to 8,300 in 2023 to 8,100 at the end of 2024. So this is an organization dedicated to efficiency. Reading Lütke’s memo reveals some important lessons about workforce AI, including several that you should emulate and others that you should avoid.

What Shopify Gets Right: Vision, Practice, And Community

You should take inspiration from several Shopify beliefs and practices for workforce AI:

Develop a vision. Lütke writes: “You’ve heard me talk about AI in weekly videos, podcasts, town halls, and [Summit, a Shopify event].” Executive leadership is crucial to workforce AI efforts: Demystifying myths (such as “AI will steal my job if I use it”), establishing the benefits to both the organization and to employees, and painting a picture of the future state are all crucial to driving adoption success. For example, leaders can position AI as an opportunity builder for employees — taking boring, predictable tasks off their plates, improving their competitiveness in the job market, and solving hard problems.

Empower learning on the job. Lütke writes: “Using AI well is a skill that needs to be carefully learned by using it a lot.” On-the-job experience is central to successfully learning how to use generative AI. Employees must apply AI to tasks along their daily employee journey that can benefit from the productivity-enhancing impact of genAI. They will learn from both their successes and failures.

Encourage social learning. Lütke writes: “Share what you learned […] Slack and Vault have lots of places where people share prompts that they developed.” Social learning is twice as important as formal (think classroom) learning. Clients report that vigorous peer-to-peer and champions programs are central to successful genAI adoption. Many employ active Slack or Teams channels dedicated to workforce AI, too.

What Shopify Gets Wrong: Expectations And Learning Styles

There are a few beliefs and practices in Shopify’s memo that you should avoid, however:

Be judicious, not reflexive, about using AI. Lütke writes: “Reflexive AI usage is now a baseline expectation at Shopify.” Our artificial intelligence quotient (AIQ) research shows that not all employees have the understanding, skills, and ethical awareness needed to use genAI appropriately. High-AIQ employees know when to use genAI and when not to use it for their work tasks.

You can’t prove a negative. Lütke writes: “Before asking for more headcount and resources, teams must demonstrate why they cannot get what they want done using AI.” Demonstrating a financial business case for genAI is actually quite challenging today. Most AI augments rather than replaces human labor at this stage of the market, and “proving” that something doesn’t exist is hard to do.

Learning requires a system of engagement. Lütke writes: “Learning is self-directed.” Learning workforce AI requires you to build a comprehensive learning system that combines formal learning, social learning, and on-the-job experience. Even sophisticated companies that rely on purely self-directed approaches are less successful than those that create iterated, reinforcing learning opportunities.

Set realistic productivity expectations. Lütke writes: “Get 100x the work done” and “What would this area look like if autonomous AI agents were already part of the team?” While agentic AI is on the rise, its promise remains mostly in the future. Most of today’s AI assistants save more modest amounts of labor time. Setting appropriate expectations and KPIs, and measuring them continuously, sets you up for success. Inflated hyperbole doesn’t.

Next Steps For You? Let’s Talk.

I’ve spoken with over 200 organizations about workforce AI. Forrester clients should reach out to schedule a guidance session with me, and I’ll help you design a successful workforce AI strategy.


Qualtrics X4 Highlights: AI-Powered Research Is Expanding

At X4 2025, Qualtrics announced several new features, all supported by AI. Two highlights were Experience Agents and Qualtrics Edge. Qualtrics Edge is a platform for research and insights professionals that combines AI, synthetic insights, and market research data to provide visibility into competitors and adjacent markets. The Edge Audiences feature allows users to access fully human, fully synthetic, or hybrid panels, which is a useful companion to support early phases of discovery work and generating hypotheses. These are advancements that can streamline customer and experience research and broaden customer understanding, and using synthetic insights in addition to real human insights that are gained through traditional user research methods is a big step. We’ll see more AI-powered solutions like these emerge in the research space with advancements in AI.

What do advancements like these mean for experience research today and in the future? Here are my three takeaways:

AI-supported research is real and serious. A year ago, for many researchers, the idea of using AI to conduct research was an interesting nice-to-have, and for some, it was out of the question due to concerns about privacy and biased data. But today, AI-supported research is real, and teams are actively seeking ways to understand the use cases and learn how to use AI in their research practices.

Researchers’ expectations are not fully met. AI-powered features to improve the research flow, such as AI-generated transcriptions and insight summaries, are now nearly table stakes. In many cases, however, researchers don’t find these features nuanced enough. They need more depth in the analysis, more guidance in decision-making, and more support in data visualization and storytelling, and these expectations will continue to increase.

Synthetic insights are still not a replacement for research with humans. Synthetic audiences are promising for early phases of experience research — such as discovery work and generating hypotheses — especially when you’re targeting niche audiences or when recruitment is difficult. But synthetic data is still not a replacement for research with real humans. Determining when to use synthetic insights and how to supplement research with real humans still requires research expertise, and success still depends on the ability to ask the right research questions and determine the right research problem.

If you are a Forrester client and would like to discuss this topic further or have questions about the experience research landscape, set up a conversation with me.


Mature Customer Experience Measurement To Unlock Actionable Insights

Measuring customer experiences has long been a cornerstone of customer experience (CX) programs, yet traditional survey-based feedback methods are increasingly under pressure to evolve. As businesses strive to capture customer perceptions more accurately, AI-driven strategies are emerging as powerful supplements to legacy measurement techniques. Advanced technologies and analytic methods redefine how organizations measure experiences and extract insights. CX leaders have an opportunity — and a responsibility — to spearhead this transformation. To remain relevant, they must challenge outdated methodologies, embrace innovation, and modernize measurement strategies. CX teams can unlock deeper, more actionable insights beyond conventional surveys and static metrics. These advanced capabilities elevate CX and drive measurable improvements in business performance, strengthening the connection between CX initiatives and financial success.

Modernizing CX Measurement: The Opportunity Ahead

As organizations mature their CX measurement, the insights they gain empower executive decision-makers to understand the financial benefits of enhancing CX quality and prioritize improvement opportunities to maximize their impact. Legacy strategies often fail to inspire action or prove the financial value of CX improvement. Surveys typically lack actionable root-cause analysis and fail to establish a concrete link between customer feedback and business outcomes. By adopting modern measurement capabilities, CX programs provide leaders with insights directly connected to financial performance, transforming how organizations approach customer experience initiatives.

Key Opportunities Driving CX Measurement Maturity

Organizations must address several critical areas to realize the potential of a more mature CX measurement function. Here are four of the top opportunities we have identified to advance CX measurement capabilities and practical steps to get started:

1. Measure Beyond Surveys

Techniques such as conversational intelligence and social media listening offer real-time insights into customer perceptions. By enriching this data with operational and financial metrics, organizations can perform advanced analytics to uncover actionable root causes and establish a financial link to CX value.

2. Benchmark Experience Effectively

Benchmarking experience performance is useful, but it must be done thoughtfully. Many organizations fall into the trap of comparing unblinded internal survey scores to external benchmarks — an inappropriate approach. Instead, as a best practice, use blinded research that includes the organization’s brand and leverage these comparisons strategically to drive meaningful decisions rather than superficial vanity metrics.

3. Leverage AI In CX Measurement

AI is impacting CX measurement in three primary ways:

Generating signals: AI can generate signals from unstructured and unsolicited feedback. For example, digital intelligence can infer customer perceptions through non-survey channels such as online interactions.

Generating insights: AI analytics, such as machine learning models, can generate insights by predicting customer behavior based on experience quality.

Enhancing interactions: Generative AI models can support automated interactions, including personalized responses to customer complaints.

4. Prove The Value Of CX And ROI

CX leaders consistently tell us that they struggle to show the business value of their efforts. To overcome this, organizations must articulate the financial impact of experience improvement using empirical measurement or statistical modeling methods. Organizations can employ these techniques to demonstrate ROI as CX measurement matures.

Embrace The Future Of CX Measurement

Now is the time for CX leaders to drive their organizations toward a more modern, sophisticated approach to experience measurement. By identifying opportunities, addressing challenges, and creating a roadmap for advancement, they can avoid stagnation and unlock the full potential of CX insights. When executed successfully, maturing CX measurement strategies transition organizations from reporting traditional metrics to delivering actionable insights that enhance customer experiences and drive financial success.

To learn more about how to future-proof CX measurement strategies, join us at Forrester’s CX Summit North America in June. We will be hosting a Q&A session titled “Boost Your Experience Measurement Mastery,” one of several sessions designed to equip CX leaders and teams with measurement best practices and actionable strategies. Explore the full agenda here.


Where Governance Goes Wrong: You Must Make Data Governance A Cultural Competency

Data governance is mission-critical for modern enterprises using analytics and AI to make decisions. Yet we hear from many clients that they are on their second, third, or even fourth attempt at establishing enterprise data governance. Why? Most governance programs focus on formalization of governance controls without embedding governance into the organization’s culture. They add governance councils and roles such as data owners, data custodians, and data stewards but ignore the human-centered roles that transform processes into working, adopted practices for data- and AI-driven decision-making within an organization.

Roles To Embed Governance In Your Culture

To move beyond compliance-driven governance and into a cultural model of data- and AI-driven decision-making, organizations need specialized roles focused on behavior change through communication, literacy, adoption, and engagement. When drafting your data governance policy documents, include roles such as:

Data literacy lead. This role establishes and drives organizational data fluency by equipping employees with knowledge of how to recognize, evaluate, work with, communicate, and apply data in the context of business priorities and outcomes. Governance can’t succeed if employees don’t understand data in the first place. This leader will ensure that governance isn’t just about policies — it’s about enabling informed decision-making at every level. Without this leader, your enterprise will have rules without insights.

Change management lead. Governance and analytics initiatives need to be embraced rather than resisted. The change management lead role focuses on overcoming corporate culture barriers, addressing resistance, and embedding governance as part of an organization’s natural workflow. Without this function, even the best governance frameworks will face pushback and slow adoption.

Enablement champions. An enablement champion accelerates data, AI, and analytics adoption. While governance sets the rules and stewards focus on data quality and access, enablement ensures that teams can actually apply data, AI, and analytics in their daily work by providing training, support, and resources, as well as ensuring that data-driven thinking becomes a part of everyday work. Without enablement champions, you risk a lot of shadow analytics and AI popping up as people struggle to use what’s available to them.

Data translator. Data translators convert raw data into meaningful business context. Governance programs fail because they assume that users can make sense of structured datasets without guidance. The data translator acts as a bridge between technical teams and business units, ensuring that governance efforts translate into data that can be used to form actionable insights. Without data translators, you may fail to connect data governance to tangible business results, risk mitigation, outcomes, and value.

Data storyteller. Data storytellers communicate data- and AI-based insights through compelling narratives. Governance isn’t just about managing data; it’s about unlocking its value. The data storyteller helps business leaders understand the impact of governance by framing data-driven insights in a way that is engaging, persuasive, and aligned with strategic business objectives. Storytellers help others understand why governance matters and who it impacts.

Without these roles, governance remains a theoretical construct rather than an operational reality. Employees see governance as an obstacle, rather than a framework that empowers them to work smarter.

Show The “Why” And “How” For Governance

Beyond missing key roles, most governance programs fail to explain the why and how of data evolution. They document policies and procedures but ignore a fundamental query: How does data get leveraged to turn into enterprise knowledge and wisdom? To be effective, governance must illustrate:

How raw data becomes structured information (e.g., through validation, integration, and categorization).

How information turns into knowledge (e.g., by adding business context, analysis, and interpretation).

How knowledge evolves into wisdom (e.g., through experience, strategic decision-making, and action).

When governance programs fail to communicate this flow, they reduce governance to a set of rules rather than a system that empowers better decision-making. Employees disengage because they don’t see governance as relevant to their daily work or the broader business strategy.

Now What? How To Fix These Governance Gaps

By addressing the early-stage gaps, enterprises can transform from static policy documents into dynamic drivers of business intelligence. This can help to make sure that governance is not just adopted but actively leveraged to create lasting business value. Schedule an inquiry with me to discuss:

Other colleagues I recommend

Relating to this topic, don’t miss out on connecting with:

Jayesh Chaurasia (data governance 101–301)
Raluca Alexandru (data governance to support data collaboration efforts)
Katy Tynan (advanced change management and change leadership)
Cheryl McKinnon (internal communications tools)
Zeid Khater (artificial intelligence 101, third-party data integration, and customer data segmentations)


KubeCon 2025: Technology Resilience, Sovereignty, And Security In An Era Of Political Change

KubeCon + CloudNativeCon Europe 2025 in London underscored that the cloud-native ecosystem is operating within a complex and increasingly uncertain global landscape. While innovation in data, storage, security, availability, and resilience continues at a rapid pace, these advancements must now also consider the implications of geopolitical instability and rising protectionism. The focus on digital sovereignty, secure supply chains, and building robust, geographically diverse infrastructure will be crucial for navigating these challenges and ensuring the continued growth and stability of the cloud-native world.

At KubeCon 2025, Linux Foundation Executive Director Jim Zemlin made comments that highlight the organization’s role in creating a common ground for open-source innovation even as trade becomes more difficult and political walls grow higher. Randy Bias of Mirantis said — in response to analyst questions during a panel — that he expects more balkanization of the open-source world, citing situations like the ejections of Russian Linux kernel developers from the community in response to Russia’s invasion of Ukraine.

In terms of content, here were the big takeaways:

Security is at the core. At KubeCon + CloudNativeCon Europe 2025, security was a central theme, reflecting its growing importance in the cloud-native landscape. The conference highlighted the application of Zero Trust principles to Kubernetes, especially for AI workloads, and addressed issues such as adversarial attacks, data leakage, and endpoint vulnerabilities. Discussions emphasized the complexity of securing modern cloud-native stacks, with a focus on software supply chain integrity and compliance with new regulations like the EU Cyber Resilience Act. Security was not just an afterthought but a core focus in every conversation about the future of cloud-native technology.

New projects emerge, including security. These include automated security patching and backporting from Root.io, enhanced security isolation and workload portability from Kubernetes virtualization platforms such as Edera (which focuses on strong security isolation using the Xen type-1 hypervisor), and Loft Labs’ vCluster announcing integration with SUSE Rancher and a preview for vNode to improve multi-tenancy in shared clusters.

Digital sovereignty gets mainstage attention. Geopolitical instability has highlighted the importance of digital sovereignty, with Kubernetes and open-source technologies playing a crucial role. In AI, the Kubernetes-native distributed container management environment k0rdent enables European cloud providers to run AI workloads on demand. In infrastructure, Linux Foundation Europe launched NeoNephos to promote open-cloud infrastructure and digital autonomy, focusing on compliance with EU regulations. Open-source and open-cloud infrastructure are essential for ensuring digital sovereignty and sovereign AI options.

Enterprise maturity is here. As demonstrated by HSBC’s implementation, which handles 600 million hits daily across over 7,000 production services, enterprise maturity is here. This trend shows that even conservative industries such as financial services are adopting cloud-native as a core technology strategy, moving beyond experimentation.

What Should You Do Next?

Focus on cloud-native for resilience, innovation, and cloud abstraction. Cloud workloads have changed enterprise architecture, addressing global hyperscaler lock-in. As governments control data more, companies must shift from relying solely on first-party hyperscaler services to using a suite of services across multiple clouds or on-premises. Enterprises should use container-based primitives and Kubernetes-native data services for new workloads. While virtual machines can run on Kubernetes, complex deployments still benefit from platforms such as Broadcom’s VMware and Nutanix, which are enhancing container workload integration.

Leverage open source to lay the foundation of a digital sovereignty strategy. A key part of any organization’s digital sovereignty strategy is maintaining control over its tech stack. Using open-source tools frees organizations from proprietary systems that could lock them into third-party vendors. This applies to AI, as well, with the Model Context Protocol (MCP) emerging as an open-source standard for connecting AI assistants to various data systems. Tech executives should consider open-source projects for AI workloads and infrastructure to enhance their digital sovereignty.

Embrace cloud-native as a mature technology. Once an interesting theme to explore, cloud-native is now the daily bread of cloud professionals across industries. Cloud professionals can look at cloud-native to adapt to the many new possibilities offered by the cloud compared to traditional on-premises infrastructure in regulated and nonregulated industries.

Take Zero Trust as your cloud-native power move. Focus on Zero Trust architecture as the foundation of your cloud-native security strategy. Ensure that no component — user, service, or workload — is implicitly trusted. A Zero Trust model enforces strict identity verification, granular access control, and encrypted communication. Adopting Zero Trust from the start prevents lateral movement during breaches and reduces the attack surface. As AI workloads and containerized applications grow, implementing ephemeral credentials, mutual transport layer security, and default policy enforcement is essential. Tech leaders should see Zero Trust as the core for secure cloud-native operations.

Reach out to Forrester to schedule an inquiry to help guide your cloud-native initiatives or to dig into these announcements.


New Year, New Us: Introducing Forrester’s International Security & Risk Team Research

In February 2025, I transitioned to the role of vice president and research director for international security and risk. With the change, I’m extending my remit from successfully leading our APAC Security & Risk Forrester Decisions business to our well-established EMEA function. I also move from an individual contributor role to one where I’m leading a team of extraordinary people, and I’m now responsible for our collective research agenda across EMEA and APAC. As I deep-dive into our backgrounds, existing research, and capabilities, I feel a sense of pride, hope, and joy at the opportunity ahead. As a team, we cover a multitude of security and risk priorities (see figure below). We’re also geographically distributed across six countries in EMEA and APAC — no one else is as uniquely positioned to add this level of global perspective to our research and our clients. In my excitement and anticipation, I’d like to introduce you to our newly formed team and our 2025 priorities:

Paul returns to the analyst chair, supporting Forrester’s global enterprise and cyber risk management and maturity assessment. Luckily for us, Paul McKay made the decision to get back in the analyst chair as VP and principal analyst, working with Alla Valente and Cody Scott to globally support cyber risk management research. Paul has already delivered some hard-hitting research and blogs that have the potential to move our clients to do important things. This includes refreshing Forrester’s Information Security Maturity Model (FISMM) and an informative blog outlining the key risks in the 2025 WEF Global Risks Report. Paul will also be working on key technology and service markets, including governance, risk and compliance (GRC) platforms. He’ll also reclaim his prior cyber risk ratings coverage, leading a Forrester Wave™ evaluation in 2026, and he’ll evaluate risk consulting services.

Tope leans into his background to deliver pragmatic Zero Trust, managed detection and response, and digital identity research. With an international background in security architecture, penetration testing, and advisory, Tope Olufon’s research reflects this background, leading Forrester’s efforts in the managed detection and response (MDR) space in Europe and soon to publish a new landscape and Wave evaluation in 2025. He works with our Zero Trust (ZT) colleagues with a focus on making ZT pragmatic, delivering our research on How To Build A Zero Trust Roadmap. Tope is currently writing research on how to think like an attacker in order to use offensive security techniques to uplift ZT capabilities. Leaping off his research on Europe’s fragmented, but hopeful, digital identity landscape, Tope will continue to drive our research on digital identity market trends and their practical applications in the workplace.

Madelein sets herself a broad and ambitious agenda, covering security org structure, consulting services, resilience regs, and API security. Madelein van der Hout has an ambitious agenda for 2025. She is ramping up to lead Forrester’s research on security organizational structure and operating models, a highly requested topic by our clients. (Heads up: We’ll be calling out for research interviews shortly.) She continues to lead Wave evaluation efforts on cybersecurity consulting in Europe, with a new Wave report to be published this year. Madelein will support Amy DeMartine’s research on operational resilience in 2024, focusing on regulations and mandates, especially DORA — a hot topic for our clients. She also has plans to double-click into her 2024 API security coverage with Sandy Carielli, giving our clients a well-needed API security roadmap.

Enza and Meng enrich our international research, leading on privacy, trust, AI regs, identity and access management, and threat intel. Enza Iannopollo joined Forrester around the same time as I did, and it’s been an honor following her career path in becoming one of the world’s most sought-after experts on privacy and trust ethics — one of the rare people who earns standing ovations at privacy keynotes. She has led significant research on the EU AI Act, how sellers can trust the use of generative AI, and synthetic data. Meng Liu hails from a payments background, expanding his coverage in recent years to adjacent areas in fraud management, anti-money laundering, and identity verification in collaboration with Andras Cser. Meng saw his research as a natural transition to security and risk and will collaborate with Jitin Shabadu to expand his coverage in APAC to threat intelligence, especially given its adjacency to fraud-related issues such as impersonation and deepfake detections. Meng will also collaborate with Geoff Cairns to expand our most requested topics in APAC: identity and access management (IAM).

My career purpose of human-centered security, security culture, and security leadership will continue. I will still contribute to research that aligns to my purpose, which is making security human-centered, as well as focusing on the security and risk priority to lead a high-performing security organization and culture. In this capacity, I will lead markets and research on topics such as human risk management and security culture, as well as some select security and CISO leadership and career path research. Inevitably, I will have to relinquish some deeply loved parts of my agenda, which are critical to our clients, to very capable hands. Madelein will update our research on security champions networks, the CISO’s guide to successfully leading change, and human risk management metrics. Jess Burn will take over my plans for research on leadership and human skills in security to complement her existing cybersecurity skills body of work.

As a team, we continue to be relentlessly committed to our clients, our research, and each other. With our global security and risk colleagues, we look forward to serving you in the above capacities. Forrester security and risk clients who have questions about the following risk, security, or privacy-related topics can connect via inquiry or guidance session to our experts:

Human-centered security, security culture, security leadership, or human risk management: Jinan Budge
GRC, cyber risk ratings, risk services, or enterprise and cyber risk management: Paul McKay
Building ZT roadmaps, MDR, or digital identity: Tope Olufon
Security org structures, consulting services in Europe, resilience regulations, or API security: Madelein van der Hout
Privacy, trust, AI regs and ethics, or


Fujitsu Steps On To The Global Quantum Computing Stage

A Comprehensive Portfolio Of Innovation

Fujitsu is embracing an all-in strategy in quantum computing — investing across a broad portfolio that includes superconducting and diamond spin qubits, open-source software development, quantum simulation, and a hybrid quantum-classical computing architecture. While most vendors focus on one or two of these elements, Fujitsu is working across all of them in its quest for a place on the world stage.

At its recent quantum computing conference in Kawasaki, Japan, Fujitsu highlighted these efforts with a mix of strategy sessions and technical briefings from its experts and partners. It showcased a 64-qubit superconducting machine, a 40-qubit simulator based on Fugaku supercomputer technology, and simulator-driven hybrid workflows that Fujitsu claims can accelerate development by up to 200x. The company’s open-source quantum toolchain and the Quantum Simulator Challenge, which drew 36 participants from 14 countries, underscore growing global engagement with its platform.

This full-stack focus signals that Fujitsu sees quantum not as a narrow race for qubit counts but as a systems engineering challenge that spans hardware, software, and algorithms. We see few other vendors taking such a comprehensive approach.

The Longer-Term Roadmap Is Not Quite Clear Yet

Fujitsu’s strategy favors long-term R&D over near-term commercialization. Its 64-qubit superconducting processor, developed with RIKEN, is a credible step forward, and at the conference, it announced that a 256-qubit processor will be released this summer. This will put Fujitsu on par with IBM and Google in terms of qubit count. Many of the conference presentations were dedicated to innovations in error mitigation, correction, and scaling.

We have seen other vendors walk this path before — and it is a hard one. Fujitsu’s plan for a 1,000+ physical qubit system supporting up to 64 logical qubits through error correction is ambitious, but the path and timing were not made clear.
That effort may uncover new challenges with scale that require a modular approach similar to IBM’s attempt at Condor. This will take time. Similarly, Fujitsu’s diamond spin qubit work with QuTech shows promise, especially with reported gate fidelities exceeding 99.9%, yet significant questions remain about the scalability, manufacturability, and system integration of this newer qubit type. While Fujitsu’s effort, ambition, and strategic patience are commendable, clarity on its path to scale will be an important signal for the market in the year ahead.

Fujitsu’s Momentum Is Increasing

Where Fujitsu is gaining ground is in ecosystem building. Its global research collaborations span top institutions, including Osaka University, Delft University of Technology, QuTech, RIKEN, and the Australian National University. These partnerships support joint innovation across the Asia Pacific and European regions. Notably missing were any US partnerships, a gap we hope to see filled.

The company’s hybrid platform, combining real hardware and simulation with a coming-soon workload broker, offers a bridge to experimentation before fully fault-tolerant systems arrive. The simulator challenge and open-source tooling are drawing interest and encouraging developers to build on Fujitsu’s stack. One session from the Barcelona Supercomputing Center highlighted breakthroughs in classical simulation of larger quantum circuits, a development that could help accelerate qubit engineering.

Conclusion: Resetting Expectations In The “Early FTQC” Era

One of the most telling messages from the conference was Fujitsu’s introduction of a new phase: the “early fault-tolerant quantum computing (FTQC)” era. This term refers to quantum systems with tens of thousands of physical qubits — not yet fully fault-tolerant but potentially capable of demonstrating practical quantum advantage.
This reframing stands in contrast to the original NISQ vision articulated by John Preskill, which suggested that noisy systems in the hundreds-to-thousand qubit range might deliver early value. With none of today’s NISQ systems achieving such advantage, the industry appears to be moving the goalposts. Fujitsu’s early FTQC label and many of the technical presentations illustrate clearly that useful quantum computing requires far more scale — and far better error rates — than originally hoped.

Does this reset invalidate the dream of quantum advantage? Not necessarily. But it highlights the hard truth: Quantum will evolve in cycles of breakthrough and recalibration. For enterprises, this is a long-term, research-intensive journey — not the kind of explosive growth we’ve seen with generative AI. Several industry guests on the closing panel acknowledged this practical point of view.

What To Watch

For tech leaders tracking quantum innovation, watch for these milestones from Fujitsu:

Its roadmap for a 1,000+ physical qubit system, including plans to create logical qubits via error correction
Scaling of its diamond spin qubit architecture beyond lab fidelity into multiqubit systems
New indicators of value emerging from simulation and hybrid experimentation, especially in the early FTQC regime with ~50,000 physical qubits

Want more perspective on the current state of quantum computing? Read Forrester’s The State Of Quantum Computing, 2024, for vendor insights, architecture trends, and realistic adoption timelines.


Brands, Take Cover: The Tariffs Have Hit The Fan

Markets And Consumers Are In Chaos Mode

We’ve had a little time to chew on the sweeping tariff plans of “Liberation Day,” and if the markets are any indicator, it’s been tough to digest. The free-falling stock indices and the (even more than usual) crush of humanity at Costco with their carts piled high are all signs of skittish consumers and, by extension, worried businesses. Ergo, out of the blue, we teeter on the edge of a bear market.

These tariffs are going to take a bite out of consumers’ household income — and the lower the income, the bigger the chunk (hence, tariffs work as a regressive tax). In response to this income hit and the continued fog of uncertainty about their future earnings, consumers have already begun to take several steps to manage the implications for their pocketbooks.

Five Consumer Behaviors

Here are five buying behaviors to look out for among your customers:

Pantry-loading: People are stocking up because they know prices will rise. This is somewhat futile, however, as it’s not entirely clear which categories will be hit hardest (at least, the average consumer does not have the means to figure that out). More importantly, there isn’t a pantry large enough to accommodate years’ worth of trade policy chaos.
Downscaling: People are purchasing less, completely skipping larger-ticket items, and opting for cheaper brands, including private labels.
Promotion-hunting: Consumers are responding more eagerly to promotions, purchasing items on sale, and making real-time brand switches based on offers (such as digital deals on the grocery store app while pushing the cart down the tortilla chips aisle).
Channel-shifting: Shoppers are flocking to purchase from less expensive retailers such as dollar stores, as well as from warehouse stores where buying in bulk is associated with better value (hence, the aforementioned crush of humanity at Costco).
Self-servicing: Savvy consumers are relying on DIY, repairing things, and growing their vegetables (I kid you not: Numerous consumers told us this in our qualitative research!).

What You Can Do To Manage The Chaos

How should you react to this behavior and prepare your business and your brand?

First, do the homework on your customer segments. Apply a financial resilience filter before you react in haste, because not every person and category will experience the economic effects in the same way, and a shotgun approach to giving away margins will unnecessarily deplete profits. Look before you leap — chances are that you will have to leap, but at least you will be going in the right direction.

Look at any tactics through a growth framework. Use our five-lever approach — salience, product, price, experience, and access — to plan your strategy. This may take you down the road of initiatives such as shifting media dollars, changing products or pack architecture, or even providing new digital experiences with timely and relevant promotions.

To better manage your brand and business through this period of uncertainty and shifting consumer behaviors, please read our report, Consumer Marketing, CX, And Digital Leaders: How To Thrive Through Volatility (US).

If you are a Forrester client, stay tuned for additional research on how CMOs can better manage uncertainty and volatility. Go to my Forrester bio and click “Follow” to be notified. Also, as a client, you can schedule time with me for an inquiry or guidance session, or talk to your account team about workshops and strategy days on planning through uncertainty.


IoT, IIoT, IoMT, And OT — Welcome To Acronym Mania. What Does It All Mean?

Across IT, acronyms come with the territory. Whether they’re classic ones (ENIAC, Electronic Numerical Integrator and Computer), just a tad more modern (VAX, Virtual Address eXtension), network-based (TCP/IP, Transmission Control Protocol/Internet Protocol; XNS, Xerox Network Systems), or cybersecurity-related (NGAV, next-gen antivirus; DLP, data loss prevention; IDS, intrusion detection system), the acronyms and the process of keeping up with them are endless. It doesn’t help that many IT vendors create new acronyms in an effort to stand out and make themselves feel special.

In the world of autonomous endpoints, we are dealing with five primary acronyms. To clarify the meaning of these acronyms, here is some guidance and perspective.

IoT: internet of things

This is the broadest category, as there are a myriad of devices and technologies within it, both at home and as part of a business. Device types range from smart assistants, doorbell cameras, and fitness trackers to printers, security door locks, and warehouse label scanners. What ties these devices together is that they are designed to communicate and exchange internet data, with ‘I’ being the key letter in the acronym. IoT devices, such as sensors and actuators, are integrated into or attached to machines or assets and connected to the internet via a Wi-Fi connection or through cellular networks. The devices use cloud platforms to send and receive data to make informed decisions about the connected assets.

IIoT: industrial internet of things

A subset of the IoT category, these devices, as the name implies, are made for heavy work and are often larger than simple sensors or scanners. IIoT devices are usually focused on improving industrial processes, including predictive maintenance, asset tracking, quality monitoring, process optimization, supply chain visibility, and building management.
The industrial aspect isn’t restricted to just monitoring; it can also incorporate devices such as electric vehicle chargers or building management systems. The first ‘I’ is the differentiator in the acronym.

OT: operational technology

As the name implies, OT encompasses the hardware and software that controls the physical operation of industrial devices. Here is where we will find manufacturing, energy production and transmission, water treatment devices, or factory equipment. Connectivity is regularly restricted to private networks, but in recent years, OT has started to have external/internet connections. The focus is on the ‘O.’ To make matters worse, under OT, you also have industrial control system (ICS), supervisory control and data acquisition (SCADA), distributed control systems (DCS), and programmable logic controllers (PLC). There seems to be no end to OT-based acronyms.

IoMT: internet of medical things

As the ‘M’ implies, this subset of IoT revolves around devices used within the healthcare industry. These could be devices in a hospital, such as infusion pumps or smart medication dispensers, or outside devices like blood pressure monitors, CPAP machines, and pacemakers. Like IIoT, this category also includes devices that could be considered operational technology, such as MRI or X-ray machines, but it is generally accepted that IoMT, the ‘M’ for medical being the distinction, will incorporate both IoT and OT.

M2M: machine to machine

This entails technology that enables machines to interact via wireless or wired communication channels without human intervention. Devices connect and interact with each other to exchange information and perform actions without requiring an internet connection. M2M technology is often integrated into security, track and trace, automation, manufacturing, and facility management processes. IoT technology differs from M2M communication because IoT extends interactions to include cloud-based networks.

Please note: We recognize that there are many other relevant IoT-related acronyms, which we will explore in an upcoming IoT report.

A simplified version that takes these distinctions to just IoT and OT would be:

IoT devices are those that you run inside your business. If these devices go offline, you may have some challenges, but your business can still function.
OT devices are those that run your business. If these devices go offline, you’re not doing business.

Like all analogies, there are exceptions that don’t fit. For instance, if your medical business relies on performing MRI scans and the MRI machine is offline, you can’t do business. A hospital can treat patients without IoT infusion pumps or Bluetooth pulse oximeter sensors, but it won’t be easy. And would you really want to run your industrial manufacturing tools without IoT noxious gas sensors?

For a little more distinction, we could use this image below:

Device protection is important with IoT and OT, but the purpose is different. For IoT devices, the goal is to protect the data. For OT, the goal is maintaining operational safety. Because of this, the approaches to security for these technologies have historically been different. Until recently, many enterprises completely walled off their OT devices into their own air-gapped network, developing extensive human-action security policies to control the flow of data in and out of the network to ensure that these devices stayed operational and weren’t exposed to internal or external threats. Conversely, IoT devices were often interspersed throughout the enterprise with other endpoints. In more secure environments, network traffic to and from these devices is logically segmented and controlled to protect them against internet-based threats.

Security in IoT and OT environments is currently changing. The walls between the OT devices and the rest of the network are becoming porous.
Business leaders are still highly concerned about OT security, but the need for connectivity to IT and internet resources is growing. For IoT, simple segmentation is no longer sufficient because of the mounting threats. This is leading business and security leaders to deploy solutions to improve device security. New acronyms will continue to emerge (such as the confusing CPS, cyber physical security) as IoT and OT security solutions expand. I’m still dreading hearing about the first IoTDR solution. Vendors in this space need to stop throwing out word salad in an attempt to make something relevant and stick with established acronyms. If you’d like to get assistance in understanding the complexities of managing and securing IoT and OT devices, please schedule an inquiry or guidance session
