Forrester

Visualize, Control and Optimize Your Spend With Software Asset Management Tools

In a climate of economic and political uncertainty, tech budgets are under pressure. According to Forrester’s Industry- And Customer-Supporting Software Survey, 2025, 23% of organizations cite budget as their number one software challenge. Currency depreciation, ranging from 6 to 12% in EMEA/APAC, adds further strains on US-dollar-denominated renewals. Making things worse, 27% of organizations report that over 50% of non-IT tech spending occurs without IT oversight (source: Forrester’s Security Survey, 2024). This fragmentation undermines cost management and increases risk. In this environment, software asset management (SAM) tools emerge as a critical lever to gain visibility, regain control, and optimize license utilization — tracking usage in real time and driving cost efficiency across the technology landscape.

Reclaiming Control In A Complex Tech Stack

SAM tools bring discipline to the entire software lifecycle by automating discovery, deployment, and retirement. They centralize software-as-a-service (SaaS) management, giving IT clear visibility into subscriptions, usage patterns, and costs. This enables smarter license utilization and prevents waste. In addition to cost tracking, high-performance IT organizations utilize SAM budget forecasting and identification of underutilized assets. Leading platforms reduce the risk of surprise true-ups by automating license reconciliation and real-time usage monitoring to maintain continuous compliance. SAM also enforces governance by aligning software usage with policy, reducing audit risks and unexpected spend.

In The Forrester Wave™: Software Asset Management Solutions, Q1 2025, we highlight the following features as crucial when selecting a SAM tool. Ensure that the tool offers:

AI/ML in contract and license management. Vendors should integrate AI/ML to automate contract term extraction, ensure compliance, and provide predictive insights into software usage trends.

SaaS management with extended FinOps capabilities. Providers should offer comprehensive SaaS management with real-time visibility into subscriptions, license utilization, and spending optimization.

Support for the entire software lifecycle management process. Vendors should enable end-to-end lifecycle management, streamlining software acquisition, requests, approvals, and compliance.

Choosing The Right Vendor Is Half The Battle

No two IT environments are the same. Each operates with its own blend of tech stacks, philosophies around build vs. buy, asset management practices, and definitions of success. Accordingly, selecting the right SAM vendor that meets the IT team’s needs is crucial. IT teams should start by identifying their most critical criteria, such as avoiding true-ups, managing security vulnerabilities, or optimizing costs. They should then examine these criteria in detail to identify the essential functionalities of a SAM tool that can best meet their needs. Refer to our latest Forrester Wave evaluation of the SAM solutions space to gain insight into each type of functionality, helping you choose the right vendor that aligns with broader organizational goals and objectives.


1+1+AI=5: How Generative AI is Empowering Teams

We often talk about AI through the lens of individual productivity: automating tasks, accelerating workflows, and reducing costs. But there’s something far more powerful — and far less discussed — emerging in front of us: the impact of generative AI on teams — not just replacing tasks but reshaping how people work together. That’s the story behind one of the most fascinating studies I’ve seen this year, a large-scale experiment conducted with 776 professionals, in commercial and R&D spaces, at Procter & Gamble (P&G) in collaboration with researchers from Harvard University, the Wharton School of the University of Pennsylvania, and ESSEC Business School in France. The question the study asked was bold: Can AI act as a teammate? This means more than just a tool but a genuine contributor to team dynamics, performance, and emotional experience. The study’s findings should provide inspiration for any tech and business leader who is rethinking the operating model of collaboration in an AI-enabled enterprise.

AI Equals And Augments Human Collaboration

In traditional settings, teams outperform individuals by integrating diverse perspectives. But what happens when an individual is paired with genAI? The study found that individuals using generative AI matched the performance of human teams working without it. More strikingly, teams with genAI outperformed everyone else, producing higher-quality, faster solutions with more comprehensive detail. We’re talking real business challenges that P&G employees tackle in their day-to-day work.

AI Breaks Down Silos

If you’ve ever led a cross-functional team, you’ve seen how people’s ideas tend to reflect their domain: R&D folks skew technical, while commercial folks lean toward marketability. Collaboration helps blend those ideas, but it takes time, trust, and iteration. Here’s what changed with AI: Those silos started to dissolve. With genAI, both R&D and commercial professionals produced solutions that were balanced — integrating both technical and commercial dimensions. The genAI interface nudged them there. It helped them think beyond their professional default. In other words, genAI is enabling cross-functional thinking at the point of creation. That’s not task automation — that’s meaningful, intellectual contribution. For CIOs, this opens the door to rethinking how we configure teams, how we design roles, and how we structure collaboration.

AI Makes Work More Human

There’s one more dimension, and it might be the most surprising. We tend to associate technology adoption with friction, stress, and overload — not here. Participants using AI reported significantly higher positive emotions: more excitement, more energy, less frustration. In fact, individuals working with AI felt as positive about the experience as people collaborating in human-only teams. And when teams used AI together? Emotional engagement surged even higher. When was the last time that we saw a piece of technology improve morale?

1+1+AI=5

This isn’t just a productivity story. It’s a human story. AI, used well, doesn’t just get the job done; it makes people feel more confident, more creative, and more connected to the work. That’s true empowerment. That’s why 1+1+AI doesn’t equal 3; it equals 5. This study was conducted with prior-generation models not optimized for team interaction. So imagine what’s possible when tech and business leaders start building AI into workflows designed for collaboration. We can move from using genAI as a tool to automate tasks to one that reinvents workflows by integrating it as a core part of how teams think, solve, and create together, because the future of work isn’t just faster; it’s more human, more inclusive, and — if we design it right — more extraordinary than we imagined.


Breaches And Lawsuits And Fines, Oh My! What We Learned The Hard Way From 2024

With the average cost of a data breach at $2.7 million and 33% of enterprises reporting being breached three or more times over the past 12 months, understanding and learning from past incidents is not just beneficial — it’s essential. Our detailed examination of the top 35 breaches and privacy fines of 2024 has unearthed critical insights into the evolving cyberthreat landscape. Among the key findings: Attacks cause more than just monetary damage; inadequate data protection severely impacts customer trust; and healthcare in particular is at a critical juncture, because it’s not just brand reputation at stake but delivery of critical medical services.

2024 also saw hefty fines levied on organizations. GDPR is once again the most enforced privacy regulation in the world, but it isn’t the only regulation with sharp penalties. In the US, more states are putting privacy laws in place and holding organizations accountable. Not only does Meta hold the record of the highest-ever GDPR fine at €1.2 billion in 2023 from an Irish regulator, but in 2024, Meta took home the largest US state fine ever at $1.4 billion. While some companies can pay off their fines like parking tickets, most organizations do not have the capital or lawyers to copy this behavior.

From our analysis of the top breaches and fines, we found the following:

Massive breaches and outages drive regulatory proposals and changes. In early 2024, US Executive Order 14117 focused its attention on bulk sensitive personal data, with emphasis on telecommunications and the healthcare market. The US Federal Communications Commission has proposed telecom cybersecurity and supply chain risk management rules. The proposed HIPAA Security Rule that is currently open for comment is the first major update to the rule in over a decade. New York State, acting independently, implemented strict cybersecurity mandates for hospitals. And not to be outdone, the EU has focused on operational resilience, as the Digital Operational Resilience Act (DORA), which has been years in the making and has sweeping demands on security practices, went into effect January 17, 2025.

Organizations need to worry about more than regulatory fines. It is important for firms operating within the US to be aware that, although the regulatory penalties they face can be substantial, there is another financial risk on the horizon that can’t be overlooked. Recent data indicates that the proportion of companies confronted with class-action lawsuits has reached its highest point in 13 years, and it is projected this year that the expenses associated with defending against these class-action lawsuits could exceed the costs of regulatory fines.

Not all breaches are for financial gain. This past year, US ISPs and telecoms found their systems infiltrated by Chinese state-affiliated actors. After the investigation of these breaches, it appears that the focus was on a small number of individuals of political interest. In a separate incident, state-sponsored Chinese attackers breached the US Department of the Treasury through third-party vendor BeyondTrust’s support software. The objective was to gain sensitive information and conduct reconnaissance.

To see the rest of our analysis and, more importantly, get the recommended actions you can take to protect your organization, read our report, Lessons Learned From The World’s Biggest Data Breaches And Privacy Abuses, 2024, or schedule a guidance session with us to talk more.

(written with Danielle Chittem, research associate)


Takeaways From HIMSS25: Embrace Collaboration, Change, And Cybersecurity

Collaboration emerged as the key to unlocking the power of emerging technology and tackling tough challenges for healthcare at the Healthcare Information and Management Systems Society (HIMSS) annual conference for 2025. CEO Hal Wolf called on all healthcare organizations (HCOs) to prepare for change, acknowledging the anxiety and uncertainty many feel amid rapid policy shifts. Healthcare leaders highlighted the lack of preparedness as the pace of change instills a sense of chaos. Vendor conversations revealed that they’re struggling with solutions and approaches for handling change. Lastly, the conference seemed to pay lip service to cybersecurity by relegating its tracks to the annex and by naming it as a pillar but not a priority.

Where Action Is Speaking Louder Than Words

While cybersecurity felt underrepresented — a reminder that we’re just one year post the Change Healthcare breach — many HCOs are collaborating to speed development of emerging technologies. HCOs can leverage the same or configurable algorithms and tools to meet similar needs. While we all need the tech, we don’t all need to build the tech. We heard and saw notable developments in key areas:

Agentic AI. Salesforce’s Agentforce for Health intends to reimagine healthcare with digital labor. Partnering with athenahealth, Agentforce streamlines tasks such as checking eligibility, scheduling appointments, and verifying insurance benefits. Talkdesk’s platform enhancements enable AI agents to use embedded call controls and conversation management tools within Epic. With Talkdesk Copilot, agentic AI manages calls, accesses patient information, schedules appointments, verifies benefits, and manages prescription refills, improving workflow and patient care.

Ambient listening. Microsoft unveiled its Microsoft Dragon Copilot, which combines the natural language voice dictation of Dragon Medical One with the listening capabilities of DAX Copilot. The industry’s first unified voice AI assistant enables clinicians to streamline clinical documentation, automate tasks, and generate after-visit summaries, referral letters, and summaries of clinical evidence.

Intelligent healthcare organizations. Samsung Medical Center showcased its innovative use of AI, robots, and digital tools to enhance patient care and business operations. Samsung’s embrace of a collaborative culture led it to a completely redesigned process that incorporates emerging technologies and helps create an intelligent HCO. As a result of these ongoing efforts, the health system achieved a perfect HIMSS Digital Health Indicator score in October 2024.

Customer engagement. Arcadia and League teamed up to bring longitudinal patient data to League’s customer experience platform. As Michael Meucci, president and CEO of Arcadia, shared, “Functionally, Arcadia acts as the data and analytics hub to provide longitudinal patient records that will drive League’s consumer application with AI-based personalization and engagement to improve the patient experience.” HCOs will now be able to deliver individualized health recommendations and use AI and behavioral science to engage consumers.

HCOs Must Find Their Balance On AI And Cybersecurity

While the AI buzz captivated attendees, the lack of action and focus on cybersecurity will have sobering effects on the industry. AI, in its many forms, is useless if we do not protect the data as well as the organizations generating and using it. We also need to ensure that only authorized AI is being used by HCOs so they don’t risk leaking clinical data to public large language models and exposing patient records.

We’d love to hear your takeaways and thoughts on the event and key announcements. Forrester clients can schedule time with us here. Not a client? Learn more about how you can have Forrester on your side and by your side.


Siemens Data Center Analyst Event Touches On A Variety Of Topics

Forrester was invited to a Siemens Industry Analyst Day event focused on data centers in Zug, Switzerland and received presentations covering a wide variety of data center topics, as well as a tour of Siemens’ facilities showcasing the practical application of its strategy and products. There were a variety of key topics covered at the event.

Market Strategy

Siemens showcased its product solutions across several categories: power solutions, automation, infrastructure management, thermal optimization, physical security, fire safety, digital twins, microgrids, lifecycle services, and financial services. This included how the company is leveraging its Xcelerator platform, open protocols, and partnerships to benefit customers in the most flexible way.

Impactful Sustainability

Siemens’ data center sustainability efforts are centered on three points: decarbonization and energy efficiency; resource efficiency and circularity; and a focus on impacts to people and society. The company has established the DEGREE framework guiding Siemens’ sustainability ambitions, as well as for its customers. The presentation highlighted how its solutions address these three points on sustainability with specific solutions, along with case studies showing the real impact seen by customers.

Scalability From Modular Power

Siemens presented the challenges seen from changes in the requirements of data centers: bigger campuses, the need to be environmentally friendly, and the difficulties in design standardization with different standards and across regions. Siemens’ modular power presentation highlighted its solutions and how they can be used to accelerate delivery and reduce costs for data center buildouts. This is achieved by leveraging global centers of competence and customizable prefabricated modular power solutions, from e-houses to kiosks and skids.

Digital Twins Driving Design To Operations

Siemens showcased how it is leveraging digital twins for infrastructure and building management. The benefits of using the digital twin approach for data centers are not just for operations but also for design and construction. The presentation outlined how Siemens enables and uses digital twins, the different levels of digital twin maturity that it sees (cognitive, prescriptive, predictive, informative, and descriptive), and a case study with the actual value realized by this approach. Siemens’ customers are still at the beginning of the journey on this topic.

Automation And Operations

Siemens presented different solutions for data center-automated management of infrastructure, power, thermals, and HVAC systems. The presentation included different reference architectures for automated control, as well as how the company addresses challenges with brownfield scenarios, evolving technologies, and the need for a multidisciplinary approach.

Monitoring For Secure And Reliable Operations

Siemens’ energy and power quality monitoring solutions target future data center needs in terms of performance, sustainability, and resiliency. The presentation illustrated how its solutions address security, reporting, integration with other vendors, and power quality issues, with resiliency being a clear Siemens priority.

If you have more questions about Siemens or how its solutions address data centers and sustainability, please submit an inquiry request or reach out to your account team.


Beyond Headless and Composability: The Era of Agentic Content Management Arrives

Announcing The   The Upcoming CMS Buyer’s Guide

According to Forrester’s data, in 2024, 90% of global –facing digital products and services over the next 12 months. Vendors — whether small or large, new or old — are racing to beef up product features to help businesses elevate customer experiences. The Forrester Wave™: Content Management Systems, Q1 2025, reveals a transformed field of third-generation content management systems (CMSes) that are delivering new business value by using to enhance content teams’ interactions with digital content. The following is a preview of some of our takeaways from the evaluation and our upcoming CMS buyer’s guide:

Generative AI (genAI)-powered content generation is impacting customer experiences — as digital properties are consolidating. Reference customers shared that time to market is now the primary growth driver for their businesses and that digital properties consolidation was a big efficiency driver. Additionally, genAI-powered content authoring is beginning to drive quantifiable growth for customer acquisition.

Visual editors, personalization, and collaboration features are center stage. Businesses are distributing content to more geographies and channels than before, which is driving demand for even more intuitive management and collaboration tools like seamless integration into Microsoft Teams and Slack. Simultaneously, data generated from content variants are raising the bar even further for personalization features. Several reference customers indicated interest in experimenting with genAI capabilities to beef up experimentation and personalization for their customers.

Headless delivery and composable architecture were building blocks for the reimagination of AI-powered digital content management. Reference customers shared equal preference for composable pure headless solutions versus template-based CMSes. AI is taking over core user functions — think assistive authoring experiences with specialized AI agents to manage your content model, as well as content agents that automatically learn by generating variants based on analytics and interaction data. CMS features are being reimagined with AI to redefine how content is managed in enterprises.

How To Determine Which Solution Is The Best Fit For Your Business

If you are assessing the content management capabilities of your organization, please get in touch with me to schedule an inquiry or guidance session so we can explore the right technology for your business. Forrester clients can interact with the full Wave scorecard and dig into the wealth of evaluative information in the scores and scales via our new digital experience. Some of our recently released reports provide additional detail to help guide your decisions, including revenue/cost drivers, embedded solutions, and the larger CMS landscape of vendors:


Call For Entries: The 2025 Enterprise Architecture Awards

Celebrating Excellence: The 2025 Enterprise Architecture Awards

Forrester is thrilled to announce the opening of nominations for the 2025 global Enterprise Architecture Awards. In partnership with The Open Group, this year’s awards will again celebrate exceptional enterprise architecture (EA) practices that drive business transformation, enhance risk management, and improve customer experiences. As we embark on a new year of technological advancements, the importance of enterprise architecture in shaping organizational success has never been clearer. The awards recognize organizations that demonstrate how their EA frameworks have helped navigate challenges and fueled innovation. The EA Awards are part of Forrester’s global Technology Awards, which spotlight organizations pushing the boundaries of technology to drive business growth and remain one of the key accolades in enterprise architecture.

A Prestigious Legacy Of Excellence

The Enterprise Architecture Awards have been an integral part of Forrester’s awards program since 2010. Last year’s winners, including Scotiabank in North America, DRÄXLMAIER Group in EMEA, and Contact Energy in APAC, demonstrated the depth of impact that a strong EA practice can have on an organization. These organizations were recognized for their ability to use EA to streamline operations, improve agility, reduce costs, and enhance customer and employee experiences. They exemplify the core pillars of successful enterprise architecture: accountability, collaboration, agility, and innovation. As we move forward into 2025, we continue to see a shift in the role of EA from a disengaged “ivory tower” to a hands-on, outcome-driven practice. In an era of rapid technological evolution, organizations with strong EA capabilities can better align their IT strategies with business objectives, empowering them to stay ahead of the curve.

The Award Categories

The 2025 Enterprise Architecture Awards will focus on the following criteria:

Risk management: how effectively the EA practice manages and mitigates organizational risks, ensuring business continuity and compliance

Cost efficiency: the impact of EA in driving operational savings, reducing waste, and maximizing resource allocation

Customer experience and employee experience: the role of EA in improving both customer-facing services and internal organizational operations

Business transformation: demonstrating how EA has supported the transformation of business models, technologies, and organizational processes to achieve measurable outcomes

The awards will also feature special categories for innovations in generative AI and platform engineering, which are becoming increasingly vital in modern enterprise architectures.

Last Year’s Winners

In 2024, Forrester, in collaboration with The Open Group, recognized outstanding EA practices in three global regions. For example, Scotiabank in North America earned accolades for its use of EA to support its digital transformation, aligning its architecture with business goals to streamline operations and reduce costs. The DRÄXLMAIER Group in EMEA stood out for its commitment to agile, accountable, and influential EA practices, while Contact Energy in APAC demonstrated how EA can be a strategic enabler of both operational efficiency and business growth. Steve Nunn, president and CEO of The Open Group, shared his thoughts on the importance of EA, saying, “The importance of enterprise architecture is as great as it has ever been, so we are glad to be part of celebrating best practice in the discipline. We look forward to seeing the innovative entries submitted this year and rewarding the outstanding work being done.”

Why Enter?

Winning the Enterprise Architecture Award not only brings global recognition but also provides valuable exposure to peers, industry experts, and stakeholders. It’s a chance to highlight the hard work, innovation, and transformation driven by EA teams. The 2025 winners will set the standard for excellence in the discipline, showcasing the vital role of EA in modern business operations. For more information and to submit your nomination, visit Forrester’s Technology & Innovation Summit websites for your region.

How To Apply

Organizations worldwide that have demonstrated success in applying outcome-driven enterprise architecture are encouraged to submit their nominations. The awards are open to companies with 1,000 or more employees, and submissions will be evaluated across the North America; Europe, the Middle East, and Africa (EMEA); and Asia Pacific (APAC) regions. The nomination deadline for each region will be as follows:

APAC. Organizations in APAC can visit here to apply for Forrester’s Technology Strategy Impact and Enterprise Architecture Awards, with a submission deadline of May 27, 2025. Award recipients will be announced prior to and honored at Forrester’s Technology & Innovation Summit APAC, being held in Sydney and digitally, August 19, 2025.

EMEA. Organizations in EMEA can visit here to apply for Forrester’s Technology Strategy Impact and Enterprise Architecture Awards, with a submission deadline of July 16, 2025. Award recipients will be announced prior to and honored at Forrester’s Technology & Innovation Summit EMEA, being held in London and digitally, October 8–10, 2025.

North America. Organizations in North America can visit here to apply for Forrester’s Technology Strategy Impact, Enterprise Architecture, and Data & AI Impact Awards, with a submission deadline of July 16, 2025. Award recipients will be announced prior to and honored at Forrester’s Technology & Innovation Summit North America, being held in Austin, Texas, and digitally, November 2–5, 2025.

Winners will be announced at Forrester’s Technology & Innovation Summits in each region later in the year. We invite technology leaders, including chief information officers, enterprise architects, and chief technology officers, to submit their entries and share how their EA practices have contributed to their organizations’ success.

Resources

Learn more about Forrester’s 2025 Technology Awards program. Register to attend Forrester’s Technology & Innovation Summits this year in North America, EMEA, and APAC.

About Forrester

Forrester (Nasdaq: FORR) is one of the most influential research and advisory firms in the world. We empower leaders in technology, customer experience, digital, marketing, sales, and product functions to be bold at work and accelerate growth through customer obsession. Our unique research and continuous guidance model helps executives and their teams achieve their initiatives and outcomes faster and with confidence. To learn more, visit Forrester.com.


Google To Acquire CNAPP Specialist Unicorn Wiz For $32 Billion

Google has announced definite plans to acquire cloud-native application protection platform (CNAPP) vendor Wiz for $32 billion, which is the largest ever acquisition in cybersecurity, surpassing the $28 billion that Cisco paid for Splunk in 2024. This is also Google’s largest ever acquisition and, based on Forrester’s estimates of Wiz’s annual revenue, represents an astronomically high, approximately 45–50x estimated multiplier of Wiz’s annual revenue. Wiz has been making financial headlines since last summer, stemming from rumors in July 2024 that Google would acquire Wiz for $23 billion, as well as Wiz’s acquisition of Gem Security along with talk that Wiz would acquire Lacework, a deal that fell through (Fortinet later acquired Lacework). This acquisition highlights the following:

In the light of Google’s track record with past security acquisitions, Google can successfully integrate Wiz. When evaluating Google Cloud’s previous security acquisitions, the track record is strong. Google’s 2022 acquisition of Mandiant has proven to be a key component of Google’s cybersecurity product strategy, infusing Google Security Operations with Mandiant’s threat intelligence and analytics. Google has also retained many of Mandiant’s most prominent security leaders, which is a positive sign. Similarly, the 2022 Siemplify acquisition was productive for Google Security Operations — it recently fully integrated Siemplify into the platform as a full-fledged security orchestration, automation, and response offering. The success of Wiz’s acquisition will also depend on: 1) Google’s ability to navigate today’s current volatile economic environment; 2) its ability to “save some cash” to remain in the AI race with AWS and Azure; and 3) whether Google operates Wiz separately or embeds them into Google Cloud’s security portfolio.

Multicloud CNAPP is indispensable for cloud infrastructure security offerings. While Google Cloud Platform (GCP) has successfully developed CNAPP capabilities (cloud security posture management and cloud workload protection) for its own platform’s native security, these tools have predominantly focused only on protecting GCP endpoints/assets. After Microsoft’s 2021 early acquisition of CloudKnox and development of Defender for Cloud (a multicloud CNAPP tool competing with Palo Alto Networks and others), Google is now feeling the pressure to offer a true, multicloud-capable CNAPP tool, given that so many organizations are multicloud today. Forrester expects that, post-acquisition, most current CNAPP capabilities in GCP (such as cloud security posture management [CSPM], cloud infrastructure entitlement management [CIEM], and agentless cloud workload protection [CWP]) will be replaced by Wiz’s offering and remain with multicloud support. Multicloud security capabilities will accelerate Google Cloud’s entry into many enterprises.

App security synergies provide additional opportunities for cloud providers. While Wiz is primarily focused on CNAPP, the firm’s product offerings bleed into the application security space. Recently, Wiz expanded into app security, including software composition analysis, infrastructure as code (IaC), and secrets scanning; software bills of materials; and continuous integration and continuous delivery security posture management. These moves position Wiz to compete with application security testing vendors and other CNAPP vendors that have “shifted left.” Google has also begun extending its API management product, Apigee, into broader API security use cases. While there are still gaps to fill, such as static application security testing, dynamic application security testing, and API attack detection, adding Wiz to the Cloud Armor, reCAPTCHA, and Apigee offerings moves Google closer to being a holistic cloud application security provider.

The acquisition will provide competitive pressures and drive consolidation for independent CNAPP suite vendors. Fortinet, Palo Alto Networks, Sysdig, Rapid7, Trend Micro, and others now face fierce competition from cloud infrastructure providers (Google and Microsoft). This planned acquisition, plus Microsoft’s continued investments in CNAPP and app security, will drive independent CNAPP providers to innovate and seek differentiation in comparison to the cloud infrastructure providers and could lead to further consolidation within the CNAPP space. Cloud customers must consider whether these independent CNAPP vendors have sufficient capabilities to maintain themselves as a trusted third-party platform that mitigates reliance on a single cloud provider — a pattern that has benefited vendors in the observability and AIOps space, for example.

Other CNAPP vendors must integrate cloud detection and response. Wiz’s cloud detection and response offering, Wiz Defend (formerly Gem Security), takes a different approach to cloud detection and response. Instead of relying on built-in detection capabilities in its own cloud protection tools exclusively, Wiz Defend offers a unified tool solely for detection and response that takes in alerts and data from other tools (identity tools, Google Cloud audit logs, Azure activity logs, AWS CloudTrail logs, etc.) and does detection engineering on them. This reduces alert volumes from the cloud at a critical time — clients are struggling with cloud alert volumes more than ever given the disparate products. This acquisition puts pressure on other vendors to consolidate their CNAPP and cloud detection and response (CDR) offerings in a similar way and provide explicit CDR capabilities in their CNAPP solution: a big win for security operations teams.

Wiz’s cluster optimization and cost considerations raise questions on Google’s cloud management ambitions. Although traditionally a CNAPP solution, Wiz — driven by customer requirements — developed a Cost Optimization framework, with Cloud Configuration Rules being its latest capability. It optimizes Kubernetes costs in Amazon’s Elastic Kubernetes Service by identifying cluster optimization opportunities. Though this capability starts with AWS, Wiz earlier had stated plans to extend its next generation of Wiz Cloud Cost to other public clouds. Since Google Cloud has its own cost management capabilities, the question remains whether Wiz Cloud Cost will be deprecated or folded into Google’s native management suite, or perhaps Google will continue its FinOps ambitions and expand to ingesting and managing its competitors’ cloud costs.

AWS will need to react to these CNAPP trends. While Amazon Web Services has been providing GuardDuty and Config, these solutions are not as strong as other CNAPP solutions in areas of best practices, compliance template breadth and depth, and, more importantly, multicloud coverage. While AWS WAF (web application firewall) supports hybrid and multicloud deployments, many Forrester clients tell us that they still limit AWS WAF to the AWS environment. To respond to Google’s acquisition


The Akira IoT Device Attacks Aren’t Just About THAT Device

Protecting internet-of-things (IoT) devices is not easy. With few exceptions, you can’t take a traditional endpoint protection approach and install a local agent on the IoT device for protection. Proprietary OSes/firmware in many cases preclude installing an endpoint agent. Even when the device runs embedded Linux or Windows Embedded OS, standard endpoint defensive measures aren’t available either, as those are locked OSes that require complicated processes to update. This leaves you with network defenses, and if you haven’t taken the time to lay out your network segmentation strategy (VLANs alone don’t cut it; you need to restrict traffic from crossing segment boundaries), your organization is still vulnerable to an attack from a compromised IoT device.

IoT-based attacks come in many forms, but one that exploits this lack of proper network segmentation is the lateral movement attack. This attack is compounded when it’s not just a simple DDoS but starts delivering a payload. We saw this in late 2024 with the Androxgh0st botnet, and this type of attack should worry security practitioners, as it uses devices that can’t be protected locally to deliver exploits within your enterprise.

The most recent attack by Akira used a compromised remote access solution and then tried to compromise traditional endpoints with a ransomware payload. When an endpoint detection and response solution detected the attack, Akira turned to unprotected IoT devices and utilized these devices to conduct a network-based encryption attack against endpoints. This type of attack exposes a common flaw in network design in that, once I’m “in the enterprise,” I’m considered a trusted device and have unfettered access to any other device within the enterprise. While this approach is not consistent with Zero Trust principles, many enterprises continue to take this approach because the alternative is a lot of work. Tough.
Blaming the victim is never a pretty thing, but sometimes you have to call it as you see it. When looking at the Akira attack, if proper network segmentation had been in place, those IoT devices would only talk internally to their approved workloads and only communicate externally to the internet properties required for the device’s daily operations. But this requires a lot of network and, possibly with newer devices, local policy control. There is a chance that these IoT webcams could be compromised, but that means the blast radius of a cyberattack would be limited to the data or application servers where they’re delivering their video payloads, and if proper Zero Trust principles are being followed, other connected assets would only accept certain data streams from these video cameras and potentially ignore the remote encryption commands.

Protecting IoT devices is not like protecting Windows or Mac desktops. For devices that use vibration-based energy, the resources required to run a local agent to analyze threats targeting the endpoint are not available. Edge, network, and gateway security devices are critical portions of IoT security design, and with that, proper segmentation with limits on data flows in and out of the device will be what protects your enterprise from attack and what prevents malicious actors from extracting critical information from your organization.
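The segmentation rule described above (IoT devices talk only to their approved internal workloads and to the internet properties they need) can be checked against flow records. The following is an added example, not part of the original article; the subnets, ports, allowlist, and flow records are constructed assumptions.

```python
import ipaddress

# Constructed policy (assumption, not from the article): cameras sit in
# 10.20.0.0/24 and may reach one video recorder and one vendor update host.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ALLOWED = [  # (destination network, protocol, destination port)
    (ipaddress.ip_network("10.30.0.10/32"), "tcp", 554),    # internal recorder (RTSP)
    (ipaddress.ip_network("203.0.113.25/32"), "tcp", 443),  # vendor update service
]

# Constructed flow records: (source, destination, protocol, destination port)
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.30.0.10", "tcp", 554),    # approved video stream
    ("10.20.0.15", "203.0.113.25", "tcp", 443),  # approved update check
    ("10.20.0.15", "10.40.0.77", "tcp", 445),    # camera to workstation file share
    ("10.20.0.15", "10.40.0.78", "tcp", 445),    # same camera, second workstation
    ("10.40.0.77", "10.30.0.10", "tcp", 443),    # not an IoT source, out of scope
    ("10.20.0.22", "198.51.100.9", "tcp", 443),  # unapproved internet destination
]

def is_allowed(dst, proto, dport):
    """Default deny: a flow passes only if it matches an allowlist entry."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and proto == p and dport == port
               for net, p, port in ALLOWED)

def audit(flows):
    """Return (violations, fanout): off-policy IoT flows and, per IoT
    source, the set of unapproved destinations it contacted."""
    violations, fanout = [], {}
    for src, dst, proto, dport in flows:
        if ipaddress.ip_address(src) not in IOT_SEGMENT:
            continue  # only IoT-originated traffic is judged here
        if not is_allowed(dst, proto, dport):
            violations.append((src, dst, proto, dport))
            fanout.setdefault(src, set()).add(dst)
    return violations, fanout

def lateral_suspects(fanout, threshold=2):
    """IoT devices that reached at least `threshold` unapproved internal hosts."""
    return sorted(src for src, dsts in fanout.items()
                  if sum(ipaddress.ip_address(d) in INTERNAL for d in dsts) >= threshold)

if __name__ == "__main__":
    violations, fanout = audit(SAMPLE_FLOWS)
    for v in violations:
        print("off-policy flow:", v)
    print("lateral-movement suspects:", lateral_suspects(fanout))
```

Run against real flow logs, the same allowlist doubles as the specification for the firewall or gateway rules that enforce the segment boundary.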


Align Product Management And Portfolio Marketing To Create Three Growth Trajectories

Barriers to growth seem to be continuously on the rise for B2B companies. Higher-than-ever customer expectations, rapidly advancing technologies that are harder and harder to keep up with, and a seemingly constant influx of new competitors all make markets more crowded and more challenging than ever.

Portfolio Marketers And Product Managers Should Align To Ignite Growth

Portfolio marketers and product managers both want to ensure the success of their offerings and grow revenue. But the two functions often operate separately, focused on their own efforts to drive growth. Portfolio marketers are often focused on go-to-market strategies for the existing book of business, while product managers are working on how to add more capabilities to existing products. These two functions, however, can work together to provide a unified approach to growth that identifies the most attractive market opportunities while determining the best product strategies to capitalize on them.

Portfolio Marketers Should Be In Search Of New Audiences

Portfolio marketers should always be assessing the best growth opportunities by looking at existing and new buyers and markets:

Existing buyers and markets. Opportunities exist to increase retention rates and usage, extend the offering to more users, or upsell buyers with better features or premium capabilities.

New buyers. Opportunities to expand to new targets, such as new buying centers, new buying groups, and/or new buyer personas, exist to increase cross-sell and penetration within accounts.

New markets. Evaluating new markets to target could include new industries, geographic regions, companies of different sizes, and even different market categories to play in.

Product Managers Should Look For Innovation And Expansion Opportunities

Product managers are always looking for opportunities to improve their products and need to determine how best to invest in offerings to create competitive advantage and leadership:

On par. Offerings need to be continually improved with new features, better performance, improved user experience, and seamless integrations as well as ongoing regulatory and security compliance to keep up with market demands and competitive moves.

Competitive distinction. To create an advantage and drive faster growth, offerings can create a new and better way of solving an existing problem, making it better, easier, or more economical for customers.

Sustainable advantage. To achieve a sustainable advantage, oftentimes a new innovation that solves new, unmet, or emerging needs allows an organization to have a first-mover advantage in a changing or newly developing category.

Marrying these two spectrums of market and product opportunities creates a matrix where it becomes easier to see how different strategies — innovate, expand, and adapt — might be used to create competitive distinction and sustainable advantage for each type of market opportunity.

To find out more about the innovate, expand, and adapt strategies, join me and my colleague, Lisa Singer, at B2B Summit North America in Phoenix, March 31–April 3, 2025. Or if you’re a client and would like to book a discussion with an analyst, please reach out to Beth Caplow or Lisa Singer.
