Forrester

Self-Driving Vehicles Still Need People

If you’d driven your shiny and new steam-powered automobile on the roads of late 19th-century Britain, someone would have walked in front of you with a red flag. As the Locomotives Act 1865 clearly stipulated (with much Victorian capitalization, and my emphasis): “Secondly, one of such Persons, while any Locomotive is in Motion, shall precede such Locomotive on Foot by not less than Sixty Yards, and shall carry a Red Flag constantly displayed, and shall warn the Riders and Drivers of Horses of the Approach of such Locomotives, and shall signal the Driver thereof when it shall be necessary to stop, and shall assist Horses, and Carriages drawn by Horses, passing the same […]” Legislative change happens slowly: That Act wasn’t repealed until three decades later, in 1896.

(Image source: Wikimedia Commons)

Fast-forward to today, and the march of autonomous mobility is being held back by the red warning triangles you see ahead of broken-down vehicles by the side of the road. Rebecca Bellan at TechCrunch wrote about Aurora Innovation’s problem with US federal safety regulators back in January, and I meant to comment then. Thomas Black at Bloomberg then picked up the tale this week, giving me the nudge I needed.

Rebecca summarizes the federal safety rules that apply when a truck breaks down on a US highway: “Truck drivers activate their hazards and have 10 minutes to put out reflective safety triangles as a warning to other road users. The first triangle goes 10 feet behind the truck facing oncoming traffic. The second goes 100 feet behind the truck. And the third goes 100 feet ahead of the truck or 100 feet behind the truck but off-center. The driver might adjust those positions if the truck is pulled over on a curve or a blind spot.” Obviously, if there’s no driver, then there’s no one to climb down from the cab and carefully place little red triangles.

Aurora Innovation (and Waymo, which was also developing trucks at the time) asked for an exemption and proposed fitting bright beacons on the cab that could be triggered instead. Those beacons might work just as well (or even better) for traffic approaching the front of the truck, but they wouldn’t be particularly useful to traffic approaching the truck from behind. The trailer would obscure the cab from view, and there wouldn’t be any fancy beacons on it, as neither Aurora nor Waymo would own, control, or build the trailer. Also, as the Federal Motor Carrier Safety Administration (FMCSA) noted in its rejection of the exemption request, beacons physically attached to the vehicle would not be sufficiently visible if it was stopped on a curve.

Bloomberg’s Thomas Black doesn’t seem convinced, commenting that: “The best argument the FMCSA made for rejecting the exemption was that the beacon’s light can’t bend around a curve. In the somewhat rare case where a truck would be forced to pull over just past a sharp curve, it’s plausible that a triangle could be set out at the apex of the curve and give motorists better warning than the beacon. Then again, compelling a driver to walk on the shoulder of a curvy highway adds more risk.”

I have more sympathy for the FMCSA’s position but also feel that this case helps to highlight a broader set of issues.

Self-Driving Cars On Public Roads Remain A Difficult Proposition

Forrester consistently argues that autonomous driving on public highways is a hard problem, one that won’t be solved for most roads in most conditions any time soon. But it is a soluble problem at which vast amounts of time, money, and brainpower are being thrown. We’ll get there. It’s the fuzzier stuff around the edges that most of the brilliant engineers at well-endowed startups are ignoring, dismissing, or are not yet even aware of. Something, for example, does need to inform other road users about a hazard. Today, that something is a red plastic triangle, placed on the road by a human hand. It doesn’t have to be a red plastic triangle, and it doesn’t need to be placed by a human, but something else would need to be found to take on that warning role: bright beacons, vehicle-to-vehicle alerts such as those that drivers of modern Volvo cars get in Denmark, or some more low-tech approach?

And in the world of robotaxis, more thought needs to be given to the mundane background work involved in cleaning and charging vehicles. As I commented in my coverage of Tesla’s Cybercab announcement: “If a passenger leaves a mess in the back of a cab, how quickly and accurately can the broader system detect that mess, take the cab out of service, and direct it to a nearby cleaning facility? If there’s no driver, you really don’t want the next passenger to be the one who gets into a filthy vehicle and has to report the problem — or leave a thumbs-down review!”

In the headlong rush to solve the exciting technical challenge of autonomous mobility, we mustn’t lose sight of the supporting tasks that will make this autonomous future clean, safe, cost-effective, and practical.

As always, if you have your own perspectives to share on addressing these small but critical supporting tasks, please schedule a briefing and tell me all about them. If you’re a Forrester client and want to discuss (or challenge) my thinking on this topic, please schedule an inquiry.


IBM’s Acquisition Of DataStax: A Major Boost For Its AI Data Platform

IBM has announced its intent to acquire DataStax, a leading data platform provider. This strategic acquisition significantly boosts IBM’s AI data platform by integrating advanced vector capabilities critical for powering retrieval-augmented generation (RAG) applications. It positions IBM to help businesses leverage value from vast volumes of unstructured data, an area where IBM lacks a strong foothold. DataStax brings expertise to IBM in distributed databases capable of spanning multiple regions, an essential capability for enabling seamless global AI and data fabric deployments. Also, this acquisition strengthens IBM’s commitment to advancing open-source initiatives with DataStax’s support for the Apache Cassandra database and Langflow, a low-code tool for AI development.

What It Means

IBM has made numerous acquisitions over the years, but this one stands out as one of the most strategic moves to enhance its data platform, primarily focusing on AI. While IBM has previously acquired database companies, integrating them into its stack has often been slow. The success of this acquisition will hinge on how quickly and seamlessly it integrates with IBM’s watsonx AI platform. This acquisition positions IBM to better compete in the AI space in several key ways by adding:

Enhanced support for unstructured data management at scale. While IBM supports unstructured data management with its Db2 offering, it has historically lagged in providing comprehensive and scalable solutions. This acquisition addresses that gap, enabling IBM to offer a more robust suite of AI data capabilities. Apache Cassandra, a schemaless NoSQL database, is designed to handle massive volumes of semistructured data at scale, empowering IBM to deliver a more robust and scalable data platform for AI applications.

Strengthened vector capabilities for RAG applications. IBM has lagged in providing the critical vector capabilities that are now essential for powering RAG applications. Built on Apache Cassandra, Astra DB delivers high-performance advanced vector capabilities vital for AI-driven workloads requiring rapid retrieval of high-dimensional data. Recognized as a Leader in The Forrester Wave™: Vector Databases, Q3 2024, DataStax has comprehensive, advanced capabilities. Integrating Astra DB with IBM watsonx.data will significantly enhance its vector capabilities, positioning IBM for greater success in the evolving AI landscape.

Enablement for globally distributed data AI environments. DataStax delivers a cloud-native database as a service that simplifies deployment and management and provides a globally distributed data infrastructure, ensuring flexibility across multicloud and multiregional environments. As the demand for distributed data continues to rise, this capability significantly enhances IBM’s ability to empower AI-driven solutions on a global scale.

Middleware capabilities for IBM watsonx.ai with Langflow. In April 2024, DataStax acquired Logspace, the creator of Langflow — a graphical low-code platform that empowers users to visually design and manage AI workflows. Langflow offers seamless integration with diverse AI models and provides Python-based customization. This acquisition extends the IBM watsonx platform by adding dynamic middleware capabilities, streamlining the creation of advanced generative AI applications.

Expanded data fabric capabilities with a scalable data platform. IBM has a viable data fabric solution with its IBM Cloud Pak for Data and watsonx.data offerings. With this acquisition, IBM is poised to enhance its data fabric capabilities, supporting both structured and unstructured data at scale while integrating advanced vector capabilities. This expansion is also likely to help IBM deploy AI agents at scale, strengthening its position in the AI-driven data landscape.

For more insights, book time with me via an inquiry or guidance session.


It’s Time to Change the Rules for Defining the Value of B2B Data

Or, All the Best Ways To Cheat I Learned By Kindergarten

One of the hard early lessons for most kids is that life isn’t fair. Sometimes you are simply not going to win. For the lucky ones, those teaching moments are fairly harmless. That’s how it was for me. As a kid with no real problems, my examples are mostly trivial — like the fact that I shoot pool left-handed. That would be unremarkable if I actually were left-handed, but I am not. No, I’m just a guy who had two much older brothers who thought teaching me to play pool backwards was hilarious. And so, at least at that young age, the game seemed remarkably hard to win.

I have similar memories of playing “Monopoly.” On the rare occasion when I pestered my closest sibling (seven years older) into playing, I lost so badly that he liked to arrange his $500 bills in rows across the table. The bills are tan in color, so he was “sunning” them to enhance their hue. Years later, he would admit that he was just taking them from the bank whenever I wasn’t looking, because I was five and had the attention span of a gnat.

And of course, the old favorite, “keep-away.” As the two teenagers tossed a frisbee back and forth above my head, safely out of reach, I would run and jump pointlessly between them — until the day I grabbed a long stick and knocked it out of the air. We live and learn.

What Does This Have To Do With Data Investment?

When I work with clients who have been struggling with long-term data quality issues, those concerns most often coincide with an ongoing lack of investment in data management. The competition for scarce resources is tilted heavily toward financial metrics such as cost reductions or direct ROI. The rules of that particular game are too skewed for operations teams to fairly compete. There will always be an investment option, such as hiring additional sales reps, that can claim a more direct link to driving pipeline or revenue. A game based on those rules can keep investment away from data teams for years. They need a longer stick.

Change The Way The Game Is Scored

In order to prove that data investment should be a priority in your business, you need to adopt a deeper rulebook, expanding the definition of business value to paint a truer picture of both the problem and the potential in your current data strategy. Design a data scorecard that considers:

Financial benefits. Yes, direct and indirect financial impacts matter, but they’re just one piece of the puzzle.

Experiential benefits. How does improving data quality enhance the experience for customers, employees, and partners? How many of these benefits are already business priorities for at least some of your peers?

Operational benefits. Consider the ripple effect of better data across all areas of marketing and sales, leading to improved performance, effectiveness, and efficiency. How many stakeholders would support your cause if you can deliver value for their teams?

It’s important that the metrics you choose are meaningful, provable, and closely tied to other current business priorities. If you do this, you’ll often find allies in other parts of the business who see your investment as a way to address some of their own long-standing pain points.

I’ll be presenting on this topic at Forrester’s upcoming B2B Summit North America (Phoenix, Arizona, March 31–April 3, 2025) and meeting with attendees one on one to go deeper. Existing Forrester clients, read more now in the report, Making The Case For Investing In B2B Marketing And Sales Data, and reach out to your account teams to schedule a guidance session on the topic.


The Insurance Industry’s Data Posture Is An Existential Risk

Insurers collect a wealth of data, but only a few have found ways to harness its true potential. Most insurance business and technology leaders have very low confidence in their data assets’ ability to meet customer and competitive demands. Almost all incumbent insurance companies support disparate lines of business and individual parts of the value chain through a plethora of legacy systems and disjointed data silos. For example, policy administration systems have different data stores and differing data formats from claims management systems, making it impossible to match risk with loss data. Add the complexity of siloed data representing each line of business, and you have entangled chaos for data environments.

AI technologies are advancing at breakneck speed, and the use cases for AI in insurance are immense, but only high-quality data can adequately serve as training data for these AI use cases. Feeding bad data to AI engines dramatically increases the chances of bad outcomes. Carriers need improved data postures if they want to scale AI and see some real gains from the transformative technology.

The consequences of poor data posture in today’s operating environment are far-reaching. Poor data adds risk to almost all parts of the insurance value chain and can significantly challenge several business and technology areas:

Underwriting performance
Attracting the right distribution partners
Product innovation
Claims experience
Seizing the power of AI

Historically, the plight of mediocre data posture hasn’t been as dire. But with growing competition, increasing expense pressures, a greater push for digitization, demand for product innovation, and consumer expectations of seamless digital experiences, strong data postures are a prerequisite for strong operating performance. The insurance industry’s evolving needs require insurers to get their data houses in order with urgency. Data readiness requires a comprehensive and systematic approach. Insurers that do not get their data in order will be left with an adversely selected pool of risks that could affect operating performance. Digital leaders need to consider a range of impactful internal and external solutions to this data conundrum to drive innovation, be competitive, and meet the evolving needs of their business.

Our new report, Insurance Industry Survival Relies On Data Sophistication, explores this topic and provides practical approaches to data readiness. Clients interested in discussing this report and increasing their data sophistication can connect with me via an inquiry or a guidance session.


X-tortion: How Advertisers Are Losing Control Of Media Choice

Reports of X CEO Linda Yaccarino tying appeals for increased advertising commitments to X lawsuits and Congressional oversight read as extortion and require advertisers and agencies to take steps to maintain their fiduciary imperative to direct media investments. Let’s back up…

Over the past six months:

X filed a federal antitrust lawsuit in August, alleging that the World Advertising Federation and several large advertisers colluded to deny X advertising dollars.

In October, the Judiciary Committee notified Dentsu Group about concerns for anticompetitive activity concerning its brand safety initiative, Dentsu Coalition.

In December, the Judiciary Committee contacted both Omnicom Group and Interpublic Group of Companies, raising concerns that their proposed merger could have anticompetitive effects on advertising spend on platforms like X.

On February 1, X notified the court of its intention to add several large enterprises to its existing antitrust lawsuit.

The Wall Street Journal reported last week that X chief executive Linda Yaccarino made appeals for large advertising commitments from both advertisers and agency holding companies, alluding to X’s lawsuit and congressional oversight.

Whether intentional or not, X’s actions threaten the solvency of the advertising industry because they:

Contradict common-sense media practices. Publishers have no right to advertising dollars unless prior commitments are made. And advertisers have every right to make media choices. A free-market economy necessitates that the best publisher win, and a lesser one work to earn a spot on an advertiser’s media plan. Testing campaigns across publishers and tech products is how advertisers and agencies continually look for ways to reach and engage their target audiences. The growth of TikTok as an advertising platform is due, in part, to advertisers, agencies, and the publisher testing and learning in the name of media choice.

Compromise advertisers’ and agencies’ fiduciary responsibility. When investing media dollars, advertisers and agencies have a fiduciary obligation to company and shareholder value. Agencies make publisher recommendations to advertisers and, in turn, advertisers make business decisions based on a publisher’s efficacy — to deliver targetable audiences at scale, with efficient rates, and on-brand context. If media investments don’t meet those standards, advertisers and agencies are responsible for shifting media dollars. Bud Light’s influencer campaign targeting the trans community conflicted with its brand and core customers’ values, making it a questionable use of media dollars.

But just as agencies and advertisers have a right to media choice, so does X have a right to pursue legal action. And the US House Judiciary Committee has the right (and constitutional obligation) to conduct oversight. The courts will adjudicate, and Congress’s lawful oversight will continue.

Advertisers: Here’s How To Protect Your Right To Media Choice

Forrester recommends three actions for advertisers to keep control of media choice:

Lean into non-binding advertising commitments with X. This might sound counterintuitive, but hear us out: Proactively make an “endeavor” deal with X that gradually increases advertising spend to a specified goal or target — identifying tiered spending thresholds that you must meet based upon the publisher (in this case X) also meeting specific requirements. Structure the deal to be contingent on X addressing three fundamental platform capabilities: (1) improved audience targetability to allow advertisers to pinpoint audiences; (2) better filtering to allow advertisers greater precision in selecting contextual environments (these filters should include language, violence, pornography, news, and political spectrum); and (3) APIs that align with how agencies purchase digital media, enabling more efficient activation and optimization. The good news? X appears to have the technology and engineering savvy to meet these requirements, making for a win-win-win for advertisers, agencies, and X.

Explore principal media solutions for X upfront deals. Consider using agencies’ principal media capabilities to meet commitments to increase X inventory. For those not in the know, principal media is a buying tactic in which an agency purchases advanced inventory at a sizeable discount in order to resell that inventory to its clients. Most principal media programs involve client opt-ins, audit rights, clear benefits (like cost or performance), separate contracts, and labeling on plans. In other words, principal media solutions are highly scrutinized and often bring financial benefits to the advertiser and agency. In this instance, X will need to provide increased inventory levels at a substantial discount in order to fit within the principal media pool the agencies manage. When this happens, it’s another win-win-win for all three stakeholders.

Require X to meet media performance thresholds. Structure your partnership with X to include performance requirements that unlock continued or increased investment. Leverage incrementality testing to prove whether X can deliver equivalent or more value than other media platforms. Media professionals are tasked every day with building media plans that balance reach, efficiency, and impact. When placements don’t perform, they optimize — meaning they move the investment to new tactics, audiences, or channels. X isn’t exempt from this same level of scrutiny. Historically, X (including when it was “Twitter”) hasn’t been of material significance on most media plans for several reasons: the reach isn’t notable, its ad products lack performance, and targeting capabilities are nascent. If X wants more ad dollars now, it needs to prove the platform’s efficacy. Make them earn their spot on your media plan, just like any other publisher.

In our capacity as a neutral adviser to our clients, Forrester offers this guidance solely as a means to help advertisers, agencies, and publishers navigate the changing marketplace and confront its business significance. Forrester believes that “media choice” is a fundamental underpinning of the advertising industry, and we urge organizations like the ANA, 4As, and WARC to advocate for this. If you’re a Forrester client and would like to discuss this further, set up a Guidance Session with Jay Pattisall and Kelsey Chickering.


Introducing The Forrester Wave™: Application Modernization And Multicloud Managed Services, Q1 2025

Application modernization remains a critical priority for enterprises as they continue their journey to the cloud and beyond. While the “lift and shift” era of cloud migration has ended, the modernization journey continues. Many enterprises require assistance from external service providers, not only for the purpose of modernization but also for operational efficiency. In light of this, yesterday we released The Forrester Wave™: Application Modernization And Multicloud Managed Services, Q1 2025. We looked at the top 15 vendors in the market and evaluated them across 25 criteria.

This report represents a combination of two previously separate Wave evaluations, one covering application modernization and migration services and another covering multicloud managed services providers. Why did we combine them?

Customers increasingly conflate the build, modernize, and operate phases. The choice to modernize and operate is more often than not a combined decision. This means that customers prefer modernization and ongoing run services from a single provider, although in practice, philosophies differ. For example, some customers fear that affording such a broad span of control to a single provider gives too much power to that supplier. Others fear that end-to-end suppliers might optimize in the run side what they should have optimized on the build side. But overall, client references preferred a single supplier across modernize and run on a four-to-one basis.

AI/ML and generative AI (genAI) loom but remain a slow burn. Naturally, AI/ML and genAI have begun to influence the market: Most participants have built genAI-enabling platforms with which to accelerate results. Despite this, the overall impact remains muted, although it surely will have a significant impact across the entire range of modernization and multicloud managed services shortly.

Suppliers stress investments in IP, but customers yawn. Customers continue to give mixed reviews to suppliers for their ability to innovate and their pricing/contracting strategies. Moreover, despite suppliers’ efforts to brand their packaged IP in the form of accelerators and platforms, clients seldom see much value in them, pointing to a potential disconnect between client and supplier in terms of perception and recognition.

Customize The Wave Based On What You Care About

The meaning of these trends, taken together, raises the stakes on making the appropriate choice, or choices, of application modernization and multicloud managed service providers. Proceed with care! Fortunately, Forrester clients can browse to this site and select “Help me find a vendor” and then select what they care about most in an application modernization and multicloud management services provider. The site will return a ranked list that aligns to their selected priorities. Forrester’s transparency policy — we detail the full criteria, scale explanations, and scores — allows us to offer an interactive experience to help inform the choices that our clients make about their providers.

Highlights From The Q1 2025 Wave

There are six Leaders in today’s market: Accenture, Tata Consultancy Services, Infosys, Capgemini, HCLTech, and Cognizant. We found that Leaders in this market differentiate themselves by having:

The required scale and ability to provide end-to-end capabilities. Many types of suppliers of varying sizes deliver modernization services. Find the right supplier type for your needs. Increasingly, the suppliers that modernize applications and data assets also handle their ongoing management afterward, rather than niche managed service providers. Look for suppliers that can provide both in the context of multicloud scenarios.

A strong, differentiating vision for application modernization that suits you. There is no singular vision for modernization and multicloud managed services that fits everyone. Look for suppliers with a distinguishing vision for application modernization that aligns with your journey. This may be technical- or business-oriented in nature (preferably both) and could be rooted in existing relationships with application management services suppliers or independent of them. Thus, it’s important to look past incumbency when evaluating alternatives. Staff augmentation on a time-and-materials basis still has its place, but many customers prefer to use opinionated suppliers for managed services that deliver business or technical outcomes.

The resources to invest in and make use of emerging technologies and practices. The landscape is shifting rapidly with the advent of genAI. The ability and will to invest in emerging technologies such as genAI will be key to establishing and maintaining Leader status in the future. Look past grandiose spending pronouncements to practical use cases and enabling IP. Evaluate suppliers that can deliver on genAI in the context of business and technology strategy. Although modernization practices are still diverse, look for use of modern practices such as platform engineering on the build/modernize side and site reliability engineering on the run side.

Another six vendors — IBM, Wipro, NTT DATA, EPAM, Deloitte, and Tech Mahindra — are Strong Performers, while LTIMindtree, Virtusa, and Mphasis are Contenders. Depending on your strategic goals, any of the participating suppliers (and a few others that did not qualify for Wave participation) are viable choices for your modernization and multicloud managed services needs. It’s about applying our research to your own specific business needs.

I recommend the following resources to learn more:


How Consumer Electronic Brands Can Bolster Their DTC Business

Consumer electronics brands have continued to strengthen their direct-to-consumer (DTC) operations and brand presence. By now, 27% of US online adults prefer to buy their consumer electronics directly from the brand or manufacturer’s website. Using Forrester’s Digital Go-To-Market Review methodology, we reviewed 28 consumer electronics brands across a range of criteria essential to their long-term digital success and the strength of their DTC operations. This review evaluates the digital touchpoints that consumers use and assesses how different brands stack up vis-à-vis their online presence. From our review, we found that three companies are best in class alongside four others in the study:

Samsung offers a one-stop shop on its product pages. Two-thirds of US online adults think it’s important to be able to scroll over a product for more information without leaving the page. Samsung provided customers, within the product image pop-up, all the information necessary to make an informed purchase, including elements usually populated in the checkout cart such as financing options, pickup availability, and final pricing after discounts. The product detail page shows traditional product specs and technical information, as well as trade-in purchase options for eligible items, delivery time frames and payment options, and any add-ons available. Samsung also showcased innovation in its products: For example, some of its electronics such as TVs have an “AI Energy Mode” to consume less energy.

Apple’s localization features allow ownership of the whole buying journey. Apple’s differentiating store-finder function helps customers find the type of store they need, whether for services or products for purchase. The Apple site also features programming and events that it hosts (e.g., in its stores) to engage, educate, and deepen the brand relationship with shoppers after they buy. Apple also stood out compared with other brands we reviewed with its strong social media and search-engine results presence.

Bose offers interactive content beyond visual features. Bose uniquely lets shoppers sample different audio types for the company’s various speaker products. For an experience that shoppers in the past could only have in the physical store, Bose customers now can compare audio products and sound specs digitally. The company also boasts interactive product pages with artificial reality capabilities to immerse the shopper in the product’s look, feel, and sound. To generate consumer excitement, Bose also promotes collaborations with celebrity partners and other brands across the site.

(Figure: Brands reviewed in Forrester’s Digital Go-To-Market Review: Consumer Electronics Brands, 2024)

If you’d like to learn more, please see our latest report, Digital Go-To-Market Review: Consumer Electronics Brands, 2024. Also see our earlier Digital Go-To-Market Review reports covering luxury brands, apparel and footwear brands, CPG brands, and beauty brands. Questions? Let’s connect. Schedule an inquiry or guidance session with us!


How I Apply Third-Party Lab Results In My Security Operations Research

Last week, I attended the AV-Comparatives conference in Innsbruck, Austria. This conference brought together many cybersecurity vendors, particularly those with a European focus, as well as a few nonprofits, academic institutions, and analyst firms. The event was a combination of talks and an award ceremony, a typical arrangement for a conference from a security testing lab vendor. Conference organizers asked me to give a talk on how we as analysts use third-party lab testing results like those from AV-Comparatives, MITRE Engenuity, SE Labs, and others. It provided a good opportunity to give a look behind the curtain as to how we use these results in our conversations with clients. My predecessor, Josh Zelonis, was the first Forrester analyst to include the MITRE ATT&CK evaluations as a requirement for inclusion into The Forrester Wave™: Endpoint Detection And Response Providers, Q2 2022. I continued that trend for the past several years. The reason? As comprehensive as the Forrester Wave is — and you can see just how on our methodology page — we don’t test the technology in a lab. We use three inputs for the Forrester Wave: 1) the questionnaire, which is typically several questions per criteria about the product; 2) the strategy briefing and demonstration, so we can see the product in action and learn more about the vendor strategy; and 3) the customer interviews, where we hear directly from customers about their relationship with the vendor. This gives us a great picture for an executive-level audience as to exactly what a partnership with the vendor will look like. It lets us get direct feedback from existing customers and identify the strengths and weaknesses of different offerings. Third-party lab tests give us input into how effective the tool is (or isn’t) against specific attacks. To be clear, we do not use third-party lab tests as an input into the Wave, but we do use them to get a more complete view of vendor capabilities. 
I use these results to do three things:

1) Validate how effective the vendor is for a particular attack scenario and where potential gaps are.
2) Interpret the results from the entire cohort of results to get a better sense of how the technology market is changing.
3) Help push the industry forward by highlighting gaps in the products or ways it may not be as effective for customers.

I want to ensure that we have a complete picture of the technologies we cover, which is why I review third-party lab results for my security operations research. It’s one more input into the bigger picture of how effective the vendor will be for each client’s specific use case. We are also careful to evaluate the third-party lab tests we consider, ensuring that they are not pay-to-play, that they prevent the introduction of potential biases, and that all vendors are treated equally as part of the process. We never parrot third-party lab test outputs. Instead, we focus on our own analysis of the data.

If you have more questions about how we use third-party lab results, or if you want to talk about a particular vendor, book an inquiry or guidance session with me.

Lastly, Innsbruck is a beautiful town — if you have a chance to visit, definitely do so. And make sure you bring your ski gear!


Quantum Security Isn’t Hype, Every Security Leader Needs It

The commercial availability of quantum computers that can compromise traditional asymmetric cryptography is still five to 10 years away. But security and risk (S&R) professionals must assess and prepare for the impact of quantum security now. While the encryption market has a history of vendors publishing incredible claims like “unbreakable encryption,” the hype and interest around quantum is real because hackers are already using the “harvest now, decrypt later” approach. This new report examines the governance, strategy, architecture, and impact of quantum security over the short-, medium-, and long-term horizons.

Quantum Security Should Be The Security Foundation Of Your Environment

Quantum security and cryptoagility — the ability to replace and upgrade cryptographic algorithms in infrastructure, commercial, and in-house-built applications — will improve the security of any information exchange, improve digital signatures, and mitigate the risk of “harvest now, decrypt later” attacks. We see quantum security as consisting of several technologies, including post-quantum or quantum-computing-resistant key exchange, digital signatures, key generation and management, cryptographic algorithm discovery and inventory, certificate management, cryptographic algorithm change management (cryptoagility), and quantum key distribution. With quantum security, organizations can expect to:

Build a future foundation for security. Quantum security will force an overhaul of systems across an organization’s: 1) on-premises and cloud computing; 2) storage and network infrastructure; 3) commercial off-the-shelf software; 4) commercial software-as-a-service offerings; and 5) software built in-house. Organizations will need to upgrade their entire security stack to ensure cryptoagility for the future to protect their data.

See quantum security requirements accelerate security investment. Three key externalities — third-party partner management and business requirements, regulatory requirements, and cyber insurance requirements — will drive new investments in security technologies and services. Quantum security will impact all three, putting additional pressure on organizations to act, demonstrate proof of cryptoagility, and use pluggable and easily manageable cryptographic algorithms across infrastructures and point products.

Find increasing clarity and guidance from standards bodies and governments. Organizations, technology vendors, and industry groups have been waiting for quantum security standards. NIST released the first three finalized post-quantum encryption standards in August 2024. This kicked off a flurry of announcements from Amazon, Google, and IBM highlighting their ongoing contributions to standards and working groups, current implementations of quantum security in products and services, and migration activities. Governments around the world have also issued guidance on migration to post-quantum cryptography, with some specifying requirements and migration timelines.

Quantum security will impact all areas of security including certificate and key management, data encryption and digital signatures, transport layer security and secure comms, and authentication. This demands that orgs have a plan for building in cryptoagility and build a security architecture that can securely operate in a post-quantum world, even if quantum computing is still several years away. Our report examines how quantum security will deliver ROI over the short, medium, and long term, identifies the key factors influencing each timeline, and provides guidance on how to increase security posture today while preparing for tomorrow. Such opportunities don’t come along often, so S&R pros need to begin a plan for cryptoagility now.
If you are looking to better understand the implications of quantum security on your security architecture, please read our report and schedule an inquiry or guidance session with us.


GraphQL: Federation, Performance, and the Pursuit of Developer Experience

I’ve enjoyed watching GraphQL’s evolution during my time as a Forrester analyst. While I can’t say it is a super popular topic in my client calls, I have seen a noticeable uptick in interest. This has happened while objections to GraphQL adoption are being alleviated: monolithic graphs, poor developer experience, and performance issues. Let’s review how each of these barriers is being addressed.

Monolithic GraphQL Becomes Federated

The original GraphQL implementation was one giant, monolithic graph for the enterprise. This couples everything to everything, creating an operational problem wherein an outage anywhere in the enterprise could ripple through the graph. The enterprise team supporting GraphQL operations lacks visibility into and ownership of those services surrounding it, as Netflix famously wrote about in two blog posts. Apollo Federation first addressed this a few years ago. It allows GraphQL to be split into subgraphs, each owned and operated by different domain IT teams. Unfortunately for buyers, Apollo switched this from an open-source license to proprietary, preventing competitors from using it. There are attempts in progress to create an open standard for federation. Wundergraph responded with a federated product under the Apache 2.0 license. ChilliCream and others developed GraphQL-Fusion under the MIT license. A subcommittee of the GraphQL Working Group is also developing Composite Schemas, a federation specification for the GraphQL Foundation. Hasura has yet another option.

GraphQL’s Developer Experience Is Improving

The GraphQL developer experience (DX) has been very far behind that of REST API development, but there have been steady improvements. Federation, of course, improves DX by giving application development teams more autonomy from other teams building on the graph.
Writing a new schema by hand is very error prone; now there are linters that automate enforcement of quality standards, error checks, and backward compatibility checks from vendors such as Apollo and Inigo. In the past, connecting to a new data source often meant writing custom code in a GraphQL server. Apollo recently made GraphQL Connectors generally available, a way to build resolvers through declarative configuration. This not only makes it easier to connect to service endpoints, but I also expect this approach will make it easier for future AI to generate fully connected GraphQL implementations.

From Performance Concerns To Performance Gains

GraphQL has always had opportunities to improve performance by consolidating several REST data fetches into one query fetch. But performance concerns also arise from the fact that you’re adding yet another layer between the client and the back ends. Nonetheless, the GraphQL ecosystem has been making headway with performance. Apollo has recently converted its router from JavaScript to Rust, delivering C++-like performance while maintaining memory safety. The GraphQL Connectors described above also boost performance by eliminating the need for a GraphQL server supporting those connections. Since federation runs different parts of the graph on different servers, it also provides more opportunities for parallel processing and optimized query planning. The worst performance risk, though, is recursive or redundant queries that can DoS a database. Although this problem remains, there is better tooling today to protect from it. More API management vendors support GraphQL-specific policies to limit query depth. Startup Inigo specializes in GraphQL security policies, including query depth and rate limiting to protect back-end infrastructure. It also offers advanced observability of runtime queries to diagnose the root cause of problematic ones.
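To make the query-depth policy just described concrete, here is an added example, not code from Inigo, Apollo, or any other vendor named in the post: a dependency-free guard that measures a GraphQL query's nesting depth and selection count before it reaches a resolver, rejecting the recursive and alias-amplified shapes that can exhaust a back end. The limits and the sample query are constructed for illustration.

```javascript
// Added example (not any vendor's code): a query-shape guard for GraphQL text.
// Assumption: these limits are constructed defaults, tuned per deployment.
const LIMITS = { maxDepth: 5, maxSelections: 100 };

const KEYWORDS = new Set(['query', 'mutation', 'subscription', 'fragment', 'on']);

// Blank out string literals and comments so braces inside them are ignored.
function stripLiterals(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n]*/g, '');
}

// depth = number of nested selection sets (root fields sit at depth 1);
// selections = field names, with aliases collapsed and argument lists ignored.
function measureQuery(query) {
  const tokens = stripLiterals(query).match(/\$?[A-Za-z_]\w*|\.\.\.|[(){}:@!]/g) || [];
  let depth = 0, maxDepth = 0, parens = 0, selections = 0;
  tokens.forEach((t, i) => {
    if (t === '{') maxDepth = Math.max(maxDepth, ++depth);
    else if (t === '}') depth--;
    else if (t === '(') parens++;
    else if (t === ')') parens--;
    else if (parens === 0 && /^[A-Za-z_]/.test(t)) {
      const prev = tokens[i - 1], next = tokens[i + 1];
      // Skip keywords, operation/fragment/type names, directive names and aliases.
      if (KEYWORDS.has(t) || KEYWORDS.has(prev) || prev === '@' || next === ':') return;
      selections++;
    }
    if (depth < 0 || parens < 0) throw new Error('unbalanced query');
  });
  if (depth !== 0 || parens !== 0) throw new Error('unbalanced query');
  return { depth: maxDepth, selections };
}

// Allow/deny decision plus the measured values, so rejections can be logged.
function checkQuery(query, limits = LIMITS) {
  const m = measureQuery(query);
  if (m.depth > limits.maxDepth) return { ok: false, reason: 'depth', ...m };
  if (m.selections > limits.maxSelections) return { ok: false, reason: 'selections', ...m };
  return { ok: true, reason: null, ...m };
}

// Constructed sample: a recursive "friends of friends" query, rejected at depth 7.
const RECURSIVE =
  '{ user(id: "1") { friends { friends { friends { friends { friends { name } } } } } } }';
console.log(checkQuery(RECURSIVE));
```

The same measurement can feed a per-client rate limit, which is the other control the post mentions, by charging each request its selection count rather than a flat cost.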
Apollo provides a query planner to introspect how queries will execute and a means to declaratively present unique subset views of a graph to different users. Fine-grained caching is also available from vendors. I spoke with one user who believed screen rendering went from 5 seconds to 1 or 2 seconds when employing solid schema design and caching in GraphQL. Another company found up to a 95% reduction in latency by migrating to the Rust-based router in the travel industry, where latency could mean the loss of millions of dollars in revenue.

Pick The Right Use Case

GraphQL mainly supports front-end developers, replacing the back-end-for-front-end pattern, but not much beyond that. This leads to caution about going overboard. The wisdom of exposing it to third parties remains to be seen. That recursive query risk is easier to deal with when the client is one of your employees. When it’s a customer, for example, you have much less leeway to tell them to stop making that query. I have talked to vendors who made client-facing GraphQL and regretted it for that reason. Shopify provides another caution. It recently pushed customers off REST and onto GraphQL. User reaction has not been all positive. Some of this was self-imposed by Shopify: incomplete documentation and not migrating all data from REST to GraphQL. But negativity was mostly due to GraphQL itself, notably using it for write operations. The problem with write operations is that — unlike reads — they often must execute in a specific order. GraphQL does not have a way of knowing that order. A single REST API can hide this orchestration from clients using iPaaS. GraphQL pushes that complexity onto clients. For example, one Shopify user wanted to upload a product image with alt text and position information, attached to multiple product variants. This had been one REST call. With GraphQL, it now takes six calls: Stage the upload, upload the image, send media info to link to that image, etc.
GraphQL is like every other tech: It’s not a silver bullet, and it has tradeoffs. As its tooling matures and becomes viable for more and more organizations, enterprises must never lose sight of the bigger picture: GraphQL is here to stay, and adoption will grow in the coming years, but it will never fully replace REST.

AI: A New Horizon For GraphQL?

I look forward to seeing how this continues evolving. AI creates an interesting potential. For AI to leverage APIs as tools, it needs to know the relationship that one API has with another. GraphQL’s schema provides context of how entities from different endpoints relate to each other. The growth of agentic AI may provide a tailwind for
