Forrester

Meet The New Analyst Covering NAV And Zero Trust

I recently joined Forrester as an analyst on the security and risk (S&R) research team. My focus areas will be network analysis and visibility (NAV), Zero Trust, and the Zero Trust domains of analysis and visibility and automation and orchestration. Before Forrester, I was part of the US banks operational risk (2LOD) cyber risk team at Morgan Stanley, reporting directly to the global head of cyber risk. Prior to Morgan Stanley, I spent most of my career in consulting, working on the cyber defense team at Help AG (a major cybersecurity service provider in the UAE, acquired by a regional telecom provider) for the EMEA region, and in the cyber strategy space at Boston Consulting Group (BCG).

During my undergraduate years, I often ventured beyond the regular coursework to explore various areas of computer science that weren’t fully covered in my undergrad program. One such venture led me into the world of networking through the CCNA certification. It was here that the “security” component sparked my curiosity, pulling me down the fascinating rabbit hole of cybersecurity. This early interest set off a chain reaction: I pursued the CompTIA Security+ and CEH content, which together built a solid foundation for my cyber journey. Altogether, this helped me secure my first internship in the field. From there, one opportunity seamlessly led to another, opening doors to meaningful experiences, incredible mentorship, and lifelong friendships — each step deepening my passion and expanding my exposure across the cyber domain. The only thing that didn’t quite “click” for me was my attempt to watch the TV series “Mr. Robot” as I naively assumed that my passion for cybersecurity would naturally translate into an obsession with hacking-themed TV shows. Spoiler alert: It didn’t.

You can view my full bio here.

What brought me to Forrester?
For me, research has always been the backbone of innovation, and Forrester’s commitment to delivering actionable insights for clients immediately resonated with me. At its core, Forrester seeks to bridge the gap between theory and reality for its customers — a mission to which I’m thrilled to contribute.

Another compelling draw is Zero Trust, which is, in fact, one of my coverage areas as an analyst. Forrester’s pioneering work on this cybersecurity model — developed and popularized by former Forrester analyst John Kindervag (with whom I recently had the privilege of speaking) — captured my attention. Some of you who might not be familiar with Zero Trust or who think it’s just a marketing term may be wondering, “What exactly is Zero Trust?” While formal definitions often boil down to “Never trust; always verify,” let me simplify it with an analogy: Zero Trust is like swiping right on a dating app but insisting on meeting in a well-lit coffee shop with a background check first. Just because they look good doesn’t mean they’re not a red flag.

Today, Forrester continues to publish impactful and prescriptive research in areas such as Zero Trust and beyond, and I’m excited to roll up my sleeves and contribute to this body of work. I’ll also be leading the coverage for network analysis and visibility (NAV), a domain that sits at the heart of modern security architectures. As the industry evolves, however, so will my coverage areas, so if you’re curious about my latest research and coverage areas, check out my bio page — it’s where I’ll be painting my perfect cyber world.

Joining at the right time?

You could say I got lucky. Just three weeks into my role, I had the privilege of attending the annual Security & Risk Summit in person — an ideal scenario for a new analyst. This Summit wasn’t just an event; it was a launchpad that allowed me to hit the ground running.
Over these three days, I:

- Accompanied my fellow analysts as they engaged in insightful one-on-ones with Forrester clients.
- Mapped out the broader S&R team’s coverage areas, identifying overlaps and opportunities.
- Took deep dives via analyst-led sessions into key focus areas such as SecOps, API security, security leadership, Zero Trust, and more.
- Enjoyed informal meet-and-greets with industry leaders and former Forrester analysts — moments that truly enriched my perspective.

Attending the Summit was nothing short of phenomenal. In three days, I gained insights and connections that would have otherwise taken me months to accomplish.

What’s next?

As we hurtle into the age of AI, the industry will experience exponential changes more than ever before. We’ll have to navigate the technology’s new capabilities (as it becomes more humanlike) along with its impact, historical context, ethical dilemmas, trade-offs, and, most importantly — SECURITY! I’m truly excited to work alongside the brilliant minds connected with Forrester to navigate this ever-shifting domain. Here’s to a future when curiosity meets action, security meets innovation, and no red flag goes unchecked!

Forrester clients, please feel free to schedule a guidance session or inquiry to further explore my research topics and coverage areas.


Cohesity Acquires Veritas: A Data Resilience Behemoth Emerges

The Basics Of The Merger

Cohesity and Veritas’ merger just completed last week, creating the single largest data resilience provider in the market by revenue, with a combined total revenue of $1.7 billion in the fiscal year ending July 2024. The details of the merger mean that all the intellectual property and organizational resources for NetBackup and the Alta platform become part of Cohesity. The InfoScale, Data Compliance, and Backup Exec businesses were not included in the merger and have been formed into a new company with around 1,500 employees called Arctera, still owned by the Carlyle Group.

Leadership Emphasizes Stability

As most enterprises know, integrating even small acquisitions can be rocky. Cohesity’s leadership has the task of merging Veritas’ larger set of customers and employees into a single organization that is greater than the sum of the two companies’ parts. Sanjay Poonen and the rest of the Cohesity leadership have emphasized that they plan on making this merger a net benefit for all their clients. There is a focus on keeping customer data resilience platforms stable, providing expected updates, and exposing customers to value-added offerings from each portfolio. That’s all you can really ask for. Merging of development and building a unified product platform will happen, but it will be incremental to minimize disruption while maximizing value to customers.

Future Value In Innovation And Packaging

Cohesity’s novel data management focus and Veritas’ experienced professionals create a strong team. On the roadmap, expect Cohesity to lean into its infusion of generative AI functionality into its products and expanding that expertise into the NetBackup and Alta platforms. One simple example of easy innovation might be the expansion of Cohesity’s Gaia platform for retrieval-augmented generation from backups to include data housed in legacy systems backed up by NetBackup.
Beyond AI, the consolidated team has a deep bench of expertise in all aspects of resilience: security, availability, and accountability. On the packaging side, the new portfolio is expansive, and Cohesity has an opportunity to disrupt the market just through smart packaging of the overall portfolio, addressing the pain points that many customers face about operating multiple data resilience platforms to address all their needs.

Competition Continues To Be Fierce In A Consolidating Market

Other vendors from the likes of Veeam, Commvault, Dell, Druva, IBM, OpenText, and Rubrik still represent formidable competition. Internal innovation to support new services like Entra ID, expanding SaaS support, feature evolution on data security, and more are driving change in the industry as customers ask for more capabilities. While the Cohesity and Veritas merger may be the latest in a series of acquisitions, it is not the only one. Some recent M&A activity over the past 18 months includes Veeam purchasing Alcion, Cirrus, and Coveware; Commvault purchasing Appranix and Clumio; and Rubrik’s acquisition of Laminar.

These acquisitions tell a story of increased consolidation, especially as large vendors look to add new capabilities quickly to their portfolio. Other vendors in the space have largely focused on augmenting existing capabilities with specific features by purchasing smaller companies and integrating them quickly. For example, Commvault’s acquisitions further its depth and breadth in cloud backup, specifically AWS. Veeam added backup-as-a-service capabilities and ransomware incident response. Rubrik expanded its posture management capabilities. The Veritas acquisition is more massive, however, and promises to reset the competitive landscape as well as set up the company for an eventual IPO.
What It Means For You

As noted in the Forrester report, The Data Resilience Solutions Landscape, Q3 2024, customers have been opportunistically switching from ill-fitting backup solutions to modern data resilience-oriented solutions, especially as they adopt cloud architectures and generative AI capabilities. But the transition to new tools is often slowed by the need to maintain recovery capabilities for existing backups and the number of production systems that those solutions must connect with.

This makes the current market moment important both to vendors and to enterprise customers. Cloud and SaaS adoption have collided with generative AI transformations to make organizations rethink how they secure, back up, recover, and govern their data. Because data resilience solutions are sticky and will be with your organization for a long time, make sure that you properly assess your needs. Reach out for a guidance session and take advantage of tools such as the Forrester Wave™ evaluation of data resilience solutions or our Technology Resilience Maturity Assessment to make sure that you are on the right path to keeping your data resilient.


The Twelve Days Of Revenue Operations Christmas

In the traditional English Christmas carol “The Twelve Days of Christmas,” a slightly overgenerous suitor bestows on their true love a series of increasingly lavish gifts to mark the yuletide season. The twelve days of Christmas themselves actually refer to the period between Christmas day and Epiphany, when the Magi are understood to have arrived at the mangerside of a certain recently born infant. Rather than waiting until then to post this blog, though, as today marks twelve sleeps until Christmas Day, I thought I would take the opportunity to suggest what a revenue operations-minded true love might consider as suitable stocking fillers.

- First day: a RevOps operating model. The right operating model avoids overreliance on job titles and reporting lines to configure a high-performing framework wrapped (naturally) in a set of operating principles.
- Second day: a revenue process transformation. Buyers are changing, and so must businesses to ensure that they continue growing, which requires changing their focus, work and culture.
- Third day: a campaign-aligned budget plan. Key to effective budgeting is building a campaign strategy that clearly connects goals, spending, and outcomes rather than treating the funding part as an afterthought.
- Fourth day: better marketing measurement. Relying on marketing-sourced revenue as a KPI, we like to quip, is the fastest way for a CMO to get fired, so ditch the sourcing metrics.
- Fifth day: a data quality strategy. At this time of year, it’s timely to remember that data quality is for life, not just for the holidays, which necessitates a suitable marketing and sales data strategy.
- Sixth day: operational excellence. Although frequently overlooked, streamlined and optimized processes are the bedrock to achieving successful B2B outcomes.
- Seventh day: AI tools for RevOps. Generative AI is widely deployed across B2B marketing, and RevOps teams have plenty of options to maximize their own efficiency and performance with AI, too.
- Eighth day: omnichannel-empowered buyers. The right technology enables B2B revenue leaders to win, retain, and grow customers by enabling buyers to buy how they want to buy.
- Ninth day: buying group-enabled martech. High-consideration B2B purchases are today made by groups of between four and nine people, likely requiring a revenue marketing platform that is suitably enabled.
- Tenth day: genAI-driven personalization. Among the top use cases for AI in B2B marketing, there are plenty of opportunities to leverage it throughout the buyer journey.
- Eleventh day: a ticket to B2B Summit North America. Taking place in 2025 on a new date (March 31–April 3) and in a new location (Phoenix, Arizona), B2B Summit North America will deliver solutions to the challenges facing B2B right now.
- Twelfth day: advice for the year ahead. Ranging from the rise of AI coworkers in B2B organizations to quitting trying to scale chaos, there is plenty of insight and guidance to be had.

The observant will have noticed that, unlike the gifts in the song, these are all in the singular. Putting aside what use anyone would have for ten leaping lords, for instance, certainly nobody needs more than one operating model or revenue process. As such, you’ll allow a little creative license, I’m sure!

And so, whether that special person in your life will place some or all of these items under the tree for you, I’m sure even a few of them will result in a small epiphany of your own. Happy Holidays!

“The Twelve Days of Christmas” as seen by AI: While the words aren’t quite right, they’re probably no worse than when most people try to sing it!


Your Car Is Listening To You. And So Are Hackers.

Skoda and Volkswagen are the latest vehicle manufacturers that have had vulnerabilities discovered in their cars that could allow malicious actors to execute code remotely. The exploits can range from tracking GPS coordinates and speed data to recording conversations in the car via the in-cabin microphone and, if skilled enough, even control functions such as stopping and starting the vehicle. These incidents confirm that security vulnerabilities with connected vehicles are ongoing.

In my recent connected vehicle security report, I discuss how modern cars are just a rolling network of internet-of-things devices connected through a gateway to the internet to communicate with the vehicle manufacturer. Depending on the car’s age, the car’s internal components can be brand-new (likely meaning that security considerations went into the programming) or a decade-plus old, so there’s no telling how many security vulnerabilities are inside a given vehicle. Along with that, modern conveniences like mobile apps for the infotainment system or remote start/stop allow owners to interact remotely with the vehicle through the internet, and like all internet-connected devices, hackers just love to discover new vulnerabilities that give them control of a device or vehicle, giving new meaning to the term “crashing the computer.”

The other issue with modern connected cars is that they collect a lot of data, from the car itself as well as from the devices connected to it. In 2023, a federal judge in the US ruled in a class-action suit that vehicle manufacturers have a right to use the data they collect from the car they sold you, including the phone logs and text messages you send through the infotainment system.
This is a serious privacy issue, but considering that many employees will connect their business or personal smartphones to their car, or to a rental, this now means that business data can be collected by these cars, shared with the manufacturer, and the automaker is then free to use that data as they see fit.

If that doesn’t concern you enough, Ford is now seeking a patent to record conversations that happen within its vehicles in order to serve you ads. Ads within a browser on your PC are bad enough, but in a car? This would mean that Ford (and possibly other automakers) could have access to any conversation you have in your car, which could potentially compromise business secrets or even national security secrets.

So what can be done about this? From a technological perspective, not much. Yes, as a business leader, you can utilize unified endpoint management solutions to gain better control of the mobile devices that are used for business within your enterprise and mobile threat defense offerings to secure this endpoint. But once that device is communicating with the connected car, you have little control over what info is shared with the car, outside of just not allowing that to happen.

From a business policy perspective, you need to institute policies that inform employees about how certain vehicles (especially newer ones) could be collecting business data and how to mitigate those risks. This is the same as existing policies that many organizations have implemented to educate employees on proper BYOD usage, such as not connecting to open Wi-Fi at the coffee shop.

There are a lot of privacy risks with modern cars, and more people are becoming aware of them. If you are interested in discussing how to improve the security posture of your connected vehicles, reach out and schedule an inquiry or guidance session with me today.


Shutting It Down: Why US Federal Restructuring Is More Normal Than It Seems

When President-elect Donald Trump declared that he would “shut it down” during his campaign, many dismissed it as mere rhetoric. Yet beneath the sound bite sits a policy approach that’s surprisingly ordinary — at least by international standards. It’s what many democracies call “machinery of government” (MoG) changes: administrative overhauls — common in countries such as Australia, Canada, and the UK — that align government functions with evolving policy priorities.

What Are Machinery Of Government Changes?

MoG refers to the administrative restructuring of government organizations: creating new departments, merging existing ones, or redistributing their functions. MoG changes enhance government effectiveness and efficiency by tailoring structures to serve the needs of the moment. In parliamentary democracies, prime ministers regularly wield MoG powers to respond to emerging challenges or shift priorities. For instance:

- Australia: The Department of Climate Change was reestablished to reflect renewed environmental priorities in 2022.
- Canada: The Indigenous Services portfolio was divided to address reconciliation with First Nations more effectively.
- United Kingdom: The Department for Business, Energy & Industrial Strategy was split into three distinct entities in 2023.

A Comparison Of US And Commonwealth Approaches

In the United States, MoG changes are disdained as chaotic political overreach, especially when considered through a partisan lens. The US, constrained by its separation of powers, requires Congress for major restructuring, making the process slower and more fragmented. By contrast, MoG changes are considered pragmatic in parliamentary systems, where more centralized authority enables swift changes.
| Aspect | United States | Commonwealth (e.g., Australia, the UK) |
|---|---|---|
| Decision-Making | President, with Congress’ involvement | Prime Minister/Cabinet decision |
| Legal Requirements | Often requires legislative action | Executive prerogative; less legislative input |
| Speed Of Changes | Slow; often crisis-driven | Fast, proactive, and systemic |
| Drivers Of Change | Crises or political mandates | Strategic policy shifts |
| Examples | DHS (2003); DNI (2004); CFPB (2010) | MBIE (2012); UK Health Security Agency (2021) |

Why More Systematic And Regular MoG Changes Could Work For The US

Adopting a more MoG-like approach to government restructuring offers several benefits. Future administrations — regardless of party — could use MoG changes to modernize government operations and better serve national priorities by:

- Aligning better with policy priorities. An MoG approach could reorganize departments to align with evolving national goals, such as reshaping energy and environmental agencies to address climate change.
- Improving civil service efficiency. The US federal government is notorious for duplication of effort. For example, over 40 federal agencies oversee food safety. Streamlining such fragmented oversight could cut costs and improve service delivery. The incoming Trump administration has proposed merging the Food and Drug Administration’s food safety responsibilities with the Food Safety and Inspection Service to create a single “Federal Food Safety Agency” to unify oversight.
- Increasing responsiveness to crises. The COVID-19 pandemic highlighted the limits of US bureaucratic agility. Establishing temporary crisis agencies or task forces with clear mandates — as is done in the UK and Canada — could help the US respond more effectively to future challenges, whether public health emergencies or natural disasters.
- Modernizing the bureaucracy. Eliminating redundant layers of bureaucracy and focusing on digital transformation would make federal agencies more responsive and transparent.
For example, the incoming Trump administration has said that it will consolidate narrow commissions and bureaus such as the Bureau of Alcohol, Tobacco, Firearms and Explosives. Similarly, Australia folded narrower agencies into a single Border Force.

- Enhancing customer experiences. By focusing agencies on customer journeys, the US government could make customer experiences more intuitive and efficient. Service Canada aligns agency operations around life events such as retirement, unemployment, or having a child. The Biden administration has already taken steps toward a journey-centric life events model (Forrester client access only).
- Simplifying politics. MoG changes could help reduce legislative gridlock by shifting responsibilities within the executive branch. While such changes would require careful planning to maintain checks and balances, they could enable administrations to implement necessary reforms without years of partisan negotiation.

Could this be the moment that the US federal government embraces MoG as a strategic tool for more effective public services? Let’s discuss.


Don’t Trust Vendor Claims About Getting 100% On The MITRE ATT&CK Evaluations

The MITRE Engenuity ATT&CK Evaluations 2024 results are out and, with them, another year of vendors claiming victory. As a reminder, these evaluations have no winners or losers — just sweet, sweet data. Case in point, MITRE ATT&CK tracks and tests on techniques that could be completely benign, even something as simple as T1059.004, which launches a Unix shell. Depending on the user, this could be a totally normal activity — but it could also be an attacker. Similarly, T1059.002, using AppleScript, could be perfectly legitimate and was actually used in the test to generate benign noise.

If a vendor says that it achieved 100% on the evaluations, it is likely doing one or more of the following:

- Manipulating the results by only showing parts of results that they feel benefit them
- Turning on settings in the product that are unrealistic for a real-world environment so as to appear more effective
- Treating the results as a competition instead of a learning opportunity and a chance to improve the product

So long as you look at these evaluations as informative data, not providing winners or losers, you can get real value out of the results. With all that silliness aside, let’s get into what you need to know.

The evaluation broke new ground with macOS.

The evaluations focused on two adversary scenarios: ransomware targeting Windows and Linux (CL0P, LockBit) and DPRK targeting macOS.

Range operating systems

- Windows: Windows Server 2022, Windows 11
- Linux: Ubuntu 22.04.x LTS
- macOS: OS: macOS Sonoma 14.x; Arch: Apple Silicon

The focus on macOS is a new addition to the evaluations. It’s exciting to see this type of evaluation cover macOS, as the capabilities that tools have on this OS tend to be more of a black box than the more well-tested capabilities on Windows and Linux. The evaluations take place over several days per vendor.
They kick off with detection rounds, then allow a day for configuration changes and retests (which could include deploying additional detection rules, gathering additional telemetry, making changes to the UI, etc.). The protection round is executed last. All emulations were done post-compromise to examine the detection and protection capabilities once an adversary gained access.

Background noise and alert volume make the detection results especially useful.

One interesting hurdle MITRE introduced this time is background noise and false positives. In this round, MITRE generated additional signals to serve as background noise and tracked false positives. This tests the product’s ability to only find truly malicious behavior and not alert on benign activity. It also makes it more difficult for vendors to crank up the detection capabilities to alert on everything, which has skewed vendor results in the past.

MITRE also introduced a “volume” metric. This was a much-needed addition, as in the past, some vendors issued thousands of alerts in a single scenario, which, in practice, leads to a lower-quality analyst experience. Now, the results show exactly how many alerts were triggered for each scenario and the severity of those alerts.

Protection micro-emulations give more granular results.

There was a separate emulation plan for protections (though still focused on ransomware) than detections this year, which helped keep the test realistic. In addition, MITRE tested protections via micro-emulation plans, which MITRE defines as compound behaviors involving a short series of related ATT&CK techniques that are frequently used together in real-world attacks. Instead of running the entirety of the emulation end to end, MITRE bundled a select few techniques together. For example, Test 1 looked at enumeration and exfiltration via batch script and rclone (a combination of added noise [T1059.003, T1105, T1021.001] and actual activity [T1560.002 and T1048.003]).
This is not the full scope of the attack, but it is a series of steps that are common in attacker activity. Using micro-emulation plans is important when testing preventive controls: instead of having an attack blocked from the very start, this lets you see exactly how effective the tool is at blocking each portion of an attack.

It’s important, however, to remember that expecting a tool to block every micro-emulation plan is unrealistic, as certain actions should not be blocked in isolation. For example, archiving collected data and then exfiltrating it, as mentioned above, is not necessarily malicious. Some prevention methods rely on understanding user behavior or indicators of compromise. Further, due to the constraints of the test, the testing doesn’t consider locking down user account permissions based on use case or some of the tuning that happens over time with analytics about typical user activity.

It’s still difficult to know what to do with the results.

The MITRE team has put a lot of work into making the results consumable via a very easy-to-use results page that lets you compare and contrast different vendors, see screenshots of their capabilities, and clearly see alert volume. We highly recommend looking through this page. With that said, we will be releasing a more in-depth report in the coming months that provides more complete details on the evaluation results and how to use them. Stay tuned, and if you’re a Forrester client, book an inquiry or guidance session with me if you have more questions.


The Average B2B Firm Invests 8% of Revenue In Marketing — But That’s Not The Whole Story

It’s “finalizing budgets time” for many CMOs and senior marketing leaders. This time of year, we see peak interest from clients who want to calibrate their budgets and understand how their industry peers are investing in marketing. Often, this is to counteract pressure to decrease marketing budgets — or to advocate for an increase, given that marketing targets typically go up each year. Questions about the ROI of marketing also abound because investment in marketing, annual target setting, and measuring impact typically go together. (TL;DR — Here’s my advice: Don’t rely just on mean investment percentages to plan your budgets.)

Global Means Don’t Mean Much, But Details Such As Industry And Revenue Do

According to Forrester’s 2024 B2B Marketing Budget Benchmarks: Overview (client access only), the average B2B firm invests 8% of annual revenue in marketing. What does this mean for your business? Perhaps not much by itself. Why? Because this percentage is based on averaging a sample of nearly 500 organizations that show significant variation in their marketing investments.

While the largest group of our survey respondents invest between 7.1% and 10%, when we segment the data by industry or annual revenue, we find that there are a lot of ways firms get to that 8% mean. For example, some industries, such as retail and wholesale, cluster tightly around the global mean while others, like production and manufacturing, have a much broader distribution. But in both cases, the mean investment as a percentage of revenue is the same — rounding to 8%.

The same holds true for B2B marketing budget allocation by revenue band: Global averages belie the diversity of investment found within and across firms with different revenues. This is why Forrester doesn’t publish only a mean investment percentage.
Instead, our B2B marketing budget benchmark reports provide much more depth, analyzing budgets across numerous dimensions including industry and revenue band as well as global/central vs. regional and business unit investments; programs, personnel, and technology splits; and even more detailed breakdowns within marketing subfunctions.

Ways To Leverage Forrester’s B2B Marketing Budget Benchmarks

Forrester clients can use our B2B marketing budget benchmark reports to:

- Access budget benchmarks with unmatched depth.
- Engage in an annual benchmarking exercise to compare their marketing investment with peer set data, review analyst recommendations for optimizing allocations, and collaborate on making the case for increased marketing investment.
- Request custom views of our B2B marketing budget data specific to their needs.

Clients regularly share that this customization and context generate even greater value when applying our benchmarks. We work side by side to ensure that they have up-to-date, compelling data and business cases to accelerate marketing-driven growth for their organization.

How To Get Started

Forrester clients should start with our 2024 B2B Marketing Budget Benchmarks: Overview and The B2B Marketing Budget Data Hierarchy, 2024 reports, as well as schedule a Forrester Decisions guidance session or inquiry. If you aren’t yet a client, click here to explore becoming one.

Join Us At Forrester’s B2B Summit

We’ll be hosting a roundtable session on best practices and risks to avoid with B2B marketing budget allocations at Forrester’s B2B Summit North America, in Phoenix from March 31 to April 3, 2025. Come join us and network with your peers as part of this lively discussion!


2025 Will Be The Year Of AI Maturation And Solidification In India

2024 has been a year of profound transformation. Major elections, political unrest, wars, civil uprisings, and ongoing supply chain disruptions have created global turbulence. Despite these challenges, a silent technological revolution is driving fundamental shifts in human behavior, community interactions, societal structures, and government services. This revolution carries the potential to redefine economies and reshape how governments and enterprises function.

India, amidst this global upheaval, has emerged as a beacon of resilience. Outperforming every large economy, it leverages its status as a hub for leading IT service providers and offshore development centers. Simultaneously, India’s thriving startup ecosystem is pioneering innovations in AI for defense, drones, satellites, data analytics, and cybersecurity. As these advancements take root, 2025 is set to become the year of AI maturation and solidification.

Forrester has identified the following four predictions for India in 2025 that will impact enterprises, service providers, and software vendors.

Most enterprises fixated on AI ROI will scale back prematurely.

Forrester research highlights a growing challenge in AI investments. About 24% of AI decision-makers require an ROI of 51–75%, and 8% expect 76–100% ROI to consider their AI initiatives successful. Meeting these expectations remains elusive, however, due to high up-front costs, intangible benefits, rapidly evolving technologies, and privacy or regulatory challenges. In 2025, enterprises will shift their focus from ambitious, organizationwide AI implementations to targeted, practical use cases. These include customer service support, intelligent chatbots, automated report generation, and contract analysis. To adapt, organizations will increasingly rely on partners for proven use cases, prebuilt templates, and AI toolkits.
They will also prioritize building internal capabilities by upskilling employees or recruiting talent in AI, data science, and analytics to ensure sustainable progress. Implementation challenges will stall more than 50% of agentic and AI agent efforts. Forrester defines agentic AI as advanced AI systems, powered by foundation models, that demonstrate a high degree of autonomy, intentionality, and adaptive behavior, extending beyond the capabilities of traditional and deterministic AI agents. These systems can plan, make complex decisions, and adapt to changing environments, thereby driving toward the highest levels of autonomy in complex process execution. Agentic AI leverages the capabilities of large language models by using primitive reasoning loops to accomplish a task from end to end in ways that weren’t possible with simple prompt strategies. Based on computer scientist Andrew Ng’s work, agentic AI is characterized by four design patterns, to which we’ve added two of our own: reflection, memory, planning, tool use, multiagent collaboration, and autonomy. We are still in the early stages of development of agentic AI technologies and platforms. It’s an evolutionary phase that will take time, but there is lot of noise in the market on it, which is confusing enterprises. Enterprises still need to get their basic act together, including having a proper data strategy and governance in place, working with the overall business in understating the business cases that can be solved using agentic AI, and working with partners and software vendors to work on building templates and toolkits for easy adoption of agentic AI solutions. The top 10% of USD $1 billion-and-above IT service providers will start delivering 30% of their core services through AI-enabled platform services. A Forrester survey underscores why enterprises engage service providers: 33% value their expertise in emerging technologies, while 32% appreciate prebuilt accelerators and software. 
Service providers will capitalize on this demand by deploying AI-enabled platform services (APSes) to streamline operations and enhance service delivery. These platforms automate essential subprojects such as legacy system assessments, code review and migration, workflow optimization, and data modeling. By reducing manual effort, APSes boost efficiency, ensure higher quality, and cut costs. This transformation enables service providers to offer fixed-price models that focus on measurable outcomes like cost reduction, revenue growth, and market expansion — shifting away from traditional billing practices tied to full-time-equivalents or change requests. Service-as-software will push 20% of midsized services vendors out of business. Forrester’s Software Surveys from 2023 revealed that 9% of companies spend three times their application costs on services, while 20% spend twice as much. Enterprises will increasingly seek to reduce these expenses by adopting service-as-software (SaaS-like) solutions. Service-as-software integrates customizable AI-powered building blocks into prepackaged solutions, minimizing the need for extensive implementation or customization. These solutions can be deployed like traditional software, hosted either on-premises or in the cloud and configured to meet specific organizational needs. Larger service providers will dominate this market, offering expansive service-as-software portfolios or leveraging marketplaces to scale their offerings. Conversely, midsized service vendors face an existential challenge. They must either specialize in niche processes or verticals or expand their breadth of services as software. Without a clear strategy, many will struggle to remain competitive, potentially leading to a 20% reduction in this segment. Start Planning Today For What’s Coming Tomorrow To learn more about our predictions for the coming year, Forrester clients can access our Predictions reports. 
Use the following research to guide you on your path to success in 2025. AI Agent Platform Selection The State Of AI Agents, 2024 Top Emerging Technologies: AI Agents With Agentic AI, Generative AI Is Evolving From Words To Actions source


B2B Marketing Predictions 2025 For India CMOs

Earlier this month, we wrapped up Forrester’s India Predictions 2025 event. I look forward to this event every year, and this year was no exception. This year’s event for India saw record turnout, with over 350 participants, including marketing and tech leaders, across three cities in India. The conversations were insightful and engaging, setting the stage for discussing the predictions we had lined up. Here is a summary of the key marketing predictions for India for 2025.

Prediction 1: CMOs and CSOs will aim to reorganize in 2025, but half will fail to fix what ails them.

We predict that CMOs and CSOs will aim to reorganize their processes and teams, but half of these efforts will fail to address underlying issues. Forrester’s Q4 2023 Demand Marketing Organizational Design And Process Survey uncovered that many organizations are embarking on transformation projects, change management, and AI-driven disruptions to drive growth. Despite these efforts, only 12% of marketing leaders believe that their current organizational design will help them meet revenue targets over the next year. This lack of confidence will drive more reorganization efforts in 2025. Organizations may attempt to address competency gaps with quick moves such as moving partner ecosystem marketing under the CMO, swapping revenue development reps between sales and marketing, or rebranding revenue operations under a “go-to-market” title, but superficial changes won’t suffice. Instead, the focus should be on resetting strategy and planning around customers, developing shared KPIs for marketing and sales teams, fixing broken revenue processes, improving operational effectiveness, building stakeholder trust, and enhancing talent to blend human and machine competencies.

Prediction 2: Generative AI will drive B2B buyers to consider more vendors in the purchase cycle.

We predict that generative AI (genAI) will drive 50% of B2B buyers to consider five or more providers for large purchases but will still shrink buying cycles. GenAI has been adopted faster than any technology in history, significantly changing B2B buying behavior. Forrester’s Buyers’ Journey Survey, 2024, revealed that B2B buyers are now spoiled for choice, with genAI aiding in more thorough research during the sourcing and provider evaluation process. A survey of nearly 600 Asia Pacific purchase influencers involved in B2B purchases of USD$1 million found that 91% of business buyers using or planning to use genAI reported achieving better business outcomes. Additionally, 65% of buyers considered more than one provider, with one-third considering five or more vendors. GenAI is also compressing the buying cycle, with 65% of buyers who are using genAI to inform their purchases reporting quicker decision-making. Marketers must respond to this compressed sales cycle by reaching buyers before they enter an active sales cycle, focusing on their core target audience, and optimizing their generative presence.

Prediction 3: AI coworkers in marketing will become commonplace.

We predict that AI coworkers will emerge as valued team members in two out of five organizations but won’t affect marketing departments’ headcount in 2025. AI may eventually reduce the human marketing function, but this won’t happen in 2025. While AI-powered assistants are becoming smarter, marketers still don’t fully trust them (29% of genAI decision-makers say that lack of trust in AI is a significant barrier to adoption). Investment in B2B conversation automation solutions continues to grow, with 55% of global B2B marketing leaders planning to increase spending on this technology. This will expand further in 2025 to support use cases requiring real-time contextual insights and output to fuel marketing and sales processes. As AI-powered chatbots and assistants evolve from experiments to essential components of the B2B martech stack, they will become trusted coworkers working alongside humans, supporting a wide range of use cases across the growth engine, engaging prospects and customers in conversations across channels, and automating back-end tasks with greater autonomy. It is crucial for organizations to get started with agentic AI solutions to drive greater efficiency and effectiveness in process workflows.

If you would like to discuss how your company can benefit from these predictions and build a more effective marketing organization, feel free to reach out by contacting us.


Three Things To Know About How Security Team Toxicity Can Increase Breach Risk

When Forrester published research on toxic security team culture in 2020, we revealed that an unhappy security team can result in infighting, unhappiness, and aggression. Not only will this toxicity cultivate an unpleasant environment, it also has the potential to put your organization at risk. Our 2023 research into burnout in cybersecurity called out that burnout is not only a human issue — it’s a cyber risk. What we didn’t know at the time was the extent to which toxic and burned-out teams result in more breaches.

Our latest research into security team toxicity, Security Team Toxicity Leads To More Breaches, shows that engaged, healthy, psychologically safe, and collaborative security teams experience fewer breaches. We now have tangible data to stop us from brushing human-centered issues, such as burnout and toxicity, under the “soft” skills carpet, choosing instead to focus on the known and familiar — technology. Security leaders should know that:

Security teams whose members aren’t emotionally engaged with or attached to their work report nearly three times the internal incidents and slightly more external attacks than those who feel attached to their work.

Security teams that suffer unacceptable levels of absenteeism — possibly due to burnout, heavier workloads, condensed resources, shorter timelines, and increasingly complex attacks — report more internal and external breaches at their organizations.

Security teams that fear retribution if they raise issues that affect the organization’s risk posture may leave damaging issues unaddressed. Teams that lack this psychological safety report more breaches, including 3.5 times more internal incidents than the global average.

The health and culture of a team and its members is more than just a nebulous or benevolent idea to strive for — it has a direct impact on how effectively you can function and defend your organization. It’s time to redress the balance from tech to ensure that you foster a positive team culture and workplace environment. This isn’t just a human issue — it’s a cyber risk imperative.

Forrester clients can schedule a guidance session or inquiry with me to discuss the risks associated with security team toxicity and how you can build a security team culture to be proud of.

This blog was written with the assistance of Research Associate Chiara Bragato.
