Forrester

Forrester’s US end-of-year holiday season forecast for 2024 is live! Forrester defines holiday retail sales as the purchase of durable and nondurable goods that consumers make during November and December. These sales don’t include automotive and gasoline sales or spending on services, such as food and drink services at restaurants. What can retailers and brands expect this year? A few highlights from our just-released forecast: US total holiday retail sales in 2024 will top $1 trillion — up 3.7% year over year from 2023. That includes holiday sales made online and offline (e.g., in stores). We forecast that US shoppers will spend about one-quarter of that total specifically online — 10.1% year-over-year growth from 2023. US shoppers will spend the balance of the holiday season forecast in-store/offline — smaller year-over-year growth than in 2023 and 2022 but growth nonetheless. As in previous years, we see that retail specials around events like Amazon’s Prime Big Deal Days have pulled some holiday spend into October. Favorable macroeconomic factors are bolstering the outlook for 2024 holiday sales. Plus, deflation — whereby prices actually come down — is happening across numerous durable and nondurable goods categories. That said, a recent US Federal Reserve study shows that wealthier households are the primary drivers of US retail sales, supported by rising asset prices, particularly in housing and stocks. The benefits of wage growth are not evenly distributed across all segments of the workforce; blue-collar workers have seen only modest growth in real wages. To learn more, please see our forecast report. If you’re a Forrester client, please schedule a guidance session or inquiry with me to discuss the forecast in more detail. source

“Nobody wants to admit that their own death is coming soon.” Low-code has been swinging the pendulum away from off-the-shelf applications and toward custom development for years. There are good reasons for this. When practical, fit-to-purpose software is best. And the lower cost, risk, and lead time of low-code development — coupled with an expanded developer pool, easier integration, management of apps on a common platform, leveraged licensing, etc. — makes it much harder to justify off-the-shelf software licenses and vendor sprawl. AI-powered enterprises will “build” software instead of “buy” it — and many applications in enterprise portfolios will consolidate onto low-code AppGen platforms. Until recently, this shift was typically unplanned and organic. Even as firms scaled low-code and told us that they were buying fewer apps and building more instead, they were often surprised to realize that their practices and view of “build vs. buy” had changed. It had just sort of happened along the way. But now, this “build first” mindset is becoming a deliberate enterprise strategy. Here is a sample of comments we’ve received from enterprises over the last few months: “We’re freezing all new app purchases. We start by developing [on low-code platforms].” (CIO, North American energy enterprise) “For new applications, our recommendation is [low-code platform] first.” (IT director, global engineering firm) “AI tilts the floor. We see a move away from the big enterprise apps. You’ve got a lot of single-purpose SaaS tools that are expensive when you put them all together. Some of those will collapse into one low-code platform.” (Partner, global consultancy) This last quote hits to the heart of the trend. Advancements in low-code and development practices already made the “build first” and “platform consolidation” strategy unavoidably practical. But it’s generative AI — and its killer use cases in TuringBots and low-code AppGen platforms — that has served as the accelerant for more firms to recognize these conditions and embrace them. AI-powered AppGen platforms will drain the competitive “moat” of domain knowledge encoded in off-the-shelf business apps. There are two benefits of genAI in software development that tip the scales: 1) even more speed and ease throughout the SDLC (self-evident) and 2) the infusion of business and industry “domain knowledge” through AI models into the development act. This second point is monumental. The typical remaining “moat” for many business application vendors is the “domain knowledge” and “industry best practices” encoded in their off-the-shelf software. AppGen will drain this moat. Even a vanilla large language model knows what a CRM is and how it’s put together, or what a truckload shipment process looks like, or what the airspeed velocity of an unladen swallow is. And AppGen platforms make this domain knowledge instantly available in the development act. This means you can ask the platform for the app you need and get it — like the gentleman we interviewed who generated an app for managed sea containers and their documentation. He marveled that the platform knew “his” industry! Where’s all this going? Over the next several years, these factors will lead to market consolidation as enterprises retire many of the apps in their portfolios (both off-the-shelf and custom) and replace them with bespoke, dynamic applications delivered using AI on low-code AppGen platforms. True story: a frank conversation with an enterprise software vendor. There are caveats to this prediction. Some specific app functionality is too high-risk and legally bound to be done custom by the typical firm (e.g., general ledger), some app vendors will become AppGen platforms themselves, some apps have legitimately differentiated technology that’s not easily replicated, and so on. But the many applications of the business world, which are basically collections of the same generic, fungible software components rearranged into different industry and use case patterns, is clearly under threat. And the vendors know it. To illustrate: Several months ago, we interviewed a leader at a significant software vendor. This vendor’s flagship product is an application in one of the major “three-letter acronym” enterprise software categories (such as ERP, CRM, HCM, etc.), which from here on we will refer to as “app.” In our discussion, he said: “Fast-forward five years. Building an [app] is going to be very easy. Half a dozen prompts, and something will work for you, and it’s going to be very specialized to your use case. So what is the value of our own [app] product? Or anyone’s [app] product for that matter? In 10–15 years, people won’t be buying our software. We might not even be slinging [app] anymore … that product could go to zero; we’re not going to be pulling money that way. People will be accessing that functionality through different mechanisms. There has to be the next-level step of where the value is going to be provided.” We agreed. Many trends in AI and software development point to it, and we had years of research backing it up. But outside our research, we’d never heard the point so boldly and clearly stated. So we asked, “Why are none of the software vendors talking about this?” His response: “Nobody wants to admit that their own death is coming soon.” source

The seasons are changing, Christmas catalogs are arriving, the clocks have shifted back an hour (in some countries) … yes, the new year is coming. While we don’t advocate for closing the books on 2024 yet (it’s only November, after all!), now is a great opportunity to consider what’s in store for next year. On the privacy front, will there be new regulations? New enforcement? Let’s break down key trends. In The US: More Laws, More Enforcement A new administration is likely to bring significant changes, especially at agencies such as the Federal Trade Commission. From a regulation standpoint, we’ll likely see more action at a state level than a federal one: More states will adopt their own privacy regulations. This is admittedly a prediction, not a surety, but a handful of states have bills making their way through the lawmaking process. We expect at least one or two to advance and be signed into law next year, further complicating the regulatory patchwork of privacy laws in the US. First-time enforcement of newer state laws will cause headaches. Laws that went into effect in 2023 and 2024 may be enforced for the first time in 2025. As we’ve seen from earlier privacy laws, enforcement is a harsh but effective tool for defining key terms (like California’s fine of Sephora defining “selling data”) and the scope of laws. Compliance teams will be busy monitoring enforcement action, which will likely have ripple effects on their relationship with the marketing team and how much leeway they grant marketers to operate in regulatory gray areas. Noise (but not necessarily progress) around a federal law will continue. Concerns about how much data things such as connected cars capture and major security breaches like what happened with Change Healthcare are driving renewed lawmaker interest in data privacy and security. Even if a federal law passes next year (which is unlikely), there would be a multiyear lag before it’s enacted and enforced. In The EU: A Focus On AI Investigations We don’t expect to see any significant changes or updates to existing privacy rules in Europe in 2025. But don’t mistake that to mean the privacy waters are calm. Far from it: Data protection authorities will be the real privacy movers, not lawmakers. Data protection authorities’ activity will be more interesting than lawmakers’ next year. With multiple open investigations of generative AI apps (mostly OpenAI), we will likely see some decisions coming — possibly against the providers of genAI models at first but later against companies using customer and employee data to feed, prompt, or otherwise interact with genAI models, as well. EU AI Act enforcement will establish clearer safeguards for AI. Enforcement of the new EU AI Act will start in February, initially as a private right of action on certain requirements. But in August 2025, authorities including the EU AI Office and the data protection authorities will start enforcing requirements on general-purpose AI models/systems, and this is something to watch. For full guidance on the EU AI Act, see this report. The ePrivacy Directive will continue to stall. The only piece of legislation currently undergoing an update is the ePrivacy Directive (also known as the “cookie directive”), but it has been stuck at the trilogue stage for several months. The European Parliament, Commission, and Council cannot find an agreement on the final draft of the legislation. We believe that the failure to identify a viable alternative to the management of third-party cookies, and of cookies more generally, contributed significantly to the delay in the legislation. In APAC: Strengthening Laws, Enforcing New Frameworks, And Factoring In AI The APAC region is poised for significant advancements in data privacy regulations. Here are three key trends to watch: Countries will strengthen existing regulations. Long-existing privacy regulations in the region will get important updates in 2025. Australia Privacy Act reforms will introduce stronger penalties, new protections for children’s data, and stricter rules for automated decision-making. An update to the Act on the Protection of Personal Information in Japan will implement new rules for biometric data, children’s data protection, a stricter opt-out scheme, and enhanced enforcement mechanisms. Newer regulations will be in full enforcement. After the latest Personal Data Protection Law (PDPL) in Indonesia came into enforcement on October 17, the other two newer privacy regulations will follow suit in 2025. India’s Digital Personal Data Protection Act, effective August 2023, and Vietnam’s Personal Data Protection Decree, effective July 2023, will see full enforcement by 2025. AI regulation will expand. The EU may have led the way, but as AI technologies become more integrated into everyday life, APAC countries are also updating regulations to address AI challenges. New provisions will be introduced in Thailand’s Personal Data Protection Act in 2025 to regulate the use of AI. These provisions will ensure that AI systems are transparent, accountable, and do not infringe on personal privacy. Updates to China’s Personal Information Protection Law to include specific guidelines for AI technologies are expected to take effect on January 1, 2025. If you need help making sense of the rapidly changing privacy landscape and what it means from a compliance, marketing, and customer experience perspective, schedule a guidance session! And don’t miss our webinars on our cybersecurity, risk, and privacy and B2C marketing predictions for 2025. source

The International Air Transport Association (IATA) — the trade association for world airlines, representing over 330 airlines and over 80% of global air traffic — announced a new framework and plans for using decentralized digital identity (DDID) to provide end-to-end travel experiences for domestic and international passengers. The experience includes check-in, immigration/border controls, and boarding. Despite recent negative developments around DDID adoption (such as the Sovrin Foundation likely shutting down MainNet operations), IATA’s announcement has the potential to find market traction. Here is why: Proven past track record. Digital COVID-19 immunization certificates (Travel Pass) for travel use cases were utilized by IATA and ICAO (International Civil Aviation Organization) and were based on W3C (World Wide Web Consortium) DDID standards. A study found personalization of the digital experience to be an important factor in overcoming adoption barriers, so there has already been partial adoption and implementation of DDIDs, albeit on a much smaller scale. This proves to airlines that IATA has the technology to implement DDID-based digital identities. Business need. There is a business need (with forecasts calling for a doubling of global passenger volume by 2040 from current levels) to offer a better customer experience to travelers, one that is cost-efficient and doesn’t increase airlines’ and airports’ operational costs. Automation, technology, and digitized solutions play a key role in improving the entire passenger journey from online check-in to boarding. IATA and ICAO’s current power and influence. IATA has significant influence in the global airline travel industry. All airlines need to comply with and follow current and upcoming IATA regulations. This means if IATA makes this digital ID a reality, it will gradually apply to all travelers. IATA is in a great position to operate the blockchain network behind its recently proposed DDID framework. Governments’ increasing issuance of digital identities. IATA’s proposal builds on governments’ digitally issued identities natively. Given the Global Acceptance Network’s rollout for further standardization of trust for DDID, as well as the European Union’s eIDAS adoption, IATA’s chances of amalgamating trust are high. Currently, there are no DDID-based IATA passenger ID ecosystems in live production. Forrester expects actual implementations within 18–24 months. Forrester customers who have questions or concerns about DDID should schedule an inquiry or guidance session with me. source

Data ingestion into security information and event management (SIEM) is too expensive. In fact, it’s so expensive that “How do we reduce our SIEM ingest costs?” is one of the top inquiry questions I get from Forrester clients. And the problem is not new — security leaders have struggled with managing their SIEM budget for over a decade. Visibility without actionability is an expensive waste of time. The increasing spend in SIEM is driven by a few factors. First, the shift to the cloud produced more data to intake and store. To scale at the rate of ingest, SIEM vendors moved their offerings to the cloud — a shift that necessitated ingest-based pricing to balance out cost. But most importantly, the crux of SIEM cost challenges stems from the belief that more data in the SIEM is better. Security is a big data problem, right? More data, more visibility, more insights … right? Not quite. Data — and subsequent visibility into that data — is meaningless without actionability. Data is brought into the SIEM for compliance requirements and for alerting on potential attacker activity. To alert on attacker activity, a human being needs to build a rule. Visibility into the data is only half the battle. You could have all the visibility in the world, but without those rules, you will not find the attackers consistently and in a more automated way. Instead, we recommend focusing what you ingest on what’s most important for compliance and alerting. But it isn’t always easy to do so because: Logs have extra fields that you don’t always need. The structure changes and is different between vendors. You want some logs to go to a certain datastore with others elsewhere. You may want to redact data for privacy reasons. Further, indexed data can often become 3–5x the original size. SIEM vendors have the ability to address some of these challenges, but the capabilities tend to be limited and cumbersome to use. The vendors haven’t created effective tools for log size reduction or routing especially, since it directly opposes their own interests: getting you to ingest more data into their platform and, therefore, spend more money with them. Data pipeline management tools reduce data preparation. This is where data pipeline management (DPM) tools for security come in. DPM tools can route, reduce, redact, enrich, or transform data. The benefits of a purpose-built data pipeline tool are to reduce the data preparation necessary to interpret the streams of data and events specific to security insights. With increasingly distributed and disparate systems, a purpose-built data pipeline tool is designed to address complexity of classification, integration, and modeling data for analysis. Security teams get immediate value from its ability to reduce log sizes and thus ingest costs. In the longer term, however, much of the value comes from storage tiering or data routing — being able to redirect data to the storage location of your choice. For example, short-term data valuable for incident response can be routed directly to extended detection and response (XDR), while data for compliance requirements can be directed to longer-term, cheaper storage. This can be useful across the business, especially for those that have data storage requirements for different use cases such as compliance, detection and response, or IT. When it comes to DPM tools for security, Cribl is one of the earliest to market and the most ubiquitous, but others such as Tenzir, Tarsal, DataBahn, Calyptia, observIQ, and Observo AI are also built to manage data pipelines for security use cases. Some SIEM and XDR vendors are also building more robust data pipeline management capabilities, like Splunk’s Data Management Pipeline Builders and CrowdStrike’s CrowdStream (CrowdStream leverages Cribl). Generic DPM tools lack security-specific context. Data pipeline management tools are not new; your enterprise likely uses them already, especially on the data team, but they are likely not specific to the security use case, which makes them more cumbersome for the security team to retrofit to support the security use case. For example, it will become more difficult to transform data to align to a standard like OCSF (Open Cybersecurity Schema Framework), since generic tools will not support the framework. The tools may also lack the integrations into security tools you need. With that said, in upcoming reports, Forrester will be releasing research on data use case crossover and consolidation. In December, I’ll be speaking on security data management strategies at Forrester’s Security & Risk Summit in Baltimore, Maryland. Come join us and get your questions answered! In the meantime, if you have any questions about data pipeline management for security and IT, request an inquiry or guidance session with me or one of my colleagues. source

When B2B marketing leaders start their annual planning, they often lack some critical input. That keeps their plans from being as effective as they could be — and often, it means that marketing activities won’t support business objectives. In my previous post, I explained how the Forrester B2B Marketing Planning Process provides a structure for annual planning efforts. In this post, I will share the three types of information that need to be gathered, distilled, and integrated into a marketing plan. The Business Strategy Is An Input Into Marketing Planning Marketers building a plan need to understand the company’s strategy and how it translates into what the company wants to become, how it plans to get there, and how it will reach buyers. In addition to aligning with the strategy in the plan year, the strategy indicates what needs to be in place in subsequent years, and that may require marketing action in the current year. This information often comes from your C-suite. In an ideal situation, it is part of a documented strategy that has been developed and that coordinates vision, growth, routes-to-market, and operational realities across the sales, marketing, and product functions. But often, this information is not communicated beyond the executive team. And to make it even more challenging, it is aspirational, spans multiple years, and may be too vague to use for planning. Marketing leaders must translate this strategy information into brand, audience, value, and operational terms to know how this will affect marketing priorities, team alignment, marketing annual goals, and resource requirements in the coming year or two. Target Audiences And The Offering Portfolio Are Inputs Into Marketing Planning A marketing plan needs to reflect an understanding of the audience for the company’s offerings and how the offerings will evolve over the plan’s timeframe. If new product offerings or competitive initiatives are in the cards, marketing needs to prepare. Audience and offering information usually can be found by working with your product management and product marketing teams and through your business unit leaders. Ideally, there is a timeline for new product introductions as well as target buyer personas, clarity around buyer needs, and an understanding of the buyer’s journey. Sometimes it can be challenging for marketing to gain access to this information, but clearly conveying how this information will inform near-term and intermediate-term marketing efforts should make it easier. The Business Revenue Plan Is An Input Into Marketing Planning Without an understanding of the revenue plan, marketers are flying blind. It is essential to understand the proportions of revenue that will come from both prospects and existing customers, including retention, upsell, and cross-sell. It’s essential to understand the distribution of planned revenue by route and geography so that the marketing programs that come from the marketing plan are pointed at the right regions and on the right sales teams, partners, and marketplaces. Also important is setting expectations for executive leadership as to what marketing will achieve to support the revenue plan. While we at Forrester try to get our clients to think about measuring marketing engagement that drives desired revenue outcomes, we also know that many companies are still focused on marketing-sourced and -influenced revenue. Without a clear view of the overall revenue plan, committing to contribution levels is a wild guess. The next step of marketing planning is to figure out what to do with all this information. (Hint: You use it to gain alignment on objectives, set an overall approach to interacting with the many audiences you are targeting, set priorities and quantifiable goals, determine action plans, and identify risks.) In my next post, I’ll outline how this information is brought into the B2B Marketing Planning Process and used to develop the B2B-Marketing-Plan-On-A-Page Template (client-only; non-clients can access a version here). source

I am excited to announce The Forrester Wave™: Point-of-Service Solutions, Q4 2024. When we last evaluated this market in 2018, new cloud point-of-service (POS) solutions offered the safety and excitement of reliability, plus features to engage customers. The goals for POS haven’t changed much in those six years. Then and now, retail firms expect POS to drive omnichannel sales, deliver brand consistency across the empowered consumer’s path to purchase, and boost store associate productivity. What has changed is the internet’s impact on offline retail sales and the demand for seamless omnichannel services. Even in the grocery sector, consumers use digital touchpoints in-store and appreciate convenient checkout and fulfillment options. As a result, more retail firms are assessing their POS technologies and replacing slow or limiting POS solutions that can’t keep up with evolving expectations. Customer references for this Wave mentioned modern architecture, ease of use, and interoperability as key requirements for their new POS. But strategy and partner relationships often sealed the deal. References shared comments such as “We knew we could inform some of the way [the vendor] built [the POS],” “The vendor shared a compelling vision and has delivered on that vision,” and “They keep adding features to meet our needs.” Today’s POS buyers aren’t just looking for a bunch of features to check off their list. They’re also looking for a strategic partner that knows their business and is committed to helping them grow and rapidly adapt to whatever lies ahead. So what do you need to know when selecting a new POS? Vendors differ in how they: Support traditional and emerging checkout experiences in the store. Although most POS vendors provide a responsive UI, they do not equally support fixed, mobile, self, and automated checkout. Some offer comprehensive self-checkout systems with specialized interfaces, kiosk integrations, management tools, etc. Others excel in mobile experiences, utilizing native capabilities such as push notifications for pickup orders. Few have extensive deployments across all touchpoints. Leverage integrations to provide value beyond in-store checkout. A connected and informed POS that easily integrates with adjacent solutions is table stakes. Retail firms expect their POS to not only “see” what’s happening across the business, but it must also expose that data to users in a way that’s maximally useful. This means sleek interfaces and tools that are purpose-built for value-added functions such as clienteling, store fulfillment, and inventory management. Empower nontechnical practitioners to customize the POS experience. Vendors differ in how they equip users with no-code/low-code tools. Some vendors offer sophisticated visual editors that enable nontechnical practitioners to easily adjust the front end, such as modifying the checkout flow, configuring promotional offers, or updating digital receipts. These tools enable quick changes without requiring technical expertise. You can read our full Wave evaluation here and our market overview research on the 2024 POS landscape here. We’ll also host a webinar in early 2025 for Forrester clients about learnings from this evaluation — stay tuned for details. Brands and retailers: Please schedule a guidance session with me to see how to use this research to identify the best-fit solutions for your needs. I’ll walk you through my findings and help you tailor the research to your needs to identify the vendors that should make your shortlist. POS vendors and commerce-related solution providers: Please schedule an inquiry or advisory session with me to discuss what my findings mean for the industry and your offering. source

Media continues to be a flywheel for growth and integration, especially when marketers and providers work together to combine expertise and capabilities into a full-funnel marketing strategy. Crucial to that success is uniting the scale of trading, technology, and execution with the skill of planning, intelligence, and optimization. Marketers are ready to move beyond choosing between full-service media generalists wielding buying power and agnostic execution or channel specialists offering subject matter expertise for search, social media, or performance marketing. Nearly half of US marketing executives prefer a single agency partner to provide brand and performance media assignments. They want fewer partners to manage, reduced fees, and better marketing experiences. Providers are responding with offerings that integrate precision with persuasion, intelligence with content production, and technology with ingenuity to help marketers realize efficiency and growth. What characteristics should marketing executives keep in mind when evaluating their agency or looking for a provider? Look for agencies that convert buying power into buying intelligence. Paid media represents the largest portion of most marketing budgets. In the past, media billings translated to preferred rates. Today, it also provides access to performance guarantees, technology co-development opportunities, and audience insights. Today’s media management providers combine data strategy and agency audience activation platforms, transforming buying power into buying intelligence as they grow “up” funnel or add expertise. Prioritize providers that connect media insight to creative development. Technology strategy is crucial for all media management providers. Proprietary audience platforms, powered by machine learning and first-party, third-party, and transactional data sources — combined with generative AI — become marketing operating systems to guide media planning, activation, and reporting. The best media management providers use operating systems to guide creative and content development, (re-)uniting media and creative. Identify partners that offer mutually beneficial, outcomes-focused commercial models. The growing influx of technology in marketing’s and agencies’ pursuit of software solutions creates the opportunity to innovate the agency commercial model. Providers are responding with performance- and outcomes-based remuneration options. These reward co-innovation and provide mutual reward. The best providers offer a range of options, with an eye toward outcomes models to align objectives. Only hire providers that use principal media in a transparent manner. Mutual benefit, trust, and visibility must be tenets of principal media buying products and deals. Principal media is when the media management provider invests in media inventory — often at a substantial discount — and resells that inventory to clients — often with a markup that is still below the baseline cost. When executed in an open and transparent manner, principal media can offer marketers benefits such as reduced rates, exclusives, and performance guarantees while offering the provider additional margin. When executed in a nontransparent and opaque way, principal media practices raise questions about whether the provider is acting in the brand’s best interests both financially and strategically. The best providers recommend principal media solutions sparingly, are transparent in its practices, and work to educate and inform marketers about how and when to use such solutions. The Media Management Services Evaluation Showcases Changes To The Forrester Wave™ The Forrester Wave™: Media Management Services, Q4 2024, provides clients the opportunity to dive deep into the progression toward full-funnel media capabilities by evaluating 12 prominent agencies, including the global holding company agency groups and private equity-backed independent media agencies. It also debuts new innovations in experience and format. The new Wave graphic:   Declares each provider as a Leader, Strong Performer, or Contender. Forrester’s Wave graphic now shows three bands instead of four, which better highlights our calls about where vendors or providers sit in a market relative to their peers and aligns with our three-point scoring rubric. All evaluated providers in the media management services Wave are ranked as Leaders, Strong Performers, or Contenders. Showcases in-depth customer feedback. Forrester’s Wave graphic now highlights the quality and caliber of provider reference customers, as well as ongoing feedback that Forrester collects outside of the Wave process, with more prominent markers on the Wave graphic. In the media management Wave, PMG is a customer favorite in this evaluation, with Omnicom Media Group and Publicis Groupe recognized for superior customer feedback. Complements an interactive Wave digital experience. Forrester clients can now easily move from the classic Forrester Wave report to an interactive digital experience. The media management services Wave digital experience allows clients to more easily compare providers or an individual provider’s scorecard to tailor the media management Wave findings into a custom shortlist of media agencies based on specific priorities. Forrester clients can access The Forrester Wave™: Media Management Services, Q4 2024 report. If you would like to further discuss implications, please schedule a guidance session with me. Be on the lookout for my upcoming Forrester Wave evaluating marketing creative and content services in Q1 2025. source

AI is a leading theme among cloud vendors globally, and European vendors are following suit. In a cloudy Paris on November 7, the cloud vendor Scaleway hosted its third ai-PULSE event, with about 1,000 attendees and 40 press delegates and analysts. The guest lineup was remarkable, from CEOs of global companies such as Michael Dell (founder of Dell Technologies) to government representatives such as Clara Chappaz (the French secretary of state for artificial intelligence and digital technologies) and founders of startups like Charles Kantor (CEO and cofounder of AI startup H Company). The event revolved around cloud and AI and, specifically, sustainability in AI and cloud deployments and digital and cloud sovereignty. AI Takes Center Stage At A Cloud Provider’s Event Fundamentally a cloud provider, Scaleway is massively focusing on AI. The vendor has significantly boosted its AI computing power by making over 5,000 NVIDIA H100 GPUs available to its clients. This is to support the On Demand GPU Cluster service, allowing customers to reserve computing clusters of varying sizes for flexible durations. Additionally, Scaleway has partnered with stealth startup H Company to provide a large training cluster of NVIDIA H100 GPUs. This pivot to AI is driving discussion in related areas such as AI and cloud sustainability, as well as digital and cloud sovereignty. Cloud And AI Sustainability Due to increasing numbers of GPUs available in data centers belonging to cloud providers and their associated power consumption, cloud and AI vendors have begun to consider environmental sustainability as a pivotal issue both in cloud and AI deployments. If the adoption of AI continues at scale, there will be no power plant that will be able to sustain AI workloads’ energy needs. In fact, over time, the increase in AI utilization will more than offset the gains in power consumption efficiency that are being made for every new GPU model released. Cloud decision-makers should keep an eye on these trends: Colocation of data centers and power plants. Given the increasing power consumption of data centers, it could be necessary to build power plants to meet cloud vendors’ demand exclusively. This will be a viable solution to avoid overprovisioning of (diesel-powered) backup generators to grant continuity in case of power grid overload or failure. This will also require colocation of power plants and data centers to minimize energy dispersion. Increase of nuclear power usage. Cloud vendors are realizing that they need nuclear energy to meet their power demand. While solar and wind power aligns better with the cloud vendors’ sustainability goals, nuclear is going to be the main energy source in countries, such as France, where this kind of source is available. GPU mutualization. Solicited by my question on GPUs’ utilization and efficiency, Scaleway’s CEO Damien Lucas illustrated an interesting concept: GPU mutualization. With GPU mutualization, cloud vendors are becoming GPU brokers, providing them on demand to end-user organizations and enabling 100% utilization of the processing units in their data centers, with related power efficiency gains. Improvement of efficiency of cloud infrastructures, AI, and generative AI workloads. A single request to an AI chatbot consumes 2.9 watt hours. This is 10 times more power consumption than a regular Google search query. This has an obvious impact in terms of power consumption and related emissions from AI workloads hosted in public cloud environments. According to Renee James, founder of Ampere Computing, when interviewed for one of the keynotes, AI has to be affordable and environmentally efficient. Given the current increasing power consumption trend, it must become more efficient rather than more affordable to be sustainable from a cloud vendor’s emissions perspective. Digital And Cloud Sovereignty Digital and cloud sovereignty of course play a major role in France, where the SecNumCloud regulation was developed. This topic has consequences on AI as well as in terms of data residency and workloads’ location. Presenters and keynote speakers made a few interesting points: Bring AI to the data, not data to AI, for inference. One sovereignty-related issue with AI is that some organizations bring data to where the AI engine is running. Moving forward, AI will be more and more at the edge, be it on mobile phones, laptops, or any other edge device. For example, a lot of inference can be done on more efficient CPUs with special-purpose transistors. This will make it possible to keep the data used for inference local, overcoming some of the sovereignty-related concerns. Select data for model training. Organizations do not — and should not — need to feed models with all the available data. Selecting the data to provide for model training in the cloud is one way to stay in control and avoid leveraging data in the public cloud when it need not leave the premises. Foster a startup culture in Europe. Europe is not short of ideas and capital for startups in the cloud and AI space, but some startups do leave the continent seeking higher funding, less regulation, and better ecosystems in places such as the Silicon Valley. If Europe wants to play a leading role in the cloud and AI space, regulators and operators need to contribute to a better culture that will keep talent and top ideas in Europe. This will help tackle sovereignty constraints as more technology options are going to be available locally. European organizations should be aware that they can leverage AI opportunities within the continent’s boundaries to abide by digital sovereignty requirements as well as shrink the number of cloud vendors making CO2 emissions that they have to keep under control. Set up an inquiry or guidance session with me to learn more. source

Many of you will have noticed that I have moved back into an analyst role over the last few weeks. I had an immensely rewarding time working in the European research management team with a talented group of analysts on our European tech research coverage, whom I’m incredibly thankful to for their hard work and dedication over the past few years. As I move back into the analyst role, I’ve had a lot of questions on what I’ll be focusing on as I return to the role. My new coverage can be broadly summarized as covering enterprise and cyber risk management and maturity assessment. In my prior role, managing the risks of introducing AI into the organization and managing against operational, cyber, and broader resilience, geopolitical, and regulatory risk have been common areas of concern for technology leaders. Over the last few years, risk has permeated all of the epoch-making investments in everything AI-related, from the infrastructure powering it to the large language models and data underpinning it all. Organizational environmental sustainability has been challenged by the substantial power and physical infrastructure needed to scale up AI. Here are the key technology areas and services markets that I’ll be working with my colleagues Alla Valente and Cody Scott on to support the broader enterprise and cyber risk management research agenda: Governance, risk, and compliance (GRC) platforms. As stated in Cody Scott’s research, the GRC market has seen something of a renaissance over the last one to two years, as the volume of global regulation and compliance mandates make it impossible to rely on cottage-industry Excel spreadsheets and the ever familiar email. The power of AI in this space and the potential to automate aspects of compliance and assurance workload has some potentially transformational implications for risk organizations, and I look forward to exploring how GRC software platform providers will support this broader transformation as I join Cody in looking at this market. Cyber risk ratings. This is the one area of my prior analyst coverage that I take back over. In 2021, I wrote with Alla Valente that the cyber risk ratings market wasn’t ready for prime time. Since then, it has advanced considerably and thankfully has shifted its thinking away from the pure act of collecting data to calculate a rating to now understanding how that data and insight can help security practitioners manage and reduce risk. I look forward to picking this market back up and running the next Forrester Wave™ evaluation in this space beginning in the winter of 2025 and onward. Risk managed services. One broad trend that has accelerated in the security and broader risk services world is both client demand and vendor interest in offering risk managed services. Clients have interest in getting support in managing not only their GRC platforms but other aspects of their enterprise risk management programs as they run into the familiar challenges of not having the internal skills, resources, or scale required to run complex enterprise risk management programs. I’ve even heard anecdotally of a few organizations talking about setting up risk operations centers to bring the same discipline, scale, and industrialization approach traditionally found in security or network operations centers. I will start researching trends in risk managed services in the market, matching what enterprise clients need with what the market can provide. Vendors can brief me via the regular Forrester briefings process, and Forrester clients are welcome to schedule an inquiry or guidance session with me to discuss further. source