Based on the West Coast, Senior Analyst Josh Zelonis is the newest addition to the S&R team. When he’s not out cruising his Harley, Josh is working with clients to adapt their architecture, policies, and processes to evolving threats and to develop robust incident response programs. His research focuses on threat intelligence, endpoint detection and response (EDR), malware analysis, pen testing/red teaming, forensics and investigations, and of course, incident response.
Prior to joining Forrester, Josh accumulated over 13 years of experience as a security practitioner with demonstrated success in product architecture, engineering, and security assessment roles. As a product architect, Josh helped design and build innovative technologies in the breach detection space, architecting both endpoint and appliance products with a focus on data collection and analytics. His background also includes extensive experience in security assessment roles including red team, vulnerability research, and compliance.
Listen to Josh’s conversation with me to hear about his biggest surprises since starting as a Forrester analyst, his most frequent client inquiries, and the topics he's excited to research in the coming year:
To download the MP3 version of the podcast, click here.
What do you foresee as the biggest threat to security and privacy in the United States in the next ten years?
The battle over ad blockers has never been fiercer: Their popularity with consumers is skyrocketing across the globe. Ad blockers offer a better online experience and have become easier to use. But consumers like them as a way to protect their privacy and their data from being misused. Firms increasingly think that their best bet is to block the blockers. But a recent study has shown that this strategy is just a losing game, as it has contributed to the deep decline in traffic figures. And the problem doesn’t end there; the EU recently made its voice heard by saying that blocking ad blockers is a practice that breaches EU privacy rules.
But what about your customers? If you use ad blockers, just think of the last time you wanted to check out an article online but were asked to uninstall your ad blocker first or, possibly worse, to fill in your details to “freely” enjoy your read.
Security, risk, and privacy professionals must be mindful that the privacy practices that they design and enforce have a direct effect on the customer’s interaction with their firms. As much as they think about compliance, they must consider the privacy experience of their customers too. And this is one of the examples where the collaboration with marketing leaders, including customer experience, customer insight, and the marketing leadership, becomes extremely important.
A lifelong Atlanta Braves fan, Forrester Senior Analyst Joseph Blankenship longs for the mid-1990s with respect to his baseball team, but we promise that he looks to the future as he advises his clients on current and emerging security technologies. He covers security infrastructure and operations, including security information management (SIM), security analytics, and network security, and his research currently focuses on security monitoring, threat detection, operations, and management. Joseph has presented at industry events, been quoted in the media, and has written on a variety of security topics.
Joseph's over 10 years of security experience includes marketing leadership and product marketing roles at Solutionary (NTT), McAfee (Intel Security), Vigilar, and IBM (ISS), where he focused on managed security services, consulting services, email security, compliance and network security. As a marketing leader, Joseph helped to align client needs with marketing strategy, messaging, and go-to-market activities while educating users about security strategy. His background also includes extensive experience in the IT, telecommunications, and consulting industries with Nextel, IBM, Philips Electronics, and KPMG.
Listen to Joseph's conversation with VP, Research Director Stephanie Balaouras to hear about Joseph's biggest surprises since starting as a Forrester analyst, his most frequent client inquiries, and the topics he's excited to research in the coming year:
2015 was a tumultuous year for CISOs. Breaches affecting The Home Depot, Anthem Blue Cross Blue Shield, and T-Mobile dominated the headlines worldwide and left no industry, region, or CISO unscathed. These unfortunate spotlights created a slew of negative infosec publicity along with panicked demands from business leaders and customers alike. How secure are we? Ask the CISO. How did this breach occur? Ask the CISO. Why did this breach occur? Ask the CISO. Could we have prevented it? Ask the CISO. How could we let this happen? Ask the CISO.
Yet, CISOs continue to struggle to gain clout and influence with the rest of the C-suite and sometimes it can feel like a thankless role. There is little recognition when you’re doing your job right, but you face a whirlwind of pain and blame the second something goes wrong. The world’s growing emphasis and focus on cybersecurity should be running parallel with the capabilities and reputation of the CISO. Instead, CISOs see their responsibilities increasing with only modest funding increases, recognition, or support from their fellow colleagues.
He declined to live tweet his upcoming wedding from the altar, but there is no doubt that Nick Hayes is the social media expert on Forrester’s S&R team. He has extensive knowledge of the security, privacy, archiving, and compliance challenges of social media, as well as the technical controls used to address them. He also specializes in the tools that monitor and analyze social data to improve oversight and mitigation tactics of myriad reputational, third-party, security, and operational risks. He is certainly aware of the reputational risk of staring at your cell phone when you’re supposed to say, “I do”, but maybe if you follow him (@nickhayes10), you might get lucky with a pic or two -- and some good risk thoughts to boot.
Last week, we learned that cybercriminals undermined the identity verification of the IRS’ Get Transcript app and gained access to the tax returns of 104,000 US citizens, so it’s only fitting that in this analyst spotlight we interview one of the team’s leading analysts for identity and access management (IAM), VP and Principal Analyst Andras Cser. Andras consistently produces some of the most widely read research not just for our team but across all of Forrester. Clients seek his insight across a number of coverage areas beyond IAM, including cloud security, enterprise fraud management, and secure payments. As the tallest member of our S&R team at 6’5”, Andras also provides guidance to clients on the emerging fields of height intel and altitude management.
Once a month, my co-research director and partner in crime, Chris McClean, and I will use our blog to highlight one of the 26 people who collaborate to deliver our team’s research and services and always make Chris and me look really, really good. Each “Analyst Spotlight” includes an informational podcast and an offbeat interview with the analyst. This month’s Analyst Spotlight features our newest analyst, Martin Whitworth. Based in London and bringing experience as a CISO and Head of Security across several industries, Martin will cover the most pressing issues keeping CISOs reaching for another bourbon on the rocks, including security strategy, maturity, skills and staffing, business alignment, and everyone’s favorite pastime, reporting to the board.
Prior to joining Forrester, Martin served as CISO and senior security leader for a number of blue chip organizations, including Coventry Building Society, Steria Group, UK Payments Council, British Energy/EDF Nuclear Generation, and GMAC. In these roles, he developed and executed a variety of security strategies and programs, and he has extensive experience successfully engaging business and board-level stakeholders. He also has considerable experience as a trusted advisor to security leader peers in the public and private sectors internationally, as well as advising standards and regulatory bodies.
This month’s S&R Analyst Spotlight Podcast features a slight change to our usual program: we have a guest host! Chris McClean, our San Francisco-based Research Director, interviewed the newest addition to our analyst team, Merritt Maxim. Merritt’s coverage areas include identity and access management, access governance, federation, authentication, and role design and management. In our podcast, Maxim tells us about his career before Forrester, his planned coverage area and his current must-read book on security.
These Analyst Spotlights are all included in S&R’s First Look newsletters. Email firstname.lastname@example.org to be added to the list!
To download the mp3 version of the podcast, click here.
If you had to go up one level in a train station, would you take the stairs or use the escalator? Most people would choose the escalator. But what if the staircase played musical notes like an interactive piano? That might change things, right? A couple of years ago, Volkswagen began sponsoring an initiative called The Fun Theory that tested the degree to which they could change people’s behavior for the better by introducing an element of fun. In one example, they found that by adding a unique element to the stairs – transforming them into an interactive piano – they were able to increase staircase use by 66%. You can watch the short video here.
You can apply this same principle to your training and awareness programs -- find your own piano staircase, and use it to begin guiding people to choose the right thing on their own. Chris and I have been working on a report that stresses the importance of organizational culture in the development of risk and compliance programs. Throughout the research process, we asked risk and compliance professionals and vendors in the space the same question: “How are you influencing and promoting positive behavior?”
You can create new technical controls and policies, and you can require employees to sign attestations all day, but these efforts have minimal value (or worse) when there’s no positive reinforcement. When compliance and risk management are considered obligatory tasks, rather than meaningful efforts that the company values, it diminishes the perceived importance of ethical behavior.