Forrester’s Security & Risk Spotlight – Enza Iannopollo

Stephanie Balaouras


All Forrester S&R analysts consider the security and privacy implications of how today’s digital businesses collect, store, use, and transmit sensitive data about their customers, but Enza Iannopollo has made it her mission to understand these implications in detail. Her research focuses on the impact of Internet regulations and data privacy issues on digital business models, as well as the technologies that underpin them. Her research coverage also includes privacy implications in the context of cloud computing, analytics, and the Internet of Things. When you get a chance, please schedule an inquiry with Enza and ask her if privacy is dead.


Automated Malware Analysis Wave - Call for feedback

Rick Holland

We are in the planning stages of a new Forrester Wave on automated malware analysis/sandboxes. As we prepare for this research, we are looking for research interview candidates to discuss your experiences with automated malware analysis solutions. Please note we are not seeking feedback from vendors at this time. We are focused on the buyers of these offerings. We would like to talk to you about:

  1. The most useful features
  2. The least useful features
  3. The most significant challenges
  4. Preferred deployment model (physical appliance, virtual appliance, cloud)
  5. Most useful integrations (e.g. endpoint integrations that validate sandbox alerts)
  6. Feedback on vendors (e.g. FireEye, Trend Micro, Palo Alto Networks ...)

You don't have to be a Forrester client either. If you are willing to participate in a confidential research interview, we will provide you a free copy of the research when it publishes. If you are interested in speaking with us, please contact Kelley Mak (kmak at forrester dot com) and Josh Blackborow (jblackborow at forrester dot com).

In the meantime, if you are interested in learning more about Forrester's perspective on automated malware analysis, please check out Pillar No. 1: Malware Analysis from Targeted-Attack Hierarchy Of Needs: Assess Your Advanced Capabilities

Help Us Define The Data Security Market In 2015!

Stephanie Balaouras

To help security pros plan their next decade of investments in data security, last year John Kindervag, Heidi Shey, and I researched and assessed 20 of the key technologies in this market using Forrester's TechRadar methodology. The resulting report, TechRadar™: Data Security, Q2 2014, became one of the team’s most-read pieces of research for the year. However, it’s been a year since we finalized and published our research, and it’s time for a fresh look.

One can argue that the entirety of the information security market - its solutions, services, and the profession itself - focuses on the security of data. While this is true, there are solutions that focus on securing the data itself or securing access to the data itself - regardless of where data is stored or transmitted or the user population that wants to use it. As S&R pros continue to pursue a shift from a perimeter and device-specific security approach to a more data- and identity-centric security approach, it’s worthwhile to hyperfocus on the technology solutions that allow you to do just that....

Last year, we included the following 20 technologies in our research:

  • Archiving
  • Backup encryption
  • Cloud encryption gateways
  • Data classification
  • Data discovery
  • Data loss prevention (DLP)
  • Database encryption and masking
  • Database monitoring and auditing
  • Email encryption
  • Enterprise key management
  • Enterprise rights management
  • File-level encryption
  • Full-disk encryption
  • Identity and access management 
  • Managed file transfer

Forrester’s Security & Risk Research Spotlight: Application Security and IoT Security

Stephanie Balaouras

Once a month I use my blog to highlight some of S&R’s most recent and trending research. This month I’m focusing on application security and asking for your help with some of our upcoming research into the security and privacy risks associated with Internet of Things (IoT). IoT is any technology that enables devices, objects, and infrastructure to interact with monitoring, analytics, and control systems over the Internet. The illustrious and debonair Tyler Shields (@txs) will lead our research into IoT security, but as the risks become more and more concrete for various verticals, you can expect the entire team to engage in this research.

Take our IoT security survey and talk with our analysts! If you contribute to the emerging IoT market, please fill out this brief survey. Participants will receive a complimentary copy of the completed research report and we'd be happy to interview anyone who would like to discuss IoT and security in detail. Be sure to reach out to Tyler or Jennie Duong if you’re interested.


Microsoft Acquires Cloud Access Security Intelligence vendor Adallom

Andras Cser

Microsoft is doubling down on its cloud strategy and announced the acquisition of Adallom. Adallom offers transparent, cloud-based monitoring and alerting of cloud application use. It can detect if a user is performing suspicious actions (e.g. downloading the CRM database on a Friday afternoon). This signifies that cloud service provider vendors can no longer only offer IaaS security (see our Wave) but must also help with understanding risks around non-sanctioned and sanctioned SaaS applications. Microsoft's success in incorporating Adallom's assets into the Azure portfolio will depend on the following:

1. How well will Azure AD premium work with Adallom?

2. How well will Office 365 work with Adallom?

3. How well will Azure IaaS work with Adallom?

4. How will Adallom be able to support data protection and encryption?

5. How well will Adallom continue to work vendor-agnostically with non-Microsoft IaaS and SaaS environments?

We will be publishing a Market Overview on Cloud Access Security Intelligence vendors (including Adallom) in Q3 of 2015. Stay tuned!

Mobile Security Technologies 2015

Tyler Shields

Today, I'm officially kicking off the 2015 version of the Mobile Security Technology Radar and I need your help! 

Mobile security is one of the fastest changing, most dynamic markets that I have ever seen in my life (and I've been around the block a few times). Just when enterprises think they have it all figured out, a new shiny blinking toy is released that promises to secure mobility better than ever before. I began formally tracking the mobile security space for Forrester in the summer of 2013. One of my early reports was the 2013 Mobile Security Technology Radar which I slightly updated in the winter of 2014. Both enterprises and vendors alike responded very positively to these reports, citing the valuable insights that allowed them to predict the movements of a market that changes faster than Katy Perry at the Super Bowl halftime show.

What isn't always evident in the reports that we write at Forrester is the depth and details in the research we do. For example, the graphic below represents quantified survey results of industry experts, vendors, and customers of mobile device management technologies that offer insight into the market sentiment on MDM solutions in 2013. MDM was a pretty hot technology in the summer of 2013 and the lack of red market sentiment helped us predict that this technology would thrive in the near future (see graphic below). Things really get interesting when we have year over year trending data to help us gain additional insight into the future market movements.


Forrester’s Security & Risk Analyst Spotlight – Nick Hayes

Stephanie Balaouras

He declined to live tweet his upcoming wedding from the altar, but there is no doubt that Nick Hayes is the social media expert on Forrester’s S&R team. He has extensive knowledge of the security, privacy, archiving, and compliance challenges of social media, as well as the technical controls used to address them. He also specializes in the tools that monitor and analyze social data to improve oversight and mitigation tactics of myriad reputational, third-party, security, and operational risks. He is certainly aware of the reputational risk of staring at your cell phone when you’re supposed to say, “I do”, but maybe if you follow him (@nickhayes10), you might get lucky with a pic or two -- and some good risk thoughts to boot.


How To Go From Dinosaur To Eagle - Or Risk Being The CISO That Got Hit By The Comet

Peter Cerrato

Peter Cerrato is a principal consultant for Forrester's Business Technology consulting practice.  

A very strange and sudden thing happened 66 million years ago. A comet crashing into the Mexican Yucatan peninsula near Chicxulub put an end to the long reign of the dinosaurs. But not so fast. We now know that some of those dinosaurs survived the massive Cretaceous-Tertiary extinction event: the smaller, faster, feathered and headed-toward-warm-blooded early ancestors of our eagles and hawks.



Some vendors just cannot let go of their "precious appliances!"

Rick Holland

We just published my latest research, the Forrester Wave: SaaS Web Content Security, Q2 2015. Forrester categorizes web gateways/forward proxies into this web content security category. I did something different with this evaluation: instead of looking at on-premise appliances, I only evaluated the SaaS deployment model. If a vendor didn't have a SaaS delivery model, we didn't include them in the Wave.

The decision to focus this wave on the SaaS model wasn't popular with some of the vendors we evaluated. The majority of vendors who sell web proxies lead with the on-premises delivery model and relegate SaaS to a niche deployment option. As users, their endpoints, and their applications move outside the perimeter and into the cloud, the traditional web gateway model is being disrupted; yet many vendors are still very attached to their appliances. Instead of evaluating a very mature on-premise market, I wanted to focus this Wave on the future.


The State Of The Cyberthreat Intelligence Market

Rick Holland

If the RSA Conference was any indicator, threat intelligence has finally joined the ranks of cloud and advanced persistent threat as ambiguous/overused terms that mean many different things to many different people. If you were given a dollar, pound or euro every time you heard "threat intelligence," there is no doubt you could fund your security budget for decades to come. Your biggest challenge would be determining how to invest some of that money into threat intelligence capabilities.

To help Forrester clients navigate the threat intelligence market, I have several pieces of research underway. The first report, "The State Of The Cyberthreat Intelligence Market," has just published. In it I discuss the frenzied venture capital and vendor investment in the threat intelligence space. I also provide guidance on how security and risk professionals should navigate the marketing hype to make the best investment of their limited resources. I am currently writing the second report, "Market Overview: Threat Intelligence Providers." Here is a snippet from the latest research that illustrates just how much vendor focus we have seen. Since October of 2014:


  • There have been three acquisitions and eight fundraising rounds.
  • iSight Partners (Critical Intelligence) and Lookingglass (Cloudshield) have each raised funds and made an acquisition.
  • Of the acquisitions, only one company publicly disclosed the acquisition amount: $40 million (Proofpoint).
  • The eight fundraising rounds raised a total of $102.5 million.