Many of you will have noticed that I have moved back into an analyst role over the last few weeks. I had an immensely rewarding time working in the European research management team with a talented group of analysts on our European tech research coverage, whom I’m incredibly thankful to for their hard work and dedication over the past few years. As I move back into the analyst role, I’ve had a lot of questions on what I’ll be focusing on as I return to the role. My new coverage can be broadly summarized as covering enterprise and cyber risk management and maturity assessment.

In my prior role, managing the risks of introducing AI into the organization and managing against operational, cyber, and broader resilience, geopolitical, and regulatory risk have been common areas of concern for technology leaders. Over the last few years, risk has permeated all of the epoch-making investments in everything AI-related, from the infrastructure powering it to the large language models and data underpinning it all. Organizational environmental sustainability has been challenged by the substantial power and physical infrastructure needed to scale up AI.

Here are the key technology areas and services markets that I’ll be working with my colleagues Alla Valente and Cody Scott on to support the broader enterprise and cyber risk management research agenda:

  • Governance, risk, and compliance (GRC) platforms. As stated in Cody Scott’s research, the GRC market has seen something of a renaissance over the last one to two years, as the volume of global regulation and compliance mandates makes it impossible to rely on cottage-industry Excel spreadsheets and the ever-familiar email. The power of AI in this space and the potential to automate aspects of compliance and assurance workload has some potentially transformational implications for risk organizations, and I look forward to exploring how GRC software platform providers will support this broader transformation as I join Cody in looking at this market.
  • Cyber risk ratings. This is the one area of my prior analyst coverage that I take back over. In 2021, I wrote with Alla Valente that the cyber risk ratings market wasn’t ready for prime time. Since then, it has advanced considerably and thankfully has shifted its thinking away from the pure act of collecting data to calculate a rating to now understanding how that data and insight can help security practitioners manage and reduce risk. I look forward to picking this market back up and running the next Forrester Wave™ evaluation in this space beginning in the winter of 2025 and onward.
  • Risk managed services. One broad trend that has accelerated in the security and broader risk services world is both client demand and vendor interest in offering risk managed services. Clients have interest in getting support in managing not only their GRC platforms but other aspects of their enterprise risk management programs as they run into the familiar challenges of not having the internal skills, resources, or scale required to run complex enterprise risk management programs. I’ve even heard anecdotally of a few organizations talking about setting up risk operations centers to bring the same discipline, scale, and industrialization approach traditionally found in security or network operations centers. I will start researching trends in risk managed services in the market, matching what enterprise clients need with what the market can provide.

Vendors can brief me via the regular Forrester briefings process, and Forrester clients are welcome to schedule an inquiry or guidance session with me to discuss further.