Security Risk Management
With the proliferation of data and the ubiquity of connected devices, organizations can move with unmatched efficiency, but simultaneously incur increased risks. Read our insights on how security and risk professionals can succeed in this environment.
Blog
OpenAI’s Daybreak Promises To Improve AppSec But Introduces A New Pricing Model: Five Buyer-Side Implications For CISOs
OpenAI recently announced Daybreak, its vision for making agentic application security faster and more capable. While promising, Daybreak will also make security more expensive per unit of work. In this model, customers pay for tokens, and multiagent workflows burn tokens. CISOs and CIOs should budget for application security (AppSec) line-item inflation, not deflation, with […]
Blog
Drowning In Rules: Navigating America’s AI Regulatory Patchwork
US companies are drowning in AI rules. With a labyrinth of conflicting state laws and no single federal requirement, even the most responsible innovators are struggling to stay afloat. California’s landmark Transparency in Frontier Artificial Intelligence Act proved that states can regulate AI without killing innovation, but it also underscores a hard truth: The current […]
Blog
Brussels Takes Seven Member States To Court Over CER, And The Consequences Land On You
If you are a CISO at a critical-infrastructure organization in Bulgaria, France, Luxembourg, the Netherlands, Poland, Spain, or Sweden, your Critical Entities Resilience (CER) Directive enforcement clock just shortened. On May 7, 2026, the European Commission referred all seven member states to the Court of Justice of the European Union for failing to transpose the CER Directive more […]
Blog
Not A Vendor, Still A Breach: Vercel’s Third-Party Risk Failure
Some security incidents are complex. The Vercel incident is more troubling because it was predictable. The attackers did not exploit a procurement gap. They exploited a definition gap. Here’s what happened. A Vercel employee signed up for Context.ai’s AI Office Suite using a corporate Google account and clicked something effectively equivalent to “Allow All,” granting […]
Blog
Game Over For Trust: A Roblox Cheat Gives Attackers The Advantage
A cascading supply chain attack did not start with a zero-day exploit, an unpatched vulnerability, or a brute-force attack. It started with a bored employee wanting to get ahead in an online game. A Context.ai employee downloaded a Roblox game cheat, an unofficial script for an online game that came bundled with Lumma Stealer malware […]
Blog
How CISOs Can Thrive Amid Geopolitical And Economic Uncertainty
Amid escalating geopolitical conflicts, economic turmoil, and ongoing tariff chaos, chief information security officers (CISOs) are operating in a prolonged state of uncertainty in which cyberattacks have become a new component of armed conflict, expanding the attack surface just as organizations are struggling to secure AI and critical infrastructure. Security leaders are also facing budget […]
Blog
Project Glasswing: The 10 Consequences Nobody’s Writing About Yet
Anthropic’s Project Glasswing and Claude Mythos Preview prove that autonomous zero-day discovery now operates at scale. We evaluate the immediate, medium-term, and structural consequences for security teams, vendors, insurers, regulators, and future careers.
Blog
What To Know When Evaluating Sensitive Data Discovery And Classification Solutions
The ability to identify sensitive data in your organization, gain visibility into where it is located, and tag it to inform controls for data access, data use, and the data’s lifecycle underpins your efforts to protect that data. Sensitive data discovery and classification is foundational for Zero Trust data security, privacy, and AI governance. The […]
Blog
When Cyber Insurance Meets Cyber War, Coverage Becomes Conditional
For years, cyber insurance relied on generic war exclusions that rarely shaped enterprise decisions. That changed when NotPetya, a Russia‑linked attack, caused billions in collateral damage in a blast radius of unrelated but affected organizations and triggered prolonged legal battles over whether traditional war clauses applied to cyber events. The result was landmark settlements for […]
Blog
CISOs Have Plenty Of Work To Do In An AI-Driven Future
As AI becomes more embedded in fundamental business processes, organizations can no longer settle for “secure enough.” Learn how AI is redefining the CISO role — and actions that they can take today.
Blog
The Expanding Universe Of GRC For AI: Key Questions From Technology Leaders
In 1929, astronomer Edwin Hubble discovered something unsettling. The universe isn’t static; it’s expanding everywhere, simultaneously, at every scale. His simple equation (Hubble’s law) shows that galaxies are accelerating away from each other, and the farther they are, the faster they recede. Eventually, galaxies become so distant that they cross our observable horizon entirely — […]
Blog
Geopolitical Volatility Has Become A Technology Leadership Test
Geopolitical volatility is testing and redefining technology leadership, demanding sharper trade-offs, stronger resilience, and faster decisions from CIOs and CISOs. Read guidance from our new research to help navigate these challenges.
Blog
No, You Can’t Just Vibe Code Commerce — Yet
“What coding?” Vibe coding is the cute term for using genAI systems to create, debug, or update programming code. People can use it without knowing how to write a line of code themselves. What this means: Lots of people are generating code they don’t understand. It’s not just developers using these tools to code faster; for example, it’s schoolteachers writing their […]
Blog
From Operating Rooms To iPhones: What The Stryker Attack Reveals About Third-Party Risk
A recent cyberattack on a global medical device manufacturer shows how third-party failures can cascade from enterprise IT into patient-facing operations. This post unpacks what the incident reveals about concentration risk, vendor dependencies, and real-world impact.
Blog
White House Announces The 2026 Cyber Strategy For America
On Friday, March 6, the Trump administration released the latest US national cybersecurity strategy, President Trump’s Cyber Strategy for America, alongside an executive order on combating cybercrime and fraud. The document, focused on six core pillars, is the briefest cybersecurity strategy released by the US in the last decade. The biggest challenge with the document […]
Blog
Practical Quantum Computing By 2030 Is Likely — And So Is Q‑Day
Forrester’s report, “The State Of Quantum Computing, 2026,” shows that quantum computing is advancing faster than expected, making business utility and Q-day security risks plausible by 2030.
Blog
The Mandela Effect In TPRM: Why Companies Still Misremember Their Third-Party Risk Exposure
What do the Monopoly man’s monocle, the Fruit of the Loom cornucopia, and “Luke, I am your father” have in common? None of them actually exist the way you remember. That glitch is the Mandela effect, a collective misremembering of facts or events, and it is the same mental bug that convinces executives that their […]
Blog
2026 Really Is This Risky: Our Top Recommendations For CISOs
Security leaders entered 2026 with little expectation that uncertainty will ease … ever. Economic pressure, geopolitical instability, accelerating artificial intelligence adoption, and renewed technology consolidation have turned volatility into a structural condition rather than a temporary disruption. This is life now, and CISOs are being asked to move faster, support aggressive AI initiatives, and protect […]
Blog
What We’re Looking Forward To At The RSAC 2026 Conference
The annual RSAC Conference in San Francisco is the cybersecurity industry’s biggest event of the year. For the analysts attending, RSAC Conference week provides an opportunity to learn about cybersecurity trends and topics, meet with vendors and clients, and share our insights and observations. It’s also an excellent opportunity to meet our daily step goals […]
Blog
When A Hosting Provider Becomes A Hostile Provider: The Notepad++ Compromise
The detailed writeup from cybersecurity vendor Rapid7 about the Notepad++ compromise gives CISOs a clear demonstration of how a single failure in the distribution process for a widely used utility can become an enterprise-scale software supply chain event. Developers, analysts, automation engineers, researchers, IT operators, and security teams use this editor as part of their […]