As of August 2019, I’m an analyst on Forrester’s security and risk research team. I’m super-excited to be at Forrester and to join a team that is challenging current cybersecurity thinking and providing analysis that helps security leaders make decisions and drive change in their own organizations.

Zero Trust security is one of the things that attracted me to Forrester. Even a decade ago, it was clear that conventional security methodologies were failing to keep attackers at bay, and Forrester’s original Zero Trust trilogy of papers prescribed a better path forward. Today, Forrester is rapidly adapting Zero Trust from the original concept into a framework and an ecosystem, and I’m signing up to help with the effort.

Outside of Zero Trust, my coverage areas for Forrester are predominantly around network security.

  • Firewalls
  • Distributed denial of service (DDoS) attacks
  • Intrusion detection and prevention systems (IDS/IPS)
  • Automated malware analysis (sandboxing)
  • Encryption
  • Network access control
  • Microsegmentation
  • Network security policy management
  • DNS security

Coverage areas evolve as the industry changes and new analysts are added to the team. Keep an eye on my bio page for my latest coverage areas and upcoming research.

My short-term research priorities are to:

  • Analyze enterprise and cloud firewall technologies and markets.
  • Evaluate the DDoS protection market for 2020.
  • Explore the intersection of Zero Trust and multicloud environments.
  • Quantify the impact of TLS 1.3 on legacy security controls.

Connect with me at Forrester for briefings, inquiries, and advisories if you’re curious about any of the aforementioned research or anything within my coverage areas.

My Alma Mater - the University of Colorado at Boulder
Photo credit: University of Colorado at Boulder (Wikimedia Commons)

I’ve been in cybersecurity my entire career. In the early ’90s, I was writing code for early service providers like CompuServe, Prodigy, and (“You’ve got mail!”) America Online. Then this new network appeared at the University of Colorado Boulder, where I was studying. It connected all the universities, the military, and government research labs. It was called “the internet.” I was 22 at the time and ruminated on three things:

  1. This internet thing was going to be big.
  2. From a security perspective, it was totally broken.
  3. The internet was going to need security people forever.

So, at 22, I decided to go into cybersecurity, and it was literally the only good decision I made in college.

For the next 20 years, I was a C/C++ developer specializing in authentication and cryptography: Kerberos, GSS-API, SSL, RADIUS, etc. In my thirties, I wrote a paper on the comparative merits of early authentication systems (MS-CHAPv2 was the surprise winner for its creative use of nonces). That’s when I realized that I was a better writer and speaker than I was a coder. For the next seven years, I toured the world for a vendor, meeting with the directors of security for practically every bank and telco in 20 countries.

I am deliriously excited to join Forrester, a company I’ve admired for years, and to be part of an amazingly talented team of security and risk analysts. Find me at a conference, and let’s talk Zero Trust, baseball, fly-fishing, and craft beers!