In February 2025, I transitioned to the role of vice president and research director for international security and risk. With the change, I’m extending my remit from successfully leading our APAC Security & Risk Forrester Decisions business to our well-established EMEA function. I also move from an individual contributor role to one where I’m leading a team of extraordinary people, and I’m now responsible for our collective research agenda across EMEA and APAC. As I deep-dive into our backgrounds, existing research, and capabilities, I feel a sense of pride, hope, and joy at the opportunity ahead. As a team, we cover a multitude of security and risk priorities (see figure below). We’re also geographically distributed across six countries in EMEA and APAC — no one else is as uniquely positioned to add this level of global perspective to our research and our clients. In my excitement and anticipation, I’d like to introduce you to our newly formed team and our 2025 priorities:

  • Paul returns to the analyst chair, supporting Forrester’s global enterprise and cyber risk management and maturity assessment. Luckily for us, Paul McKay made the decision to get back in the analyst chair as VP and principal analyst, working with Alla Valente and Cody Scott to globally support cyber risk management research. Paul has already delivered some hardhitting research and blogs that have the potential to move our clients to do important things. This includes refreshing Forrester’s Information Security Maturity Model (FISMM) and an informative blog outlining the key risks in the 2025 WEF Global Risks Report. Paul will also be working on key technology and service markets, including governance, risk and compliance (GRC) platforms. He’ll also reclaim his prior cyber risk ratings coverage, leading a Forrester Wave™ evaluation in 2026, and he’ll evaluate risk consulting services.
  • Tope leans into his background to deliver pragmatic Zero Trust, managed detection and response, and digital identity research. With an international background in security architecture, penetration testing, and advisory, Tope Olufon’s research reflects this background, leading Forrester’s efforts in the managed detection and response (MDR) space in Europe and soon to publish a new landscape and Wave evaluation in 2025. He works with our Zero Trust (ZT) colleagues with a focus on making ZT pragmatic, delivering our research on How To Build A Zero Trust Roadmap. Tope is currently writing research on how to think like an attacker in order to use offensive security techniques to uplift ZT capabilities. Leaping off his research on Europe’s fragmented, but hopeful, digital identity landscape, Tope will continue to drive our research on digital identity market trends and their practical applications in the workplace.
  • Madelein sets herself a broad and ambitious agenda, covering security org structure, consulting services, resilience regs, and API security. Madelein van der Hout has an ambitious agenda for 2025. She is ramping up to lead Forrester’s research on security organizational structure and operating models, a highly requested topic by our clients. (Heads up: We’ll be calling out for research interviews shortly.) She continues to lead Wave evaluation efforts on cybersecurity consulting in Europe, with a new Wave report to be published this year. Madelein will support Amy DeMartine’s research on operational resilience in 2024, focusing on regulations and mandates, especially DORA — a hot topic for our clients. She also has plans to double-click into her 2024 API security coverage with Sandy Carielli, giving our clients a wellneeded API security roadmap.
  • Enza and Meng enrich our international research, leading on privacy, trust, AI regs, identity and access management, and threat intel. Enza Iannopollo joined Forrester around the same time as I did, and it’s been an honor following her career path in becoming one of the world’s most soughtafter experts on privacy and trust ethics — one of the rare people who earns standing ovations at privacy keynotes. She has led significant research on the EU AI Act, how sellers can trust the use of generative AI, and synthetic data. Meng Liu heralds from a payments background, expanding his coverage in recent years to adjacent areas in fraud management, anti-money laundering, and identity verification in collaboration with Andras Cser. Meng saw his research as a natural transition to security and risk and will collaborate with Jitin Shabadu to expand his coverage in APAC to threat intelligence, especially given its adjacency to fraud-related issues such as impersonation and deepfake detections. Meng will also collaborate with Geoff Cairns to expand our most requested topics in APAC: identity and access management (IAM).
  • My career purpose of human-centered security, security culture, and security leadership will continue. I will still contribute to research that aligns to my purpose, which is making security human-centered, as well as focusing on the security and risk priority to lead a high-performing security organization and culture. In this capacity, I will lead markets and research on topics such as human risk management and security culture, as well as some select security and CISO leadership and career path research. Inevitably, I will have to relinquish some deeply loved parts of my agenda, which are critical to our clients, to very capable hands. Madelein will update our research on security champions networks, the CISO’s guide to successfully leading change, and human risk management metrics. Jess Burn will take over my plans for research on leadership and human skills in security to complement her existing cybersecurity skills body of work.

As a team, we continue to be relentlessly committed to our clients, our research, and each other. With our global security and risk colleagues, we look forward to serving you in the above capacities.

Forrester security and risk clients who have questions about the following risk, security, or privacy-related topics can connect viainquiry or guidance session to our experts:

  • Human-centered security, security culture, security leadership, or human risk management: Jinan Budge
  • GRC, cyber risk ratings, risk services, or enterprise and cyber risk management: Paul McKay
  • Building ZT roadmaps, MDR, or digital identity: Tope Olufon
  • Security org structures, consulting services in Europe, resilience regulations, or API security: Madelein van der Hout
  • Privacy, trust, AI regs and ethics, or synthetic data: Enza Iannopollo
  • Threat intelligence, fraud management, or IAM in APAC: Meng Liu