Next week, the Forrester security and risk (S&R) team will host the Forrester Security & Risk Forum on November 9 and 10. This will be the first time I have ever attended a Forrester event, let alone the Forrester Security & Risk Forum. And while I’m disappointed it isn’t in person this year, I’m also thrilled with the bold, powerful takes by my colleagues — and happy I won’t need to bathe in hand sanitizer every few minutes or don a Tyvek suit to attend.
This two-day event is packed with talks on risk, security leadership, Zero Trust, and application security, as well as opportunities to meet one-on-one with Forrester analysts and to network with fellow security leaders. I am most looking forward to the group networking sessions, which will include two Forrester analysts and a group of CISOs discussing a particular topic. I’m leading a discussion with another Forrester analyst from the infrastructure and operations team, Charles Betz, on how IT and the security operations center (SOC) can work better together.
One of the great things about the Security & Risk Forum is that it gives you the opportunity to hear from and connect with every member of the Forrester S&R team. There are talks by Renee Murphy, Alla Valente, Jess Burn, Andras Cser, and many more on the most cutting-edge work they’re doing within their coverage areas. It’s an opportunity to explore these risk, compliance, application security, detection and response, and Zero Trust topics in depth, while also getting the bigger picture.
There are over 25 talks at this event, and the ones I have had the privilege to hear about are going to blow you away. Every talk is arguably a must-see, but I’ve included some of my top recommendations (based on what I’ve seen so far) for talks to attend (including a shameless plug for my own) below, so please take a look!
CISOs And The Trust Imperative
Stephanie Balaouras kicks off the event by introducing the trust imperative, one of the most consequential pieces of research Forrester published this year. Following her introduction, Jeff Pollard drills down into what this means for CISOs. Steph and Jeff both pull no punches when it comes to making clear, actionable calls for what security pros should be focused on, and that is exemplified in this keynote. This talk is a must-see.
The trust imperative represents the greatest opportunity for transformation for CISOs since the creation of their senior roles. For decades, security, risk, and privacy leaders struggled to maintain alignment with their organization, to feel like they meaningfully contributed to their firm’s objectives. CISOs were avoided at best — ridiculed and scapegoated at worst — but the trust imperative proves that all the toil was worth it. This session will help these leaders understand the trust imperative, the levers of trust, and what to do about them. Establishing and preserving trust will move markets, and CISOs are uniquely positioned to contribute and maximize the firm’s chance of success and exponentially amplify the value they bring to their firm.
Set The SOC Free: Upending The Security Operations Model For A New Era
I have seen and read a LOT of content on what people imagine the future of the SOC will look like. To be honest, I’ve been disappointed with a lot of it. I am, however, very excited to give this keynote, as it will bring clarity to what CISOs need to focus on for the future of the SOC.
In this talk, I break myths on what security operations is “supposed to be.” This talk is a frank look at what policies and philosophies in the SOC must change to improve not only the experience of those in the SOC, but also those in the rest of the business. It will leave you with a clear picture of what the SOC of the future should look like, how to measure quality in the SOC, and the five key tenets on what the future of the SOC must include to get there. We will explore a new, adaptable way of thinking about security operations and a pragmatic path to get there.
Secure What You Sell: Becoming A Top-Line CISO
Sandy Carielli, an expert on application security, is driving some incredible research on the importance of securing what you sell. I have been so impressed by everything she puts out and look for any opportunity to collaborate with her, so I highly recommend attending this talk.
She will discuss the CISO mandate to evolve the security organization from cost center to revenue driver. While application security has overlaid security on the software development lifecycle, product security goes a level higher and overlays security on the full product lifecycle, long before the product even exists. Sandy will introduce the Forrester Secure What You Sell (SWYS) Model and discuss how to integrate it into your organization’s top-line strategy to help the business build and sell trusted products.
There Is No Try: Implement Zero Trust, You Must
Steve Turner is a veteran practitioner turned Forrester analyst, and he uses his experience to communicate what Zero Trust means for those on the ground. His perspective on the industry is completely unique, and I highly recommend attending this talk for a gut check on what’s actually possible with Zero Trust.
He’ll also be diving into a new way to look at Zero Trust that matches how practitioners are actually implementing it, tools to measure your Zero Trust technology capabilities, and the new operational reality after you’ve implemented Zero Trust architecture and what that means for your day-to-day. As a bonus: Come for the nostalgia, with some choices about what side of the force you belong to.
The Forever Breach: Avoiding The Ever-Present Scourge Of Ransomware
This research is the culmination of several months of anxiety over ransomware. Steve and I have met with countless practitioners to try to help alleviate some of these concerns, and we are finally able to release a complete report and accounting of the steps you need to take to stop ransomware. Attend this talk to hear from Steve and me about the realities of ransomware defense and get prescriptive recommendations on how to stop ransomware by using capabilities you already have in your environment today.
Ransomware is like a slasher movie killer with more lives than Michael Myers and Jason Voorhees combined. If the killer’s body is never found, the character is not dead. Ransomware has the strongest plot armor available, rising to become cybersecurity’s number one villain. Businesses have more technologies and processes than they can manage to combat this and similar threats. This talk will cover ransomware strategy and introduce a toolkit — standing out as the MacGuffin that security and risk pros desperately need for their final battle — with tactical recommendations on how to detect, prevent, respond, and limit exposure to ransomware and other threats.
Why This Matters
These talks are just a smattering of the great content we have lined up. This is your opportunity to see the most cutting-edge research the S&R team has been working on this year before much of it is even available as a report. Further, you have the opportunity to set up one-on-one meetings and chat as a group of peers. If you’re interested in joining in on the fun, head to the Forrester Security & Risk Forum to learn more.