On April 26, Marvel fans finally received an ending to an 11-year saga when “Avengers: Endgame” premiered in theaters. Without revealing too many spoilers, the Avengers were tasked with undoing a finger snap (yes, a snap) executed by the villain from the previous movie. This snap was so substantial that it caused half of the universe’s population to vanish. The avengers then spent the entire “endgame” movie discovering a way to reverse this half-of-life-ending snap and preventing the villain from decimating the entire universe’s population.

While watching this movie, I began to contemplate what would happen if we eliminated all or even half of current security measures. What if organizations made no effort to train their employees on secure practices or if we allowed both government and the private sector to have free reign on personal consumer information? What if no efforts were made to prevent new threats posed by drones or to enhance application security? Though this thought didn’t conjure the final battle seen from “Avengers: Endgame,” in which the characters are surrounded by fire, screaming, bullets, and aliens while fighting in a crater where upstate New York once stood, the vision of a world where security isn’t a priority is a worrying one. At the risk of sounding corny: We’re in the endgame now, and you must continually and actively keep your data and organization secure or risk losing it all.

So what should S&R pros do to avoid any of the above scenarios? In the past month, the security and risk team has written various reports addressing the variety of ways that CISOs can continue to keep their organizations secure. Below are some highlights:

  • Historically, security awareness and training efforts have been halfhearted, and investment in more sophisticated solutions has been limited. CISOs struggle to justify security awareness and training initiatives, and many employees do not receive security training — a worrying fact given that many employees are unsure of their company security policies. In their recent report, “The Business Case For Security Awareness And Training,” Jinan Budge and Claire O’Malley show S&R pros how to measure the benefits of SA&T to justify more investments, as these initiatives can help CISOs instill a culture of security awareness among their employees.
  • Though governments have typically been associated with surveillance, the private sector is now also a major participant in the practice of collecting, analyzing, and storing personal data. It is fully engaged in economically endorsed spying. In their report, “Avoid Corporate Scandal Caused By The Surveillance Economy,” Jeff Pollard and Claire O’Malley explain how to remain on the side of the data economy and steer clear of surveillance practices.
  • Though application security is a top priority for global security decision makers, developers don’t have the skills or resources to code securely. In their report, “Show, Don’t Tell, Your Developers How To Write Secure Code,” Amy DeMartine and Trevor Lyness contend that security pros need to work within developer constraints to empower secure coding.
  • As drones become more common in commercial use, they introduce new enterprise risks. S&R pros need both a strategy to protect their organization from drones and to ensure that their own drone use is compliant with applicable laws and doesn’t interfere with others’ business operations. In their new report, “Protect Your Firm From Drones,” Merritt Maxim and Salvatore Schiano discuss the ways in which organizations can better prepare themselves for increased commercial use of drones.
  • Zero Trust continues to be a hot topic. Paul McKay, Chase Cunningham, and Enza Iannopollo write about Zero Trust adoption in the European market. CISOs in Europe face a unique set of challenges in implementing Zero Trust, which requires more upfront planning than would be necessary in some other regions. For more information, see the report: “How To Implement Zero Trust Security In Europe.”


(Written with Kate Pesa, senior research associate at Forrester)