
Forrester’s planning guide for CISOs gives focus areas

A planning guide from Forrester for 2023 – security and risk. Pulling from Computer Weekly, here are the recommendations for CISOs.

  • API security is increasingly the de facto approach to modern development, enabling organizations to build new business models and engagement methods, but prone to breaches due to unprotected APIs and API endpoints.
  • Bot management, actively profiling incoming traffic to determine intent and protect from malicious bots – which comprised 25.6% of internet traffic in 2020 – by delaying, misdirecting, or blocking them.
  • Industrial control system (ICS) and operational technology (OT) threat intelligence which is becoming a non-negotiable buy for organizations working in sectors such as energy, manufacturing, utilities, or transport.
  • Cloud workload, container, and serverless security to protect the compute, storage, and network configurations of cloud workloads in infrastructure- and platform-as-a-service (IaaS/PaaS) environments. This market is still immature and a challenge to address.
  • Multifactor authentication (MFA), or even passwordless authentication, is one of the quickest and cheapest ways to align security strategies around zero-trust principles.
  • Zero-trust network access (ZTNA) is a more appropriate and agile solution to secure remote workers in a post-pandemic world than the traditional VPN.
  • Security analytics platforms replace legacy rules-based security information and event management (SIEM) offerings that are too easily overwhelmed by the rapidly evolving threat landscape.
  • Crisis simulations and purple teaming.

Why do we care?

It’s a very good list. It will require some adaptation for different size businesses, of course. API security is a great example, as that’s for organizations who develop software… and most don’t.

I wanted to highlight “protect the compute, storage, and network configurations of cloud workloads”. This is not something most small providers are addressing effectively, as this is configuration management rather than device management. That’s a key distinction, and why I wanted to highlight it. Big opportunity for sure – and why I like the space. My guidance is to focus on changing your methodology and thinking first rather than searching first for a tool. You’ll build your requirements list that way.
