Category: Forrester Blog


SCA Vendors Are Leading The Way On Diversity, Equity, And Inclusion

It’s no secret that the security industry has a DEI problem. Yes, I just linked to six different articles or social media posts supporting that point, and I’ve barely scratched the surface. My colleagues, Jinan Budge, Jess Burn, Allie Mellen, and Alla Valente, authored a blog about gender bias in the security industry last month, and I’m proud to be joining them in our upcoming research in this area.
But it’s not all bad news. During the demos for The Forrester Wave™: Software Composition Analysis, Q3 2021, many of the vendors shared their goals and investments around improving diversity, equity, and inclusion (DEI) within their organizations and in the industry. Whether through the head of HR or a dedicated DEI leader, DEI programs at several of these vendors are formal, funded initiatives that go far beyond platitudes on a website. I’d like to take a moment to highlight some of the great things that these vendors are doing to promote a more diverse and inclusive security culture:

Hiring. One vendor spoke proudly of its Arabic-language hiring campaign. Another stated that it is targeting to double the percentage of Black and Latinx workers by 2030. A third spoke of a program to move underrepresented candidates from outside of the tech sector into internships, many of which extend or convert into full-time positions.
Industry partnerships. External partnerships include Girls in the Game, Women in Tech, PowerToFly, and the MassTLC Tech Compact For Social Justice. A few vendors mentioned donations to Black Lives Matter and other organizations that promote racial and social justice.
Employee support and training. A couple of vendors spoke of unconscious bias training, particularly for interviewing and performance reviews. One mentioned accommodations and tools for neurodiverse employees. And kudos to the vendor that performs annual pay equity reviews.
Inclusive products. Some vendors are localizing their products for languages other than English and have invested in 508 compliance to ensure accessibility. More than one software composition analysis (SCA) vendor has removed terms such as “blacklist” and “whitelist” from its product UI and documentation and replaced them with more inclusive terms like “allowlist” and “denylist.” A couple of other vendors are in the process of doing so.
Events and affinity groups. Almost every vendor in the Wave spoke about companywide events to celebrate Pride Month or Black History Month. Employee affinity groups around gender or race are equally common. Such programs are becoming table stakes, and firms will be expected to continue these as they take on the more advanced initiatives described above.
Metrics. The vendors with the most mature DEI programs are not only talking the talk and walking the walk, but they are being transparent about it by sharing their metrics publicly and holding themselves accountable. A number of vendors provided metrics and goals, particularly around hiring and leadership — some were able to compare themselves very favorably to the local or industry averages. Others spoke of regular employee feedback surveys and tracking against stated goals.

Several of the vendors in The Forrester Wave™: Software Composition Analysis, Q3 2021 have public-facing sites that highlight their DEI work — this level of transparency must become the norm. Firms with more nascent DEI initiatives: Remember that 65% of consumers won’t buy from a brand that stays silent on an issue they expect it to address.
For more on SCA and the key vendors, check out The Forrester Wave™: Software Composition Analysis, Q3 2021, or reach out for an inquiry.


Software Composition Analysis Is A Core Tool To Protect Your Software Supply Chain

Over the past year, breaches such as SolarWinds and Kaseya have woken us up to the realities of software supply chain risk. Whether through infiltrating the software delivery pipeline, deliberately uploading malicious components to popular repositories, or taking advantage of existing vulnerabilities in open source components, attackers are leveraging gaps in supply chain controls to compromise organizations and their customers. Protecting the software supply chain is a multifaceted challenge that includes code signing, identity and access management, policy … and software composition analysis (SCA).
SCA has always played a role in protecting the software supply chain, historically by identifying vulnerabilities and licensing risks in open source libraries and advising security and development teams on upgrade paths. During the writing process of The Forrester Wave™: Software Composition Analysis, Q3 2021, I had the opportunity to hear about how today’s SCA vendors are extending their supply chain integrity features. Many SCA vendors have leaned into their role as supply chain protectors, with some expanded capabilities to look for:

Component control and repository integrations. Integrations with source code and binary repositories let SCA restrict use of components that don’t meet security standards or corporate policies. The top vendors have browser plug-ins that notify developers of at-risk components and suggest alternatives.
SBOM support. Even before the Executive Order on Improving the Nation’s Cybersecurity mandated that government suppliers provide a software bill of materials (SBOM), government and industry partners were collaborating on SBOM terminology, evangelism, and proofs of concept. Some SCA vendors already produce SBOMs directly in the UI in CycloneDX or Software Package Data Exchange formats; others rely on external tools. Some only produce PDF or CSV files but are looking to add support for the top SBOM formats.
Dependency confusion protection. Dependency confusion attacks gained prominence earlier this year when a researcher discovered that dependencies in public packages can get priority over those of the same name in a private build and demonstrated a supply chain attack on more than 35 large tech companies. Several SCA vendors referenced dependency confusion protection directly in their Wave responses, describing source location and other integrity checks.
Malicious component discovery. Attackers trying to poison the supply chain by adding malicious components to popular repositories are running up against new defenders. Some SCA vendors have gone into proactive mode and are leveraging their tools and research teams to find and remove these malicious components before too many unwitting developers download them. Top SCA tools quarantine new or suspicious packages for review before releasing them to developers.
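As an added illustration of two of the checks described above (not code from any vendor in the Wave), the following Python script audits a constructed CycloneDX SBOM: it flags components in an assumed internal namespace (`acme-`) that were resolved from anywhere other than the assumed private index (dependency-confusion exposure), and components below the fixed version in a constructed advisory list.

```python
import json
from urllib.parse import parse_qs

# Constructed CycloneDX 1.4 SBOM fragment (sample data, not produced by any real SCA tool).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "acme-auth", "version": "2.1.0",
     "purl": "pkg:pypi/acme-auth@2.1.0"},
    {"type": "library", "name": "acme-billing", "version": "0.4.2",
     "purl": "pkg:pypi/acme-billing@0.4.2?repository_url=https://pypi.internal.example/simple"},
    {"type": "library", "name": "requests", "version": "2.19.0",
     "purl": "pkg:pypi/requests@2.19.0"}
  ]
}"""

INTERNAL_PREFIXES = ("acme-",)                          # assumed private package namespace
PRIVATE_INDEX = "https://pypi.internal.example/simple"  # assumed private index URL
ADVISORIES = {"requests": (2, 20, 0)}                   # constructed: first fixed version

def parse_purl(purl):
    """Split a package URL into (type, name, version, qualifiers)."""
    body, _, query = purl.partition("?")
    ptype, _, rest = body[len("pkg:"):].partition("/")
    name, _, version = rest.partition("@")
    quals = {k: v[0] for k, v in parse_qs(query).items()}
    return ptype, name, version, quals

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def audit_sbom(sbom_json):
    """Return findings as (name, issue, detail) tuples: internal-looking packages resolved
    outside the private index, and components older than an advisory's fixed version."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        _, name, version, quals = parse_purl(comp["purl"])
        # A purl without repository_url means the default (public) index resolved it.
        source = quals.get("repository_url", "<default public index>")
        if name.startswith(INTERNAL_PREFIXES) and source != PRIVATE_INDEX:
            findings.append((name, "dependency-confusion", source))
        fixed = ADVISORIES.get(name)
        if fixed and version_tuple(version) < fixed:
            findings.append((name, "vulnerable", version))
    return findings

if __name__ == "__main__":
    for finding in audit_sbom(SBOM_JSON):
        print(*finding)
```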

There is still work to be done. Look for those vendors without native SBOM support to add it in the next year. I’d also hoped to find more out-of-the-box integrations with governance, risk management, and compliance and third-party risk platforms to give the risk teams a better view into software supply chain issues — only a couple of vendors had any such integrations. Supply chain security is a popular roadmap item, so ask current or prospective vendors about their plans to expand their offering in this area.
For more on the SCA market and vendor capabilities, please check out the full evaluation, The Forrester Wave™: Software Composition Analysis, Q3 2021, or schedule an inquiry to talk to me about it.

Connected Insurance: Reality Or Hype?

I speak often with clients about the role of technology in insurance. Of the many innovations we discuss, connected insurance may be the most polarizing. Connected insurance (CI) is nascent across most insurance lines. But evolving consumer preferences and increasing competition from digital-first startups require forward-thinking insurers to harness emerging technology and invest in CI capabilities. We’re past hype. Consumers, insurers, and regulators all see CI’s value and potential.
The Business Case For Connected Insurance
Connected insurance provides a means for digitalizing how your customers engage with you. It can also help you drive higher revenues, lower costs, and improve conversion. As insurers look for opportunities to innovate, connected insurance promises bespoke solutions that digitize customers’ buying journeys, from purchase decision to claims initiation. Furthermore, connected insurance can automate workflows like underwriting and claims handling.
Connected Insurance Brings Opportunity But Be Mindful Of Constraints
Customer focus and business strategy will determine how and where CI fits within your product portfolio. As you chart your path, you must develop competencies in data, IoT, and machine learning. Deploying a CI strategy will help you engage more frequently with customers, expand the products and services you offer them, settle their claims faster, help them avoid loss, and live safer lives. But before you get to widespread adoption, you’ll have to clear some hurdles like data security and privacy protection, cyber threats, and AI ethics and transparency.
Next Steps: Your Connected Insurance Journey Begins Now
The velocity of change in insurance is only going to increase. Insurers must create new products and services that improve customer and agent experiences, increase operating efficiency, reduce costs, and drive business growth. Connected insurance offers a way to meet these goals. If you are interested in learning more about how to begin, Forrester clients can access my recent report on connected insurance here or schedule an inquiry. For nonclients, if you want to keep this conversation going, learn more about my research and how we can help you build your connected insurance strategy, please visit us here. Take care.

Zero Trust For Healthcare Orgs Is Just What The Doctor Ordered

Whether it’s a ransomware attack, data breach, or another unnamed method that exposes and exploits private, sensitive, or proprietary data, 2021 is shaping up to be the “year of the breach,” with healthcare orgs among the prime targets. Last week, Humana became the latest healthcare org to fall victim to a cyberattack when hackers leaked medical data of over 6,000 patients, acquired through a third-party app for Medicaid Advantage members and agents.
In the first half of 2021, 360 breaches exposed almost 23 million patient records – higher than any other six-month period since the US Health and Human Services Office for Civil Rights (OCR) began keeping track. This shouldn’t come as a surprise, because healthcare organizations:

Manage and store lots of valuable data; vast amounts of data are shared between an increasing number of physical and virtual entities both inside and outside the entities’ IT network.
Maintain large expanded third-party networks that can be exploited (physicians, researchers, business associates, insurers, payers, etc.).
Rely heavily on technology for virtual care, connected medical devices, diagnostics, and patient engagement.
Struggle to secure sensitive data as it flows between their hospital clinical engineering/IT networks, clinician remote access points, virtual care platforms, third-party healthcare partners, and even patient home networks.

The considerable amount of blind data sprawled across the healthcare ecosystem, sitting on flat, vulnerable networks with poor access controls has made healthcare the low-hanging fruit for hackers who’d rather work smarter, not harder.
While there’s no single remedy, adopting Forrester’s Zero Trust strategy can help most healthcare delivery organizations. In our recently published report, The Zero Trust Security Architecture For Healthcare, my colleague Alla Valente and I discuss how the new risks of the post-COVID delivery model put Zero Trust front and center in healthcare delivery organizations. Among the recommendations are the need for an overarching security strategy, visibility into the risk associated with third-party data sharing relationships, and accelerating innovation without jeopardizing safety, privacy, and security.
If you are responsible for security at a healthcare provider and would like to learn more about this, please schedule an inquiry call with me or Alla today.