TBT: The Top 10 Executive Responses From Hackers Versus Executives

Each year at our Privacy and Security events, we run a session called Hackers Versus Executives. In this session, we ask a hacker to cause mayhem and then stop at different points in the attack to ask executives what their responses are. This year we attacked applications including containerized and serverless applications. Two months ago we closed our London event with our Hackers Versus Executives session. As a throwback, here’s a look at my top 10 favorite responses our executives gave both in London and Washington D.C. (Note: at times, responses were edited for brevity):

  1. AMY: Shaun, as a CISO, how do you prioritize application security with everything else you must do?
    SHAUN: I like to take a risk-based approach in general, where I enumerate all of my security risks, rate them, and then really focus on the ones with the highest real risks. Having said that, application security, I find, tends to fall, or end up at the top for several reasons. Primarily because it’s a much harder problem to solve. In network security we have lots of good tools and lots of experience in that space. Application security is constantly evolving the way we’re developing applications. It’s very people based. The people who can make mistakes and the developers can make mistakes. It’s very labor intensive and we tend to dedicate a lot of resources to application security.
  2. AMY: What are you doing to defend against an exploited vulnerability?
    KELLY: We’ve prepared for it. The bigger problems arise when you are unprepared. So we would do some threat modeling and some scenario planning and runbooks. We would have the people and the decision makers ready for when we encounter an issue like this. Hopefully nothing as bad as this. But the key is that you have to be prepared for it and plan for the eventuality of it happening.
    AMY: Are you ready to pull the plug on this app? Are you ready to go that far?
    KELLY: Absolutely, yes, completely.
  3. AMY: Andy, what’s the role of developers in security? And do they even care?
    ANDY: We try and make them care. You make them care with your security awareness campaigns and the whole culture of security and why it’s important. I think one of the problems is that they probably do care, but they’ve got conflicting messages. So they have someone who’s their line manager who tells them all about the time scale and to deliver to a certain point of competency, a certain point of functionality by a certain depth, so they’ll make compromises to reach that because that’s their priority. We need to make sure they realize these are quality issues as well. You can’t deliver that functionality without the quality because that’s going to endanger the organization and our reputation and effectively their bonus and their jobs eventually. So it’s about having those conversations and to bring that security message to the very front line of developers so they realize that the company cares about more than just the functionality and the date.
  4. AMY: So, Kris, how concerned should the average CISO be about the basic exploited vulnerability scenario?
    KRIS: So, my question is, why did this happen? And so from a CISO’s perspective, obviously, you should be worried about just basic hygiene. This shouldn’t have happened. You might need more than just traditional intrusion detection tools to detect this attack and also just to double down on vulnerability patching because at the end of the day, that’s how these bad guys are making their way through the organization and executing exploits on vulnerable systems.
  5. AMY: Guy, the next time that an app is exploited and the customer data is stolen, should the director of app dev be fired and not the CISO?
    GUY: I’ll not accept the premise of the question. If firing somebody is your primary response when you get breached, then you’re guaranteeing yourself that good security people will not want to come work for you. This is really about broad ownership and clear responsibility. If your primary action is to fire somebody when something goes wrong, people’s natural reaction would be to not take ownership because then their job is on the line. I don’t think either of them should be fired in case of a breach as much as they should pull together and inspect why this happened, be transparent about it to their users, and internally, and talk about how to set up a system, so that it doesn’t happen again.
  6. AMY: What do you think practitioners wish their execs understood most?
    GUY: There’s only so many hours in the day. If you want me to do everything, I can’t do anything well.
    SHANNON: I think that everybody would like to see executives understand the difference between an exploit and hygiene. Not everything is useful for a hacker, and prioritizing as if it was is very detrimental to creating value for your organization.
    SHAUN: I’m going to turn the question around. I think it’s the wrong question. I think the question is: what do the security professionals need to know about the execs and what’s important to them? You’re not going to be able to have a successful security program unless you know what motivates the execs in your company.
    KRIS: I’d say it’s that compliance does not equal security, especially when it comes to privacy protection. I don’t think that they realize complying with HIPAA is not the same thing as actually having security protections in place.
  7. AMY: Shannon, how are you defending apps today?
    SHANNON: Defense has become an active defense capability for us. The way that we look at it is very game theory based, and ultimately, what we’re trying to achieve is blocking out bad guys by getting to the vulnerabilities and weaknesses first that have the most impact on our organization. Essentially, blocking out the exploits before somebody else can do something bad with them.
    AMY: And you have how many people on your team?
    SHANNON: I probably have one of the largest red teams in the world. I have about 45 people that are dedicated to finding and exploiting before the bad guys do.
  8. AMY: How would you defend against this serverless attack, Shaun?
    SHAUN: I can answer that a couple ways. First, I’d almost go back to fundamentals. And this has nothing to do with the fact that this is serverless or not. The original entry was a known vulnerability. I think the key thing for me is having an effective vulnerability program. That involves really three things. One is having some way to identify when something really is vulnerable. As much as we like to discuss zero days and they’re sexy and everything, the reality is that most of these attacks that succeed are not zero days. They’re vulnerabilities that have been known for a long time. You have to then figure out who to assign these vulnerabilities to. Who has to fix the code and do the work? And then you have to have a mechanism that actually holds people accountable for doing that.
  9. AMY: Kelly, a new critical vulnerability is announced, and it impacts your applications. How are you going to manage that?
    KELLY: You need a cross-functional group of people to analyze the impact of that vulnerability across your whole estate. What do we need to do in terms of patching all the different layers? How fast can the cross-functional team respond? What mitigations can you put in place and in what time frames? Is there anything you can do instantly? Or what can you plan out in the weeks and months ahead?
  10. AMY: Arnaud, what have you done ahead of time to protect these very vulnerable applications?
    ARNAUD: So it’s a set of measures which are on the technology side, but also which needs to go outside of the technology. The technology side is very classical, not easy. First, you need to know what you have to protect. You need to know the list of the applications you need to protect. So when you are in a larger organization, for which a number is thousands, for sure it’s more complex than for a small organization. When you are entering with a such amount of data which to protect, you need to identify the criteria of prioritization. So for example, maybe you can consider the externally facing applications, instead of the ones which are purely internal. You have to make a link between your IT asset, your application, and the business process you are supporting. And, it’s a long journey, but this is how you go beyond IT in order to bring this discussion to a board discussion.

You can view the full recordings here: Washington D.C. and London.

Are these your same favorites or were there others that you liked better?

Thanks again to my panel of executives and my hacker: Arnaud Brenac, Shaun Gordon, Shannon Lietz, Kris Lovejoy, Kelly McKillen, Guy Podjarny, and Andrew Rose.  A huge thank you to my Research Associate, Kate Pesa, who made this blog possible by transcribing both events.

Cybersecurity In India: Reflections And Learnings From A Visitor

Last week, I had the immense pleasure of traveling to India for the first time. It quickly became one of my favorite trips of 2019. This is in spite of a punishing schedule during which I toured Bangalore, Pune, Delhi, and Mumbai and met with/presented to a couple of hundred of our clients, vendors, and extended ecosystem. The smells, colors, people, energy, and activity were very uniquely India, and I will always treasure them.

I will also treasure my learnings of the business and security landscape in the region. We’ve all heard the hype about India as a growth market and a tech hub. But nothing prepared me for what I saw and learned. This trip was a great reminder not only of our differences in practicing security around the world but also of how much we all have in common.

As always, I want to share with you what I learned and the opportunities and challenges we have in our vast APAC “region” (from a cybersecurity perspective). I say “region” in quotes because, of course, APAC is so vast and diverse from geographic, cultural, business, economic, and regulatory standpoints. To do it justice, one really has to understand each of the various geographies within the region. Here are my observations and learnings from my brief yet intense India experience:

  • Boards of directors in India are starting to prioritize cybersecurity, but not enough. There was a consensus among most security and tech leaders whom I spoke to that their boards take cybersecurity seriously, but it is not yet a top priority. Questions about security from the board are still occurring in a reactive manner, and there is still an unspoken feeling that organizations in India may be invincible from cyberattacks. This was of course different for more mature organizations (e.g., FS). For those of us in regions where cybersecurity is now at long last in the top three priorities for boards, we can all reflect back and remember the journey our own boards took (and are still taking) in truly understanding and prioritizing this topic.
  • The importance of the human firewall and security culture change is not yet understood by senior executives. The importance of human-related controls and embedding security culture are not yet a priority for many boards and executives. At senior levels, security is still seen as the domain of technology. This is certainly different here in Australia, where many boards that I have spoken to are aware of the importance of the human firewall and are well and truly on their way to recognizing that security is not only a technology issue. It is worth noting that embedding a positive security culture is a priority for many of the CISOs and CIOs who we interacted with.
  • The CISO in India (similar to global CISOs) still predominantly reports to IT, with dotted lines to the CEO/CRO. Some CISOs we met reported to CEOs and CROs, whereas many others still report to CIOs and CIOs’ direct reports. This is very much in line with global trends, in which we still see about 60% of security leaders reporting into IT. The debate as to where security should report raged (as it does in all geographies). Many security and tech leaders noted that reporting lines become less relevant with more mature and uplifted governance and reporting.
  • Increasingly, security in India is transforming to a business-focused, risk-aligned discipline. We spent a lot of time discussing the importance of transforming security from a reactive, IT-focused issue to one that is business-aligned and has culture change at the heart of that transformation. This message was unanimously agreed upon by all participants in the discussion. There is a sense that security needs to be addressed holistically, considering all areas of people, process, technology, business, and customer trust. There was a general agreement that, to be taken seriously, security needs to be positioned as a business risk and embedded at all levels of the organization.
  • A culture of pride may be contributing to organizations not seeking help. Most vendors I met with discussed a skill and talent shortage in India in security. The vendors unsurprisingly see themselves as helping organizations bridge that gap, yet they acknowledge that in India, anecdotally, only about 35% of organizations use security services (this is compared to a global average of about 55%). Many mentioned that to seek help could be admitting defeat, and therefore some are reluctant to do it. Some also mentioned that this same cultural nuance may be driving a slower journey for communicating with the board, as the full state of the gaps is not yet reported.

Overall, it was a great trip. I can’t wait to return and dive deeper into many of the above topics and more with our vendors and clients in the region. I want to acknowledge our India sales team for making this trip possible and so enjoyable and successful. I was in awe, yet not surprised, at the level of hospitality I received from them and our clients.

‘Til next time!

“Crap” Content Continues To Describe B2B Marketing — Don’t Let It Describe Yours

In 2013, Doug Kessler and the crew at Velocity Partners published “Crap: the single biggest threat to B2B content marketing” — a work of thought leadership genius that I still tell marketers to read today. In just 50 PowerPoint slides, Velocity Partners explains why the current deluge of marketing “content” won’t serve buyers and what you need to do to survive it. This SlideShare story has been viewed more than 5.5 million times to date and remains as relevant as ever.

You would hope that marketers would learn from Doug’s advice and change their ways . . . well, your hopes would be in vain. Consider this finding from a Forrester survey on what technology buyers think about the materials they get from their technology suppliers:

Figure: B2B Content Fails To Impress Global Technology Decision Makers

If a picture is worth a thousand words, this one shows how badly B2B marketers struggle to produce marketing content that matters to buyers. For the third consecutive year, B2B marketing content continues to underwhelm business consumers — most say vendors give them too much material and much of that material is useless.

It’s sad that buyers disdain marketing content so completely. Part of the explanation is that marketers haven’t kept pace with buyers’ preferences. Forrester has shown, for example, that 60% of B2B buyers don’t want to interact with a sales rep, and 62% say they can finalize their purchase selection criteria based solely on digital content. That means your content must fill that interaction gap — or your competitors’ will.

B2B firms are engaged in a content arms race, trying to achieve competitive advantage by producing any possible content that any possible buyer could possibly need at any possible time. However, as Velocity points out, battling for numerical content superiority means nothing if your content isn’t relevant or interesting to buyers.

Top marketers are surrendering the content volume battle and are instead choosing to deliver less content that more buyers value: content that is authentic, credible, and empathetic. To ensure that your content doesn’t get relegated to the digital trash bin, here are some highlights from our most recent report about what buyers want and don’t want.

Buyers Want:

  • Customer/peer examples. Business buyers want content featuring your customers — their peers — who share experiences, pain points, and success stories. Buyers say industry or peer case studies are the most valuable type of content when exploring and making buying decisions.
  • Content from credible sources. We asked 610 business and IT leaders what they rely on most when making technology buying decisions — and most said content developed by industry analysts/experts.
  • Short content. Buyers prefer content that is concise, with shorter formats capturing two out of the top three spots for content types that buyers prefer to interact with.

Buyers Don’t Want:

  • Product features. It’s an old analogy, but buyers want to learn about how to build that swing set their children will love rather than hear about the features of your spiffy new cordless drill. Good content focuses on how a solution goes about addressing customers’ needs and leading them to positive business outcomes.
  • Articles written by people who have yet to prove their substance. On the opposite side of the spectrum, buyers say they rely least on content developed by independent bloggers or consultants. (Hint: Work with independents who have both a track record and following instead.)
  • Long content. Sixty-minute webinars, long-form videos, and long-form reports (10-plus pages) all fell outside the list of top 10 most engaging content types, while their short alternatives were all in the top 10.

“Credible, Empathetic Content Wins Over Elusive B2B Buyers” has many more insights, illustrated examples, and data into the content attributes that buyers value and how marketers should activate content to engage those buyers. The report also recommends what to do right away to make sure that your marketing assets become a focal point for starting business-focused dialogues with your customers. Marketing has a long way to go to meet B2B buyer content preferences and expectations, but we would love to help you get there and make sure your content never ends up in the trash.

Trends In Marketing Measurement You Need To Follow In 2019

Marketers are held to an ever-higher standard of accountability to ROI and business impact. But many marketers struggle to meet these expectations, hampered by long-established habits and lack of knowledge about new data- and analytics-enabled measurement approaches. In this short video, I take apart these misperceptions, describe trends that leading marketers have pioneered, and point you to the resources Forrester has to help you update your marketing measurement approach.

Be sure to check out the marketing measurement and insights playbook, take the marketing performance measurement maturity assessment to prioritize steps for your organization to get started, and schedule an inquiry with myself or Tina Moffett to get customized advice.

There’s No “Data Strategy” — Align Insights Priorities To Your Business Strategy

Greetings from sunny but cold Orlando, where the inaugural Forrester Data Strategy & Insights Forum just wrapped up. During the event, I spent time with a seasoned data professional who joined me as a panelist in my session and who took advantage of the wealth of wisdom dispensed in keynotes and deep dives throughout the event.

The feedback on the event was overwhelmingly positive, but one observation struck a chord — particularly given the title of the event. There is no such thing as “data strategy,” he argued adamantly; it’s not a strategy per se, he explained, but rather the execution of initiatives that support a broader business strategy. While not in those words, I’ve been saying the same thing for some time and hope that the sentiment is reflected in my recently published report, “Prioritize Data And Analytics Requests” — although I suspect it’s not that clear.

The genesis of the report was an inquiry in which a client asked, “Is a dollar of cost savings the same as a dollar of revenue generated?” My response was a resounding “no.” Data and analytics initiatives must align with business objectives. If a company is in growth mode, hell-bent on capturing mind and market share, insights teams prioritize revenue generation over cost savings. In a downturn, when survival mode kicks in, priorities might look a little different. This exercise is not about defining a data strategy but about identifying, prioritizing, and executing initiatives that best support a company’s business strategy and strategic objectives.

To Prioritize, You Need Priorities

On Monday, I presented the new report to Forrester’s Customer Insights & Analytics Council members. We discussed the proverbial jar, which represents time, with piles of rocks, pebbles, and sand that represent strategic initiatives, urgent but smaller projects, and more routine tasks or even busy work, respectively. At the end of the session, members were asked to share their “rocks” for 2019. One of the council members shared that his “rock” for 2019 was to identify a “rock.” When teams are busy responding to a flood of requests from across the business, they risk not taking the time to identify those larger, more strategic projects that can drive transformation, competitive advantage, and differentiation. It’s time to find those rocks that support the business strategy.

But Prioritization Is As Much About What You Won’t Do As What You Will Do

Another point from the report that’s worth noting is that part of the prioritization process is to determine what not to do. As one of our council members put it, “It’s useful to have an accelerator, but sometimes you need a brake.” It’s important to take a step back and make sure all the things you are currently doing still deliver value. Business insights teams get inundated with requests for dashboards and reports. Over time, however, interest wanes and these “derelict dashboards” no longer deliver value. “Know when to hold ’em; know when to fold ’em.”

And maybe more importantly, “Just because you can doesn’t mean you should.” Another council member shared a story of an initiative that would have improved one metric but might have had an impact on the reputation of the company; the firm didn’t act on the insights.

The Bottom Line: Ensure That The View Is Worth The Climb

A formal prioritization framework ensures that initiatives are evaluated equally and transparently, that insights initiatives support business strategy, and that resource requirements and expected outcomes align.

Quantifying Vendor Efficacy Using The MITRE ATT&CK Evaluation

I’ve been extremely excited about the MITRE ATT&CK evaluation since MITRE decided to open it up to vendors earlier this year. The endpoint detection and response (EDR) market represents the direction of endpoint security, yet the state of endpoint efficacy testing has been underwhelming.

• Antimalware testing has become a standard part of the endpoint protection (EP) space, but it’s frequently been observed that a majority of vendors score over 99% in efficacy testing. This isn’t a comparison; it’s a benchmark.
• NSS Labs has done some testing of EDR products, but its latest report failed to include multiple noteworthy vendors. Correlation is not causation, but it should also be noted that NSS is currently involved in a lawsuit against many of these conspicuously missing vendors to block attempts by the Anti-Malware Testing Standards Organization (AMTSO) to create what AMTSO claims is a standardized and transparent testing methodology.
• Analyst firms, such as Forrester, don’t do rigorous efficacy testing. When I do a Forrester Wave™, I’m comparing features, strategy, client satisfaction, and providing demo scripts to allow me to infer the efficacy of these solutions, but I’m not creating test environments and throwing exploits at the systems.

I was disappointed at the lack of fanfare that accompanied the release of these results last week. My initial excitement for this testing was that I would have fair and transparent test results that I would be able to use as an individual evaluation criterion in my upcoming Forrester Wave evaluations on EDR. I got exactly what I wanted from these test results: a detailed and technical assessment of how these products performed under attack simulation that would allow me to make my own assessment of the efficacy of these products. I also realized that without a scoring or ranking system, this evaluation was inaccessible to many buyers. Beware the gypsy curse, “May you get everything you want.” To support the community at large, and hopefully bring more visibility to what MITRE has accomplished with this evaluation, I’ve gone through the results and have developed a repeatable methodology for scoring the vendors based on the 56 ATT&CK techniques analyzed using 195 procedures in the evaluation.


I began the process by parsing out the JSON-formatted data that was provided with each of the evaluations and dumped the qualitative descriptions provided for each of the procedures. Using these qualitative descriptions and the documentation available on the evaluation website, I developed the following scoring criteria (similar to how I would approach a Wave):

5 – Alerting. An adversary attacks your system, is detected, and an alert is generated in response. This is what you expect to be paying for when you invest in these products.

3 – Delayed detection or real-time enrichment. The product couldn’t generate an alert in real time, but it brings your attention to the issue eventually. This is probably coming from a managed service or some other post processing to generate alerts. Alternatively, an operation didn’t warrant its own alert, but detection did happen in real time, and this information was associated with another alert for further context.

1 – Threat-hunting capabilities. The telemetry exists to allow a threat hunter to detect the adversary after the fact. There’s no alerting because there’s no detection, but at least the data exists to reconstruct the crime scene while you’re sending out breach notifications.

0 – No detection or requires configuration changes to expose data not usually available to the user. These types of configuration changes have value but are frequently only deployed during an active digital forensics investigation by the vendor itself. Since you’re not making these configuration changes in your day-to-day environment, I’m not providing additional credit for this nuance.

It should be noted that all vendors were scored against the same number of procedures, but in some cases, multiple scores were provided in a single procedure in which there were multiple detection types. An example of this may be found here, in which Endgame generated telemetry and alerted on a particular event. While it did not change the ranking of the vendors to additively apply the above quantitative score for each reported detection type, I elected to score the vendors strictly based on their highest-scoring detection type to keep the scale between 0 and 5 for each procedure.
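The scoring rule described above, written out as an added example (this is not the code published on GitHub, and not MITRE's schema): each procedure takes the score of its highest-scoring detection type, with an optional additive mode for comparison. The JSON field names, the detection-type labels and the sample results are constructed for illustration.

```python
import json

# Assumed mapping from detection-type labels to the post's 5/3/1/0 criteria.
# The label strings are hypothetical stand-ins, not the evaluation's own names.
SCORES = {
    "alert": 5,                 # detected and alerted on in real time
    "delayed": 3,               # alert raised later (e.g. by a managed service)
    "enrichment": 3,            # real-time detection attached to another alert
    "telemetry": 1,             # raw data a threat hunter could search afterwards
    "none": 0,                  # nothing recorded
    "configuration_change": 0,  # only visible after a non-default config change
}
MAX_SCORE = 5  # ceiling per procedure when only the best detection type counts


def score_procedure(detections, additive=False):
    """Score one procedure; return (points, labels that could not be scored)."""
    known, unknown = [], []
    for label in detections:
        key = label.strip().lower()
        if key in SCORES:
            known.append(SCORES[key])
        else:
            # Surface unrecognised labels instead of silently scoring them 0.
            unknown.append(label)
    if not known:
        return 0, unknown
    return (sum(known) if additive else max(known)), unknown


def score_vendor(results, additive=False):
    """Total one vendor's results across every procedure of every technique."""
    per_technique, unknown, procedures = {}, [], 0
    for technique in results["techniques"]:
        subtotal = 0
        for procedure in technique["procedures"]:
            points, bad = score_procedure(procedure.get("detections", []), additive)
            subtotal += points
            unknown.extend(bad)
            procedures += 1
        per_technique[technique["id"]] = subtotal
    return {
        "vendor": results["vendor"],
        "total": sum(per_technique.values()),
        "max_total": procedures * MAX_SCORE,  # meaningful in highest-type mode
        "per_technique": per_technique,
        "unknown_labels": unknown,
    }


# Constructed sample input: one fictional vendor, two techniques, six procedures.
SAMPLE = json.loads("""
{"vendor": "ExampleVendor",
 "techniques": [
   {"id": "technique-a", "procedures": [
     {"step": "1.A.1", "detections": ["telemetry", "alert"]},
     {"step": "1.A.2", "detections": ["telemetry"]}]},
   {"id": "technique-b", "procedures": [
     {"step": "2.A.1", "detections": ["enrichment", "telemetry"]},
     {"step": "2.A.2", "detections": ["configuration_change"]},
     {"step": "2.A.3", "detections": []},
     {"step": "2.A.4", "detections": ["Delayed", "mystery"]}]}
 ]}
""")

if __name__ == "__main__":
    for mode in (False, True):
        report = score_vendor(SAMPLE, additive=mode)
        name = "additive" if mode else "highest-type"
        print(name, report["total"], report["per_technique"], report["unknown_labels"])
```

Comparing the two modes across vendors is how one would check whether the additive variant changes the ranking; the unknown-label list catches results whose detection types the mapping does not cover.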


I’m not revealing results in this blog, but I am making the code available on GitHub that I used to quantify solution efficacy based on the MITRE ATT&CK evaluations so you can run the checks and see the results yourselves. Keep in mind that efficacy testing is a bit of a Holy Grail in that the results only tell you part of the story. For instance, due to the nature of this evaluation using positive testing to check for alerts, this evaluation favors false-positive-prone solutions that are going to alert more frequently. Look forward to a report in the coming weeks with a detailed analysis of the scoring, other findings, and a deeper dive into the importance of what MITRE has accomplished for the industry with this round of testing.

The TV Industry Is Stumbling Toward Customer Centricity

I’ve just returned from a few days in the sun, having once again participated in Beet.TV’s annual Beet Retreat. (Wonderfully, we returned to Puerto Rico this year.*)

The theme was “It’s Consumer-First in TV Land,” which I really hoped the conference would pay off on. Why? Well, we know that consumer attitudes about advertising are not great at the moment. And why should the TV industry care? Digital advertising’s rep is pretty dismal, while television still fares OK. But if we’re not careful — with all the innovations in data and technology exploding across the growing number of TV advertising models — we could make the same mistakes in television that we made in digital: frequency run amok, brand safety concerns, ad personalization that feels annoying or downright creepy, or simply just putting too many ads everywhere.

The good news: Consumers did make their way into the conversation. A Turner executive rightly pointed out that Facebook and Google made it easy and attractive for consumers to use their platforms, and so people came, en masse, and kept coming back. But he also warned, rightly, that we all need to be careful, that simply “turning on the data fire hose” that’s now so readily available across the industry could be a recipe for disaster. So followed three days of discussions on ad load, ad frequency, relevancy, data, and the voice of the consumer from media buyers, sellers, and technology companies alike. Good. Because this group clearly — and repeatedly — acknowledged that we are an interconnected ecosystem which will move forward, or backward, together.

This group is ready for things to be easier for everyone, but they aren’t naive. These conference goers are the ones itching for, and pushing for, change within their own organizations and at the industry level. They want less friction in the buying and selling process, more operational seamlessness and automation, and a TV ecosystem that thrives. But they know all the barriers that still remain, from legacy infrastructure to siloed client organizations. So there was a lot of talk about the role industry initiatives such as OpenAP can play in moving things along. But the reality today is that, while there was universal agreement that OpenAP’s premise is strong, execution is still onerous (think calling up each OpenAP member to actually transact on that cross-network audience you want to buy) . . .

. . . which is a perfect segue to another big theme for this year.

A clarion call for converged buying. Representatives from most of the major holding companies bemoaned the fact that doing the very kind of media planning, buying, and measurement they say they want to do remains a huge pain in the rear. This felt new to me this year: this very real call for a more converged, platform-based model of buying digital and traditional media together. Their palpable frustration made me smile from ear to ear. Why? Progress inevitably follows this kind of buyer frustration. Noted Omnicom’s Jonathan Steuer: “TV is a platform, and we need to be able to think about it in a more granular way next to everything else we buy.” Or as Mike Law of Dentsu Aegis Network explained: “Trying to manage the complexity that still remains . . . understanding frequency on air, avoiding overlap, etc. These are real areas of concern. And the consumer doesn’t care [about our industry’s complexity problem].” YES! What he said!

But what needs to happen to really push this forward?

Marketers need to commit. Perhaps the biggest challenge of them all? Marketers, en masse, aren’t acting like they’re preparing for a new reality of what “television” advertising will need to be to meet the demands of their rapidly evolving consumer base. They’re waffling. As one senior TV executive noted: “The biggest issue is that many marketers are in it for the wrong reasons — they’re doing it to check an innovation box. You have to come out of an addressable TV initiative saying, ‘It worked, or it didn’t and here’s why.’ But they don’t.” They treat advanced forms of TV buying (whether advanced linear, addressable, OTT, or all of the above) as small, discrete, time-bound tests. That’s a problem. And the sad part is that we know that those who do buy these new forms of TV believe in it and want to do more of it. So why are there still so many noncommittal buyers sitting on the sidelines?

Be on the lookout for forthcoming research from my colleague Jim Nail and me that dives deeper into the practical realities of buying audiences in an omnichannel way. While the answer might be that it’s not a perfect process today, perfect here may be the enemy of good.

Or maybe the real enemy is inertia.

*It was a privilege to visit the Boys & Girls Clubs of Puerto Rico’s new charter school in San Juan. They are changing the world one kid at a time.

The Future Of Mobility Is Data, Not Cars

Having worked in and with the automotive industry for around 25 years, I find that the challenges OEMs face, given their size and structures, often inhibit the business agility needed to provide lasting customer value in an age of digital disruption. The focus has always been more skewed toward the product experience and product features and defining greatness by “number of cars.”

Mobility as a driver for change has existed for more than 10 years, but the increased competitiveness from nontraditional players has created new challenges for OEMs and forced them to rethink their role. It has produced more service-oriented ideas such as car-sharing schemes, partnerships with ride-hailing services, and closer collaboration with urban planners.

Despite these changes, I think that the focus is still on the “number of cars.” The recent merger of Mercedes-Benz car2go and BMW DriveNow highlights the need to increase fleet size to be able to compete with nontraditional automotive players, and the main message I took away from the MQ! The Mobility Quotient 2018 Innovation Summit was that autonomous cars, smarter service offerings around cars, and better working together with urban planners would somehow manage the mobility expectations of the future. Considering that the physical format of mobility remains unchallenged — it still looks like a car — the future seems secure for the OEM.

Dr Dieter Zetsche, chairman of the board of management of Daimler AG and head of Mercedes-Benz Cars, is quoted as saying the following after the merger of car2go and BMW DriveNow: “As pioneers in automotive engineering, we will not leave the task of shaping future urban mobility to others. There will be more people than ever before without a car who will still want to be extremely mobile.”

The desire of the OEMs to still define the terms of what mobility will be may make business sense, but mobility is more than just the car. Mobility is about convenience and empowerment, and it is a commodity to be used rather than something to be owned. Making mobility convenient will depend on how well companies work together and manage and share data within mobility ecosystems.

In February 2018, 15 technology companies (BlaBlaCar, Citymapper, Didi, Keolis, LimeBike, Lyft, Mobike, Motivate, Ofo, Ola, Scoot Networks, Transit, Uber, Via, and Zipcar) signed the “Shared Mobility Principles for Livable Cities.” Some of the objectives of the shared principles are to place people before technology, work together, move toward zero emissions, and share data. Is it a coincidence that there are no automotive brands in this list? It seems the pioneers are not alone.

Data and the capability to manage and share data will be the differentiators in the future of mobility, and managing the data from the first mile to the last mile will provide incredible insight and power. This capability will be the OEM’s most significant challenge to overcome, and it will also challenge the OEM’s position and influence in an industry that will likely not be called the automotive industry anymore but will take on the term “mobility industry.”

To remain relevant, an OEM must learn how to share and participate more proactively rather than defer to its automatic response to new challenges by building walls to protect itself. Trying to defend itself will only isolate the OEM from the mobility industry, its data, and customers. For an OEM, the following three areas are crucial.

Car Ownership

Sustainability, commoditization of mobility, hyperadoption, and increased mobility offers are changing the perception and need for car ownership. More solutions for the first and last mile are connecting people to mobility networks that make their commute more productive. Deloitte’s report on the future of mobility estimates that as much as 66% of new vehicle sales in urban areas will be shared by 2030.

The OEM may still build cars, but the reduction in ownership has a massive impact on its distribution network: the car dealerships. Dealerships must be transformed to be less dependent on the OEM and more connected to the mobility ecosystem through platforms that enable the exchange of data using APIs and microservices. Given the current state of technology and technology capabilities at dealerships, few will survive if nothing is done.

The impact for the OEM is the loss of data. No more ownership means no more data and no more managing of a customer relationship in the ownership lifespan. OEM car-sharing services have shorter relationships and have higher challenges to maintain loyalty, and the data silos of car-sharing services continue to frustrate customers. Consolidating data and providing easier management of mobility should be a priority.

Future Mobile And Digital Landscape

The transformation of mobile and digital is causing a shift in managing experiences with customers. The possibility to isolate brand experiences is changing because digital devices, whether they be mobile phones, consoles, home electronics, or cars, become smarter and can orchestrate content more intelligently. Customers also expect seamless experiences across channels and devices.

An OEM must transform the way content is produced and managed to be able to communicate in an environment of intelligent device orchestration. It also needs to make content available for orchestration through ecosystem platforms and APIs. Self-defining the rules for content delivery disappears, and remaining relevant depends on the capability to manage content in a more agile and dynamic manner.

Customer Ecosystems

The changes in mobile and digital, together with customer choices and access to services, redefine the way customers solve the jobs that need to be done to fulfill their needs. Customers do not rely on the linear journeys provided by brands anymore but orchestrate their customer value and experience ecosystems by themselves.

The OEM and dealers alike need to expand their understanding of customer journeys beyond the brand and incorporate the whole customer ecosystem. Understanding the value an OEM has in the ecosystems allows for more personal experiences and also identifies further opportunities to remain relevant in customer value and experience ecosystems.

Ecosystems are different for individual customers, and it is not possible to manage ecosystem journeys the same way as today. The implication is that an OEM needs to access more data and use technologies such as artificial intelligence and machine learning to analyze and dynamically adjust to changes in the customer ecosystems.

Sharing Is The Only Real Choice

The red thread in the areas described above is data. The capability to access, manage, and share data will define the role an OEM has in the mobility industry. Digital disruptors that build services on data are becoming bigger players in a mobility industry determined by data, and they provide experiences that an OEM is traditionally not able to provide.

This is also where the opportunity exists, however. OEMs and dealerships have infrastructure that complements the offerings of digital players. The combination of established infrastructure, data exchange, and dynamic digital services enables the promise of future mobility. Sharing and working together will have the most significant benefit for customers, and hopefully, that is the same objective the OEMs have, too.


DAM Or Web CMS? Part 2: Find Out Which DX Technology You Need For Workflow And Delivery

In the second part of our series, we take a look at workflow and delivery and where digital asset management and web content management systems excel. If you haven’t seen the first part of our analysis, make sure you check it out.

Do you need more help? Forrester clients can set up an inquiry with us.

Emphasize Emotion In Your Holiday Customer Service

This blog post is part of Forrester’s Holiday 2018 retail series.

As the holidays approach and the post-holiday return rush quickly follows, a few things will occur simultaneously: Hundreds of millions of customers will make purchases, total holiday retail sales will push the $720 billion mark, and millions more will send odd, ill-fitting, or unwanted gifts back from whence they came.

It’s in this frenzy of purchasing where empathy is often lost — and it’s all the more important when customers can actually find it. When your partner or spouse’s gift is a month late for the third holiday in a row or Grandma’s gift was never processed by the fulfillment center and you call customer service for a solution, there’s an emotional need to make sure that the agent on the other end gets it. This need, multiplied by the millions of customers who will undoubtedly face a myriad of retail issues this holiday season, presents an opportunity for customer service organizations to inject emotion and empathy into each conversation.

Ease, effectiveness, and emotion all contribute to a positive customer experience, but often brands will focus too narrowly on effectiveness. Customer service interactions are emotional for the customer — brands must consider those emotional needs when building their service strategy, and there’s no better time to start than during the predictable spike in emotional interactions during the holiday season. The good news? You’re already prepping for the volume. Now is the time to step up and meet those emotional needs with:

  • Technology to guide both agent and customer. Speech analytics solutions can give you real-time insights into the emotional needs of the customer, and predictive routing technology can match a customer with the agent best equipped to handle their communication style or personality type. While those solutions may not be feasible until the next holiday season, in the meantime, revisit your approach to right-channeling customers. The best channel for them to resolve their issue may depend on their emotional needs.
  • Hiring and onboarding practices to help agents empathize and understand. Brands are planning for an influx of seasonal agents to handle increased interaction volume during the holidays. It’s the perfect opportunity to explore new ways to inject emotion into customer interactions — and may even help with the seasonal churn. Prioritize emotion in the first daily stand-up: Give your agents room in their scripts to relate to customers’ experiences, prepare to offer more concessions to frustrated customers, and look at how well agents empathize with customers. Take advantage of the fact that your agent is, in fact, also human.

Ease and effectiveness are critical components of a customer service and customer experience strategy, but incorporating customer emotions into your holiday service planning — whether through optimized analytics, predictive routing, or updated hiring and onboarding processes — is the key factor that will set your organization up for success in 2019.

For more information on how to approach customer service interactions through the lens of customer emotions, set up an inquiry with me, and look out for our upcoming research on how to inject emotion in customer service, publishing in January 2019.

In the meantime, for more insights on how we think customer service will change next year, check out our recently published report, “Predictions 2019: Customer Service And Sales.”

(Sarah Dawson contributed to this blog.)

Almost 50% Of US Companies Lack CyberAttack Insurance

Are You Covered For CyberAttack?

BLOOMFIELD, Conn.—A recent study from NTT Com Security found that 49 percent of the U.S. companies surveyed currently do not have insurance specifically for cybersecurity attacks.


NTT Com Security surveyed 1,000 “non-IT business decision makers in organizations in the U.K., U.S., Germany, France, Sweden, Norway and Switzerland,” for the report.

“Faced with risks every day, it’s easy for organizations to look for quick-fix solutions rather than focusing on building a solid security and risk management strategy,” Garry Sidaway, SVP security strategy and alliances for NTT Com Security, said in a prepared statement.

“Rather than relying solely on an insurance policy to cover losses, businesses need a different game plan. Buy insurance by all means, but ensure that you can demonstrate that you have put controls in place to reduce your risks, and, what these controls cover. This way you know what is being insured,” he said.


While a majority of global organizations believe information security breach insurance is crucial, less than half—41 percent—are fully covered for both security breaches and data loss, and just over one-third have dedicated cybersecurity insurance, according to the company’s 2016 Risk:Value report.

U.S. businesses are the most likely to have this type of insurance, 51 percent, compared to 26 percent in the U.K.

“Security needs to be embedded into the culture of an organization, from top to bottom, championed by the CEO, designed and executed by the CISO and communicated effectively so that every employee takes responsibility for ensuring that good practices are followed,”
