The security endgame: How to actively keep your data and organisation secure

7 Jun 2019

Image: © Koonsiri/

Examining recent Forrester reports reveals top suggestions for security measures organisations need to start exploring.

In April, Marvel fans finally received an ending to an 11-year saga when Avengers: Endgame premiered in theatres. Without revealing too many spoilers, the Avengers spend the entire Endgame movie discovering a way to reverse a villainous snap of the fingers that decimated the entire universe’s population.

While watching this movie, I began to contemplate what would happen if we eliminated all or even half of current security measures. What if organisations made no effort to train their employees on secure practices or if we allowed both government and the private sector to have free reign on personal consumer information? What if no efforts were made to prevent new threats posed by drones or to enhance application security?

Though this thought didn’t conjure the drama of the final battle scene from Avengers: Endgame, the vision of a world where security isn’t a priority is a worrying one. At the risk of sounding corny, we’re in the endgame now, and you must continually and actively keep your data and organisation secure or risk losing it all.

So, what should security and risk pros do to avoid any of the above scenarios? The security and risk team at Forrester has written various reports addressing the variety of ways that CISOs can continue to keep their organisations secure. Below are some highlights.

Security awareness and training

Historically, security awareness and training efforts have been half-hearted and investment in more sophisticated solutions has been limited. CISOs struggle to justify security awareness and training initiatives, and many employees do not receive security training – a worrying fact given that many employees are unsure of their company security policies.

In the recent report ‘The Business Case for Security Awareness and Training’, Jinan Budge and Claire O’Malley show security and risk pros how to measure the benefits of security awareness and training to justify more investments, as these initiatives can help CISOs instil a culture of security awareness among their employees.

Avoid data surveillance scandals

Though governments have typically been associated with surveillance, the private sector is now also a major participant in the practice of collecting, analysing and storing personal data. It is fully engaged in economically endorsed spying.

In the report ‘Avoid Corporate Scandal Caused by the Surveillance Economy’, O’Malley teamed up with Jeff Pollard to explain how to remain on the side of the data economy and steer clear of surveillance practices.

Empower developers to code securely

Though application security is a top priority for global security decision-makers, developers don’t have the skills or resources to code securely.

In their report ‘Show, Don’t Tell, Your Developers How to Write Secure Code’, Amy DeMartine and Trevor Lyness contend that security pros need to work within developer constraints to empower secure coding.

Be prepared for drones

As drones become more common in commercial use, they introduce new enterprise risks. Security and risk professionals need both a strategy to protect their organisation from drones and to ensure that their own drone use is compliant with applicable laws and doesn’t interfere with others’ business operations.

In the new report ‘Protect Your Firm from Drones’, Merritt Maxim and Salvatore Schiano discuss the ways in which organisations can better prepare themselves for increased commercial use of drones.

Zero trust

Zero trust’ continues to be a hot topic, and Paul McKay, Chase Cunningham and Enza Iannopollo write about zero trust adoption in the European market in the report ‘How To Implement Zero Trust Security In Europe’.

CISOs in Europe face a unique set of challenges in implementing zero trust, which requires more upfront planning than would be necessary in some other regions.

By Stephanie Balaouras, with Kate Pesa contributing

Stephanie Balaouras is a vice-president and research director at Forrester, serving security and risk professionals. She leads a team of analysts who provide research and advisory services on topics such as IT security frameworks; governance, risk and compliance; identity and access management; application security; data security; and IT infrastructure security. Kate Pesa is a senior research associate at Forrester.

A version of this article originally appeared on the Forrester blog.