
CybSafe leader in Forrester Wave™ Human Risk Management Solutions, Q3 2024


24 September 2024

Forrester’s mic-drop HRM report: Unpacking what it all means for you

Okay, okay, we know what you’re thinking. Another report? Really?


We get it. 2024 is a big year for big reports. Like the one in which analyst firm Forrester declared SA&T passé, crowning HRM as the new champion of people-centric security.

And this whopper, the largest ever report looking at the cybersecurity attitudes and behaviors of technology users.

But hear us out, because six months on The Human Risk Management Solutions Landscape, Q1 2024, Forrester has dropped another report: Forrester Wave™ Human Risk Management Solutions, Q3 2024. And this one takes it to the next level.

The question is no longer “What is Human risk management (HRM)?”

It’s who’s leading the pack and, more importantly, how organizations should be adopting HRM into their security programs.

It’s not a moment too soon, either. HRM has been the rising star in cybersecurity for a while, owing to its ability to do what security awareness and training (SA&T) only claims to do: reduce risk.

So here, we’ll reflect on Forrester’s wisdom for organizations looking to embrace HRM.

In Part 1, check out the three big things organizations should be laser-focused on before embarking on an HRM strategy.

Then in Part 2 we’ll gawp unreservedly at the vendor landscape, before wrapping it all up with some next steps that are as impactful as they are easy.

Part 1: 3 golden rules for HRM success

Whatever an organization’s priorities, challenges, and current situation, there are three key things to consider before embracing an HRM strategy.


1. HRM is not just shiny new tools

Any of us could buy a lightsaber on Amazon. But we’d all agree that the purchase doesn’t make you a Jedi.

So let’s be real—anyone can buy software. But splashing the cash on a fancy tool and checking the box has never cut it.

Adding yet another gadget to your security toolbox won’t cut it either. What will? Embedding human risk management into the DNA of your entire strategy.

It’s one thing to buy a platform, but another to truly adopt HRM practices that integrate deeply into your organization’s existing infrastructure. A robust HRM solution should show you how to integrate human risk into every layer of your processes, from policy updates to behavioral insights, to real-time interventions. Having the data is one thing; knowing what to do with it is a whole other thing. 

If you choose to go the vendor route to support an HRM program, your vendor should guide you in turning insights into action, making HRM a core part of daily operations. Otherwise, you’re just paying for bells and whistles without any real change.

HRM is more than just tools—you need adoption.


2. Be prepared to boldly go beyond phishing simulations

Sure, simulations can be a component in a broader strategy. But if you’re still just running phishing simulations and patting yourself on the back when people catch and report them, you’re living in 2010.

HRM is about tracking risky behaviors across the board, from how people manage their credentials, to who’s ignoring software updates, and who’s googling “Is MFA contagious?”. In other words, much deeper than who’s clicking, reporting, and completing training.

Not only do top-drawer HRM solutions detect risky actions. They will immediately respond with interventions tailored to the behavior in question. Whether it’s a timely nudge to prompt someone to update their pwned password, or adjusting security policies on the fly, it’s about real-time, risk-based actions—not just reactive training sessions after the fact.

That’s the difference between a solution that sees problems and one that actually solves them. And that, reader, is everything.


3. HRM is about real risk metrics (not vanity metrics)

Click rates? Quiz scores? Engagement stats? Come on. You’re better than that. No—you deserve better than that.

If those are the only metrics being measured, it ain’t HRM. Not really. You’ve been sold a duff. You’ve been sold cybersecurity vanity metrics.

Genuine HRM goes deeper, looking at actual human behaviors, identity risk, and personal attack exposure. 

How often are high-risk users being targeted? What critical security behaviors are they failing at? 

Evaluate these together and you’ll get a clearer picture of which individuals pose the greatest risk to your organization, and you can take the necessary steps to mitigate those risks in real time.

Let’s face it, the real threat isn’t someone who flunks a pop quiz. It’s the person with a poor security posture, overinflated confidence, and high access privileges!

So, forget focusing on who passed the quiz. Look for solutions that monitor behavior over time, analyze risk exposure, and enable you to respond in real time to mitigate threats.

Keep in mind: true HRM is about understanding who poses a risk, why, and what to do about it, at that exact moment in time.

Boom! Part 1 done. You’ve now got the fundamentals of ‘how’ locked and loaded. 

But to paraphrase Sean Bean, one does not simply start “doing HRM”. You need a trusty partner who can give you HRM solutions that suit your organization. 

And handily, that’s where we’re heading next.

Part 2: The vendor landscape: Who’s going HAM on HRM?

Which vendors are truly spearheading HRM…and which ones are still stuck in the old SA&T world?

Well, we don’t want to toot our own horn, but…yeah, we’re one of ‘em. *Nonchalantly inspects nails* 💅

Forrester highlighted CybSafe as one of two leaders of the HRM pack. This means CybSafe has been a leader in the last three SA&T/HRM Forrester Wave reports.

What’s more, this year, we knocked an industry giant off its pedestal. KnowBe4 is no longer named as a Leader, but as a Strong Performer.

What solidified CybSafe’s place as a go-to HRM vendor? Well, for the full data-dive you’ll need to hit the report, but our relentless focus on HRM can’t have hurt. Forrester also called out our laser focus on data-driven, science-backed, real-world risk management, and clearly, when it comes to HRM, this stuff all really matters.

Forrester said it:

CybSafe is ideal for firms that are serious about their security culture and about data-led behavioral change.😏

But anyway, we’re getting ahead of ourselves. We promised you a rundown of the vendors with a flavor of their pros and cons, and that’s exactly what you’re getting. 

This list is not exhaustive of all vendors in the HRM space. Some vendors appear in the Forrester report, others don’t.

It is also not representative of the Forrester rankings. The vendors below are listed in alphabetical order.


CultureAI is a small company based in the United Kingdom. Their platform educates employees at the point of risk, automates fixes, and reports on risks.


[LEADER] CybSafe identifies human risk hotspots, automates tasks that improve employee security behaviors, and scientifically manages human risk in real time.

CybSafe is powered by the Security Behavior Database (or SebDB), an open-source database that maps risk outcomes to security behaviors. It’s a significant differentiator, allowing CybSafe to objectively measure 100+ security behaviors.

CybSafe has been announced as one of two leaders in the HRM space, with its scientific, data-led approach to HRM. Forrester considers CybSafe as leading the charge in turning data into actionable security strategies.


Hoxhunt is known for their gamified phishing simulations, but they’re now eyeing a pivot to AI-driven training. Their HRM functionality is still relatively slender, but they’re making some initial moves to expand into broader risk management.


Still a behemoth in the training space, KnowBe4 is gradually pivoting toward HRM. They’ve got the AI-powered AIDA initiative, but their customer base is still mostly focused on traditional SA&T.


[LEADER] Living Security was also announced as an HRM leader. Using their Unify platform to track behaviors across key tech categories, they’ve made progress in driving HRM adoption, but critics say they’re slow to release content for emerging threats.


After buying Elevate Security, it’s clear that Mimecast is on a mission to roll out human risk scoring across their customer base. They now have the infrastructure to make big moves—especially if they’re able to successfully integrate HRM with their wider security tools.


Based in Europe, SoSafe has built its brand on privacy and psychology—which makes sense, given their origins in behavioral science. SoSafe users highlight the realistic phishing simulations and engaging training content.


OutThink delivers tailored learning experiences. They allow security teams to make all content company-specific, and they use data from their platform and existing security systems to identify patterns of risk across an organization.


Proofpoint’s People Risk Explorer is a decent HRM tool, but it’s only as powerful as the number of Proofpoint products you’ve invested in. They’re also still largely focused on the delivery of learning content and email security. They have strong individual capabilities, but HRM adoption is still a work in progress.

Ready for HRM? Let’s talk next steps

You’ve got the key insights. You know which vendors are worth your time.

But…how do you actually get started with your organization’s HRM journey?

If you’re looking for a walkthrough of taking your SA&T program and transforming it into a full-blown HRM strategy, we’ve got you covered.

CybSafe’s Oz Alashe and Forrester’s Jinan Budge (the analyst who led the report we’ve been unpacking here) sat down for a discussion on maturing Security Awareness & Training programs to HRM strategies.

Watch the webinar here: Maturing SAT Programs into Human Risk Management Strategies

And hey, don’t stop there. Witness an industry-leading HRM solution in action:

And if you want to wade into the deliciously deep data of the full Forrester report, you can get it here.

Until the next pivotal report (which’ll probably be along next week, given how 2024’s going),

CybSafe
