Forrester’s mic-drop HRM report: Unpacking what it all means for you
Okay, okay, we know what you’re thinking. Another report? Really?
We get it. 2024 is a big year for big reports. Like the one in which analyst firm Forrester declared Human risk management official.
And this whopper, the largest ever report looking at the cybersecurity attitudes and behaviors of technology users.
But hear us out, because six months on from The Human Risk Management Solutions Landscape, Q1 2024, Forrester has dropped another report: The Forrester Wave™ Human Risk Management Solutions, Q3 2024. And this one takes it to the next level.
The question is no longer “What is Human risk management (HRM)?”
It’s who the most significant providers are and, more importantly, how organizations should be adopting HRM into their security programs.
It’s not a moment too soon, either. Because HRM has been the rising star in cybersecurity for a while, owing to its ability to do what security awareness and training (SA&T) only claims to do: reduce risk.
Forrester recognized CybSafe as one of two HRM leaders in their evaluation. *Nonchalantly inspects nails* 💅
What solidified CybSafe’s place as a Leader among evaluated HRM vendors? Well, for the full data-dive you’ll need to hit the report, but our relentless focus on HRM can’t have hurt.
And, Forrester cited our scientific, data-led vision for behavioral change, and clearly when it comes to HRM, this stuff all really matters.
Forrester said it in their report: “CybSafe is ideal for firms that are serious about their security culture and about data-led behavioral change.”
So here, we’ll share a few reflections for organizations looking to embrace HRM.
In Part 1, check out the three big things organizations should be laser-focused on before embarking on an HRM strategy.
Then in Part 2 we’ll gawp unreservedly at the vendor landscape, before wrapping it all up with some next steps that are as impactful as they are easy.
Part 1: 3 golden rules for HRM success
Whatever an organization’s priorities, challenges, and current situation, there are three key things to consider before embracing an HRM strategy.
1. HRM is not just shiny new tools
Any of us could buy a lightsaber on Amazon. But we’d all agree that the purchase doesn’t make you a Jedi.
So let’s be real—anyone can buy software. But splashing the cash on a fancy tool and checking the box has never cut it.
Adding yet another gadget to your security toolbox won’t cut it either. What will? Embedding human risk management into the DNA of your entire strategy.
It’s one thing to buy a platform, but another to truly adopt HRM practices that integrate deeply into your organization’s existing infrastructure. A robust HRM solution should show you how to integrate human risk into every layer of your processes, from policy updates to behavioral insights, to real-time interventions. Having the data is one thing; knowing what to do with it is a whole other thing.
If you choose to go the vendor route to support an HRM program, your vendor should guide you in turning insights into action, making HRM a core part of daily operations. Otherwise, you’re just paying for bells and whistles without any real change.
HRM is more than just tools—you need adoption.
2. Be prepared to boldly go beyond phishing simulations
Sure, simulations can be a component in a broader strategy. But if you’re still just running phishing simulations and patting yourself on the back when people catch and report them, you’re living in 2010.
HRM is about tracking risky behaviors across the board, from how people manage their credentials, to who’s ignoring software updates, and who’s googling “Is MFA contagious?”. In other words, much deeper than who’s clicking, reporting, and completing training.
Top-drawer HRM solutions don’t just detect risky actions; they immediately respond with interventions tailored to the behavior in question. Whether it’s a timely nudge to prompt someone to update their pwned password, or adjusting security policies on the fly, it’s about real-time, risk-based actions—not just reactive training sessions after the fact.
That’s the difference between a solution that sees problems and one that actually solves them. And that, reader, is everything.
3. HRM is about real risk metrics (not vanity metrics)
Click rates? Quiz scores? Engagement stats? Come on. You’re better than that. No—you deserve better than that.
If those are the only metrics being measured, it ain’t HRM. Not really. You’ve been sold a duff. You’ve been sold cybersecurity vanity metrics.
Genuine HRM goes deeper, looking at actual human behaviors, identity risk, and personal attack exposure.
How often are high-risk users being targeted? What critical security behaviors are they failing at?
Evaluate these together and you’ll get a clearer picture of which individuals pose the greatest risk to your organization and take the necessary steps to mitigate those risks in real time.
Let’s face it, the real threat isn’t someone who flunks a pop quiz. It’s the person with a poor security posture, overinflated confidence, and high access privileges!
So, forget focusing on who passed the quiz. Look for solutions that monitor behavior over time, analyze risk exposure, and enable you to respond in real time to mitigate threats.
Keep in mind: true HRM is about understanding who poses a risk, why, and what to do about it, at that exact moment in time.
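To make the “real risk metrics, not vanity metrics” point concrete, here is an added illustrative sketch (written for this post, not CybSafe’s or Forrester’s scoring model) of a per-person risk score that evaluates targeting frequency, failed critical behaviors, and access privilege together, while deliberately ignoring the quiz score. The behavior names, weights, and sample population are all constructed assumptions.

```python
"""Illustrative per-person human-risk scoring (editor's example, not a vendor model).

Combines the three signals the post says to evaluate together: how often someone
is targeted, which critical security behaviors they are failing, and how much
access they hold. The quiz score is kept on the record but never used: it is
the vanity metric the post warns about.
"""
from dataclasses import dataclass, field

# Assumed weights for a handful of critical behaviors (constructed for this example).
BEHAVIOR_WEIGHTS = {
    "mfa_enabled": 3.0,
    "password_not_breached": 3.0,
    "patches_current": 2.0,
    "reports_phishing": 1.0,
}


@dataclass
class Person:
    name: str
    privilege: int            # 1 = standard user ... 3 = admin / high access
    attacks_last_90d: int     # observed targeting, e.g. malicious emails received
    failed_behaviors: set = field(default_factory=set)
    quiz_score: float = 1.0   # vanity metric: intentionally unused below


def risk_score(p: Person) -> float:
    """Behavior gap x exposure (targeting), amplified by access privilege."""
    behavior_gap = sum(BEHAVIOR_WEIGHTS.get(b, 1.0) for b in p.failed_behaviors)
    exposure = 1.0 + p.attacks_last_90d / 10.0   # more targeting -> more exposure
    return round(behavior_gap * exposure * p.privilege, 2)


def rank_by_risk(people):
    """Highest human risk first; a perfect quiz score does not lower it."""
    return sorted(people, key=risk_score, reverse=True)


# Constructed sample population.
PEOPLE = [
    Person("quiz_flunker", privilege=1, attacks_last_90d=2, quiz_score=0.4),
    Person("confident_admin", privilege=3, attacks_last_90d=12,
           failed_behaviors={"mfa_enabled", "password_not_breached"}, quiz_score=1.0),
    Person("unpatched_dev", privilege=2, attacks_last_90d=5,
           failed_behaviors={"patches_current"}, quiz_score=0.9),
]

if __name__ == "__main__":
    for p in rank_by_risk(PEOPLE):
        print(f"{p.name:16} risk={risk_score(p):6.2f} quiz={p.quiz_score:.0%}")
```

The person who failed the quiz ends up at the bottom of the ranking, and the admin with a perfect score but missing MFA and a breached password ends up at the top.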
Boom! Part 1 done. You’ve now got the fundamentals of ‘how’ locked and loaded.
But to paraphrase Sean Bean, one does not simply start “doing HRM”. You need a trusty partner who can give you HRM solutions that suit your organization.
And handily, that’s where we’re heading next.
Part 2: The vendor landscape: Who’s going HAM on HRM?
This list is not exhaustive of all vendors in the HRM space. Some vendors appear in the Forrester report, others don’t.
It is also not representative of the Forrester rankings. The vendors below are listed in alphabetical order.
CultureAI is a small company based in the United Kingdom. Their platform educates employees at the point of risk, automates fixes, and reports on risks.
CybSafe identifies human risk hotspots, automates tasks that improve employee security behaviors, and scientifically manages human risk in real time.
CybSafe is powered by the Security Behavior Database (or SebDB), an open-source database that maps risk outcomes to security behaviors. It’s a significant differentiator, allowing CybSafe to objectively measure 100+ security behaviors.
Hoxhunt is known for their individualized and gamified phishing simulations. Their platform also provides in-the-moment micro-trainings to drive engagement and safe behaviors.
KnowBe4 provides AI-powered security awareness and compliance training and testing, simulated phishing, real-time coaching, and security orchestration tools to reduce human risk.
Their Unify platform identifies cyber risks across your workforce, protects with nudges, training, and AI orchestrations, and reports results showing increased workforce vigilance.
Mimecast recently bought Elevate Security, a platform that integrates with leading security technologies to identify users most likely to cause a security breach and automatically orchestrate additional security measures to minimize the likelihood of an incident.
Based in Europe, SoSafe reduces human risk by leveraging behavioral science to sharpen employees’ security instincts.
OutThink delivers tailored learning experiences. They allow security teams to make all content company-specific, and they use data from their platform and existing security systems to identify patterns of risk across an organization.
Proofpoint’s People Risk Explorer addresses human risk in cybersecurity, focusing on identifying, assessing, and mitigating people-based threats. Their approach combines advanced threat intelligence with behavioral science to create a robust HRM program.
Ready for HRM? Let’s talk next steps
You’ve got the key insights.
But…how do you actually get started with your organization’s HRM journey?
If you’re looking for a walkthrough of taking your SA&T program and transforming it into a full-blown HRM strategy, we’ve got you covered.
Forrester’s Jinan Budge (the analyst who led the Wave report) joined CybSafe’s Oz Alashe as a guest speaker for a discussion on maturing Security Awareness & Training programs into HRM strategies.
Watch the webinar here: Maturing SAT Programs into Human Risk Management Strategies
And hey, don’t stop there. Witness an industry-leading HRM solution in action:
And if you want to wade into the deliciously deep data of the full Forrester report, you can get it here.
Until the next pivotal report (which’ll probably be along next week, given how 2024’s going),
CybSafe