The Days When SA&T Operated Solely To Train People About Security Are Vanishing
I’ve been living and breathing the security awareness and training (SA&T) market since joining Forrester 3.5 years ago, working closely with most vendors in this market, as well as our clients. I have seen a significant elevation in the conversation and client expectations, with vendors rushing to innovate and disrupt to meet these new expectations. I look back at our first review of the SA&T vendor landscape in 2019 and wonder how on earth a market evolves so much in such a short period of time. The latest research is out; Forrester clients can follow this progression here.
In those early days of 2018 and 2019, my vendor briefings were full of information about features, extensive (yet dull) content libraries, and almost zero focus on behavior or culture change. It was as though we trained people for the sake of training them only, and by all accounts, the absence of any useful ROI or metrics supported this picture. In those early briefings, I saw non-diverse, non-differentiated, 1990s PowerPoint-style content, reminding me why so many in the cybersecurity community (myself included) were so skeptical of SA&T. During 2020, as I was doing the extensive research and analysis for my Forrester Wave™ evaluation, I was shocked and dismayed by what I discovered, compelling me to write that “The security awareness and training market is full of legacy vendors whose offerings are out of date and out of touch with users.” I also felt compelled to write in the report that behavior and culture needed to reign supreme over awareness and punishment — a scathing picture of the market, and, obviously, I was not popular with anyone.
We are proud to have made those calls, as 1.5 years later, after receiving possibly hundreds of briefings, strategy days, multiple discussions with my CISO clients, and sifting through thousands of lines of vendor responses to my questions, I see much-needed disruption — I love disruption! The key disruption is that SA&T is no longer solely operating to train people for the sake of training them — behavior and culture change have moved beyond being performative to fostering real action, and this is what you need to do about it:
- Understand that modern-day SA&T solutions now have multiple purposes beyond training. Some SA&T solutions now measure the human risk, NOT based on whether people passed or failed quizzes but based on their actual behavior. This gives CISOs invaluable data about the risky behaviors they need to manage, allowing them to focus training resources or uplift security capabilities if required. These solutions are also starting to be recognized as fundamental in shaping security culture and brand.
- Select from the four distinct, unexpected, and crucial functionality segments. These segments are extremely helpful for the CISO, and each serves a different purpose. They include the following: 1) human risk quantification vendors that provide a data-driven approach to behavior change; 2) security culture mapping vendors that measure sentiment and emotions about security; 3) content- and experience-driven vendors that lead with excellent content; and 4) comprehensive SA&T vendors that continue to provide a one-stop-shop.
- Use data from SA&T solutions to drive behavior, culture, AND security program change. Select the right provider, or a mix of providers, to open your security program to opportunities such as using behavioral risk data to focus security program improvement — we can do, and are doing, so much better now than with perfunctory metrics such as training completion rates and Net Promoter Score. Some solutions, for example, now measure a human risk score based on actual behavior extracted from security tools (such as password manager adoption or VPN use), not just on whether users passed or failed a test. Others can help you measure how your SA&T solution is contributing to your overall security program (by reducing incidents relating to phishing, for example).
- Use this disruption to develop right-sized responses and interventions. Bombarding all users with the same amount of training, on the same topics and at the same frequency, wastes employee time and productivity. Choose vendors that enable you to create individualized learning paths, or that curate training OR interventions depending on each user’s behavior. There are also now vendors that help you map the security culture so that you can influence the required change only where it’s required and nowhere else.
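To make the two preceding points concrete (a risk score derived from behavioral telemetry rather than quiz results, and interventions sized to that score), here is an added illustration. It is not Forrester's code and not any vendor's product logic: the signal names, weights, thresholds and the three users are all constructed here for the example, and a real platform would derive its own model from its own data.

```python
"""Behavior-based human risk scoring with right-sized interventions.

Added illustration only. The telemetry fields, weights and thresholds are
hypothetical; they stand in for signals an SA&T platform might pull from
security tools (password manager, VPN, phishing simulations).
"""
from dataclasses import dataclass
from typing import List


@dataclass
class UserTelemetry:
    """Constructed per-user signals for the last 30 days."""
    user: str
    password_manager_enrolled: bool
    vpn_sessions_last_30d: int
    phish_sims_sent: int
    phish_sims_clicked: int
    phish_reported: int
    quiz_passed: bool  # kept to show it plays NO part in the behavioral score


# Hypothetical weights: how many risk points (0-100 scale) each behavior adds.
WEIGHTS = {
    "no_password_manager": 30,
    "low_vpn_use": 20,        # fewer than 5 VPN sessions in the window
    "phish_click_rate": 40,   # scaled by the user's simulated-phish click rate
    "never_reports": 10,      # received sims but reported none of them
}


def risk_score(t: UserTelemetry) -> int:
    """Score risk purely from observed behavior; quiz_passed is ignored."""
    score = 0
    if not t.password_manager_enrolled:
        score += WEIGHTS["no_password_manager"]
    if t.vpn_sessions_last_30d < 5:
        score += WEIGHTS["low_vpn_use"]
    if t.phish_sims_sent > 0:
        click_rate = t.phish_sims_clicked / t.phish_sims_sent
        score += round(WEIGHTS["phish_click_rate"] * click_rate)
        if t.phish_reported == 0:
            score += WEIGHTS["never_reports"]
    return min(score, 100)


def intervention(score: int) -> str:
    """Right-size the response: only high-risk users get the heavy treatment."""
    if score >= 60:
        return "targeted coaching + phishing-focused module"
    if score >= 30:
        return "short refresher on weakest behavior"
    return "no additional training this cycle"


def rank_by_risk(users: List[UserTelemetry]) -> List[UserTelemetry]:
    """Order users so scarce training time goes where the risk actually is."""
    return sorted(users, key=risk_score, reverse=True)


def program_click_rate(users: List[UserTelemetry]) -> float:
    """Program-level metric: overall simulated-phish click rate across users.
    Tracking this over time shows whether SA&T is reducing phishing exposure."""
    sent = sum(u.phish_sims_sent for u in users)
    clicked = sum(u.phish_sims_clicked for u in users)
    return clicked / sent if sent else 0.0


# Constructed sample population (not real data).
USERS = [
    UserTelemetry("alice", True, 20, 10, 0, 6, True),
    UserTelemetry("bob", False, 2, 10, 5, 0, True),     # passed the quiz, risky in practice
    UserTelemetry("carol", False, 12, 8, 1, 2, False),  # failed the quiz, moderate in practice
]

if __name__ == "__main__":
    for u in rank_by_risk(USERS):
        s = risk_score(u)
        print(f"{u.user:6} score={s:3}  quiz_passed={u.quiz_passed!s:5}  -> {intervention(s)}")
    print(f"program click rate: {program_click_rate(USERS):.3f}")
```

Note that bob passes the quiz yet scores highest, while carol fails it and scores moderately: the point of the behavioral approach is exactly that the training decision follows what people do, not what they answer.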
Some vendors in the market are so focused on behavior change now, pivoting so far away from training that they are calling for us to rename the market. Other vendors want to self-select out of the market due to its nomenclature and reputation. They have other valid reasons — such as that the budgets for their solutions are no longer coming from SA&T functions — but the human risk quantification they are providing is a security-program imperative. I’m calling for patience as we all navigate our way through this important disruption. I’ll shortly be commencing research for my “future of security awareness” (working title only) research, and I welcome all perspectives and experiences.