The security awareness and training (SA&T) market has been stagnant for so long, with the last major disruption as far as I can tell being the introduction of phishing simulations about a decade or so ago. Since then, the industry seems to have seen a slow and steady evolution from ticking boxes to meet a web of uninspiring security training requirements imposed by security frameworks and regulations to “better” content and ways to assess users via games, simulations, quizzes, and other “better” training techniques.

Evolution, in this case, simply means we’re doing the same thing that we’ve always done, just better and faster. The evolution that’s happened hasn’t addressed the elephant in the room, which is: Why are we doing the thing in the first place? (Hint: The “thing” in this instance is training, for the sake of training.)

I won’t lie to you: There wasn’t an abundance of innovation in The Forrester Wave™: Security Awareness And Training Solutions, Q1 2022. We still saw vendors bragging about features and extensive (yet sometimes dull) content libraries. While these feature additions are evolutionary, they are far from revolutionary.

You Say You Want A Revolution?

We certainly want revolution in SA&T — and so do the vendors — but change thus far has been more evolutionary than revolutionary. If we want to change the world, the vendors have to innovate.

The confusion between evolution and revolution is mercifully waning. And let me not underestimate the importance of innovation in this market to buyers and to security overall. Ultimately, the way the industry has long addressed SA&T has yielded nothing but frustration for employees, eroding security’s brand and goodwill. You need a different way to manage human risk, not better ways to train people.

So what does this new, and different, world look like? It’s a world where you’ll be able to answer these questions:

  • Am I really getting a return on my SA&T investment?
  • What is the impact of this solution that I’ve bought, beyond how many employees were trained?
  • Are my users’ cybersecurity behaviors actually changing?
  • Is my human risk lower? What is my human risk actually?
  • What is my security culture?
  • Where do I need to focus my training resources?
  • Where do I need to improve my security processes or technologies to create better sentiment about security in the organization?

Thankfully, the disruption that will answer the questions above is here! Both smaller and well-established vendors now offer (or will soon be offering) human risk quantification. They help you calculate risk based on actual user behavior, NOT quiz and simulation scores.

There are also vendors that have specific tools to map and manage security culture, the previously elusive, intangible measure. Suddenly, the focus moves from training for the sake of training to the ABCs: awareness, behavior, and culture.

Those vendors that are disrupting the market are moving away from program metrics such as training completion rates, quiz performance, and engagement metrics, because those metrics are fundamentally flawed: they say nothing about how you can improve behavior (or even which behaviors you need to improve), instill culture, or bolster your cybersecurity posture. Instead, these vendors can help you measure your employees’ human risk, which in turn informs your training and yields valuable insights about where to improve your security program.

I would like to acknowledge all participating vendors included in this research. Participating is no small endeavor, and we greatly appreciate all the time and effort you invested. I also appreciate the respectful and collaborative way in which we continue to work together through these evaluations and some of our disagreements on where the market is heading.

I am now in my fourth year of doing this, and I’m always amazed at the relationships I’ve built, even though I am, at times, sharing difficult messages with the participating vendors.