I am thrilled to announce Forrester’s Human Risk Management (HRM) Solutions Wave which evaluates the nine most significant vendors in the HRM space. This Wave looks nothing like its predecessor, The Forrester Wave: Security Awareness And Training Solutions, Q1 2022, reflecting the fact that today’s HRM solutions look nothing like the Security Awareness and Training (SA&T) solutions of the past.
The Kleshas
Patañjali‘s Yoga Sūtras identifies poisons, or afflictions, which are said to be the causes of suffering – the five Kleshas. These are ignorance, ego, attachment, avoidance, and fear of death. While they’re natural human conditions, they can hold us back. In yoga, understanding the Kleshas means identifying the mental patterns that hold us back as the first step in overcoming them.
We started the evaluation in knowing that vendors and customers were at different stages of HRM adoption. What I didn’t realize then was how much resistance we would face, depending on where vendors were in achieving their own vision of HRM. As a leader, you need to understand the source of these five Kleshas to move towards a future that frees employees from security friction, influences security behavior, and instils a culture driven by data and evidence.
As a leader, you need to understand the source of these five Kleshas to move towards a future that frees employees from security friction, influences security behavior, and instils a culture driven by data and evidence.
The five Kleshas of HRM
1. Avidya / ignorance – “human risk management is just rebranded SA&T”. Far from the negative connotation, “ignorance” can simply mean to not know. I spent some time in this Klesha until I learned, and was able to articulate, the significant strategy, process, and technology shift of this new market. Many of my clients are in this Klesha, especially in parts of the world that lack more progressive HRM vendors and solutions. I proudly spend many of my hours helping them understand the new market.
But not all vendors (or “influencers”) got the memo that HRM is now a distinct, well-defined, and expanding market. Be wary of vendors that suggest HRM is simply a rename of an old market (SA&T). Look for those that had the vision 2 years ago to anticipate and evangelize a better approach and future. Some vendors have made significant community contributions to advance the strategic direction of HRM, and built differentiated, free-for-all tools, models, and databases that demonstrate what the future looks like in practice.
2. Asmita / ego – “we know what people need, and we’ve been very good at it – more training!” Ego is a person’s or entity’s sense of self-importance. Instead of focusing on asking questions about the purpose of training, and whether it is truly succeeding at changing behavior and instilling a culture, some vendors use their size or prior success as proof that the market can continue to focus on training.
Differentiate size from actual capability.
Differentiate size from actual capability. Look for vendors that assume that advanced HRM capabilities are suitable for every customer, have a healthy pipeline in these advanced offerings, and invest in driving adoption. Some vendors plan on offering human risk scores to each customer to show them what’s possible, while others are investing in educating and rewarding frontline staff such as sales and customer success who progress customers on a HRM maturity journey.
3. Raga / attachment – “we all know that training people results in better outcomes.” We don’t. As an industry we’ve shown that we’re terrible at demonstrating the effectiveness of training. Yet we attach ourselves to statements that make us feel good because they are easy, well-ingrained, or required by outdated regulations.
Rather than focusing on all the reasons you should continue with your SA&T, look for vendors that can show you HRM metrics which demonstrate behavioral change, risk reduction, or an improvement in overall security posture. Look for how security behaviors across the spectrum of security categories (email, social engineering, endpoint, etc.) have changed as a result of your interventions. Ask to see how behavioral change reduces the likelihood of cyber risks occurring, as well as how you can measure the impact of the risk or change the overall security posture.
4. Dvesha / avoidance – “customers aren’t asking us about HRM.” This affliction involves avoiding situations which require extra resources, hard work, or moving towards a new future. It’s normal human behavior, as it can protect us from over committing and over investing – not everyone can afford to be an early adopter. However, be aware that inaction has consequences.
Look for vendors that built their HRM capabilities long before you asked about them because they knew it was the right thing to do. They now use a comprehensive and accurate methodology to quantify human risk, which considers four key points – individuals’ actual behaviors, identity, personal attack exposure, and security knowledge and sentiment. These vendors invested in integrations to obtain data and drive interventions.
5. Abhinivesha / fear of death – “Hold on to well established slogans – they’ve served us well.” We can both reduce our reliance on people to protect themselves and our organizations and reduce the friction we’re imposing on them at the same time. For most of us, the thought of dying is scary and manifests as an instinctual survival drive. This means clinging to what’s familiar, even when these no longer serve one’s growth.
Look for vendors that have demonstrated a track record and investment strategy for innovation in the more strategic elements of HRM. For example, all vendors will be investing their generative AI budgets to produce more/better content, but fewer are investing in behavioral prediction, which is where we need to invest to move to HRM.
Originally posted on Forrester
