Analysis: Forrester’s Human Risk Management Solutions Landscape, Q1 2024

You have probably noticed that, while Security Awareness training and phishing simulations covered a lot of bases to address employee risk over the years and filled an important gap between purely technology-based solutions and behavior-based risks, they were starting to fall short.

That turned Security Awareness Training into a check-the-box exercise, a compliance task that became less and less effective. So it is no surprise that Forrester’s Human Risk Management Solutions Landscape makes it official: Human Risk Management is the new (and only) way to approach human risk.

It makes sense from an employee standpoint and from the security team’s standpoint. It also makes sense from the perspective of stakeholders ignored by traditional security awareness, such as SOC teams.

But what is the report and what can we learn from it to move traditional programs into more effective ones?

First and Foremost - Human-Centric Security

In our experience we’ve always believed – and seen – a direct correlation between changing behaviors, reducing human risk, and improving overall cybersecurity. 

That correlation is obvious when you consider that the vast majority of data breaches start with human behavior. Yet traditional security awareness mostly treats human risk as a compliance issue, measured by engagement and attendance, and disconnected from the real issues that increase employee risk.

So, the most important conclusion of Forrester’s Human Risk Management Landscape report is this: the future of cybersecurity is human. Not just human, but adaptive, tailored to real-life risk assessment and behaviors, and not to old one-size-fits-all notions of awareness learning.

The Changes Brought by HRM

Now that we’ve made it clear that HRM is first and foremost human-centric security, let’s keep it holistic. HRM is a way of doing things, not another tool in your tech stack. That’s why Forrester puts “people” and “processes” on the same shelf as “technologies.” 

At Right-Hand, we’ve always thought of processes as much as we’ve thought of solutions. SOC teams of all industries and sizes deal with an unmanageable amount of user-based alerts, and yet Security Awareness training was always disconnected from these events.

Our vision of Human Risk Management brings these events to the center of behavior change and risk prediction and prevention. It’s perhaps the most critical and inclusive shift brought by HRM and one step closer to full adaptive human protection.

Is Security Awareness Training Done?

Let’s say it is becoming part of a bigger methodology (HRM). “Security Awareness” is still a solid term to describe the output of a solid, well-rounded HRM program, which is users conscious of their role in security culture and an overall improved security posture by the organization. 

What is definitely done is traditional security awareness training and phishing simulations as they were: biased towards mass delivery, and relying on engagement-based metrics that never integrate human risk with overall cyber risk assessment.

Is the Market Ready for Human Risk Management?

CISOs and other security leaders are ready and eager for that. They have been for a while.

Forrester’s evaluation matches what we’ve seen in our customers, prospects, and conversations with key players, including other notable vendors featured in the report alongside us: CISOs are aware that they must move on from traditional Security Awareness into HRM. They do not see the value in mere compliance box-checking and addressing outdated policies. 

CISOs also need a methodology that addresses a dynamic landscape, and risky behaviors as they happen and evolve and that helps build policies, instead of playing catch-up.

What is the Main Challenge Now, Then?

As vendors move from traditional security awareness into HRM, CISOs are learning – or need to learn – how to clearly define what the methodology demands and what outcomes are necessary to achieve their employee risk objectives.

As with any transition in methodology, vendors are offering partial solutions, or adapting existing solutions to fit new definitions. Unless CISOs and other security leaders have a clear vision of what they want in the face of the new landscape, the resulting confusion may create new problems instead of remediating old ones.

The Business Value Presented in Forrester's Human Risk Management Landscape

As Forrester states in the Landscape report, “The era of training people to tick boxes of outmoded and confusing compliance requirements is drawing to a close.” Now, Human Risk Management is measured by the value it returns on training: true behavior change (measured by a reduction in SOC alerts, for example), an improved security posture across the organization, and extended intelligence that flows from human risk into the broader cybersecurity infrastructure and strategy.

What are Security Leaders looking for in HRM?

Benefit: Gain a deeper understanding of human risk
How: By integrating HRM solutions with their security tech stack, security leaders are able to identify and measure a much broader set of risky behaviors as they happen, instead of only those surfaced by simulations, reported security incidents or training outcomes.

Benefit: Actionable and deeper insights on risk profiles, from individuals to the organization
How: How does human risk affect risk profiles for cyber insurance premiums? Or for technology decisions? Or in SOC alert management? HRM provides measurable and quantifiable human behavior data that can be distilled into deep-dive information.

Benefit: Optimized policy application and review
How: With real-time policy interventions and learning nudges, CISOs have the opportunity to leverage HRM as a tool for adaptive security policies that improve over time as threats, culture and other factors change.

4 Takeaways from Forrester’s Human Risk Management Report to Keep in Mind

The complete report gives a full idea of where we are going with HRM. Here’s our take on what’s important based on our experience, but we strongly recommend you read the full report (link at the end of this article).

Human-Centric Cybersecurity as a Vision

Forrester paints a not-so-distant future of adaptive human protection, where GenAI will adapt training, processes, and security policies to protect humans without disrupting productivity. That is only possible if employee risk is integrated with cyber risk today. It happens through the integrations that HRM makes possible now, and through the risk profiles and quantification created from them, which are the basis of proactive incident prevention.

Right-Hand’s Human Risk Management platform integrates with an organization’s SIEM, EDR, Email Security, DLP, and other security solutions they already rely upon daily, to give visibility into which employees are most breach-prone based on the alerts they generate, trends, and risk appetite, at the individual, department and user group level. 

The more data we ingest and the more trends we can observe, the sooner we will be able to predict and prevent employee-caused security incidents before they even occur.

Change How to Measure Success

The report points out how the old ways of measuring success in traditional Security Awareness Training aren’t enough to touch the hearts and minds of C-level execs anymore, which in turn makes it harder to articulate the case for HRM to an audience weary of clicks in simulations and training completion.

While these metrics still have a place, risk-based metrics, extracted from real-life situations captured by security solutions, play a pivotal role in measuring success (or challenges) in HRM. In our experience, the power of all this data, and how our clients can use it to their advantage, is the true measure of success.

By understanding the full scope of all user-generated security alerts and which behaviors are more easily, or less easily influenced by training, security teams know where to invest in their security program, which controls and configurations need to be tightened, and where their remaining security gaps are.

Training to Change Behavior, not to Check the Box

Even before Human Risk Management had this market-changing validation by Forrester, we were talking about how compliance-based training was not enough to foster real behavior change. 

The results offered by simulations and hypothetical scenarios are limited when compared to real-time interventions and nudges, made possible by something that only HRM can deliver: integrations. 

Our HRM platform, once integrated with your security solutions, sends users real-time training nudges via Slack, MS Teams, or email the moment they exhibit a risky behavior (such as violating a DLP policy or visiting a malicious web page). User training therefore becomes relevant, is delivered in real time, and changes behavior more effectively, instead of only checking compliance boxes.
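The pipeline described above and in the earlier integration paragraph (alerts from SIEM, EDR, DLP and similar tools feed a per-user and per-department risk picture, and a risky behavior triggers an immediate nudge) can be sketched in a few dozen lines. The example below is added for illustration; it is not Right-Hand's code or schema. The alert records, field names, behavior weights, half-life, cooldown and nudge texts are all constructed assumptions. It goes slightly beyond the text in two ways a practitioner would want: a positive behavior (reporting a phish) lowers a user's score, and repeat nudges for the same behavior are rate-limited so the platform does not become another source of alert fatigue.

```python
"""Constructed example: security-tool alerts -> user/department risk scores -> rate-limited nudges.
All field names, weights, sample alerts and messages are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts in a SIEM-normalized shape (hypothetical fields).
SAMPLE_ALERTS = [
    {"ts": "2024-03-01T09:12:00", "user": "alice", "dept": "finance", "source": "dlp", "type": "dlp_policy_violation"},
    {"ts": "2024-03-01T10:40:00", "user": "alice", "dept": "finance", "source": "web_proxy", "type": "malicious_url_visit"},
    {"ts": "2024-02-10T08:00:00", "user": "bob", "dept": "engineering", "source": "edr", "type": "blocked_malware"},
    {"ts": "2024-03-01T11:00:00", "user": "carol", "dept": "finance", "source": "email", "type": "phish_reported"},
    {"ts": "2024-03-01T11:30:00", "user": "alice", "dept": "finance", "source": "dlp", "type": "dlp_policy_violation"},
]

# Hypothetical weight per behavior type. A positive behavior (reporting a phish)
# carries a negative weight so it lowers the user's score.
BEHAVIOR_WEIGHTS = {
    "dlp_policy_violation": 3.0,
    "malicious_url_visit": 4.0,
    "blocked_malware": 5.0,
    "phish_reported": -2.0,
}

# Hypothetical nudge text per risky behavior type (what the Slack/Teams/email message would say).
NUDGE_TEXT = {
    "dlp_policy_violation": "That file matched a data-handling policy. Please review the approved sharing options.",
    "malicious_url_visit": "That site was blocked as malicious. Here is a 2-minute guide to checking a link before clicking.",
    "blocked_malware": "Endpoint protection stopped a file on your device. Please complete the short refresher.",
}

HALF_LIFE_DAYS = 14.0                 # recency decay: an alert loses half its weight every 14 days
NUDGE_COOLDOWN = timedelta(hours=24)  # at most one nudge per user per behavior type per day


def _parse(ts):
    return ts if isinstance(ts, datetime) else datetime.fromisoformat(ts)


def score_users(alerts, now):
    """Recency-weighted risk score per user (ISO timestamp or datetime for `now`); never below zero."""
    now = _parse(now)
    scores = defaultdict(float)
    for a in alerts:
        age_days = (now - _parse(a["ts"])).total_seconds() / 86400.0
        if age_days < 0:
            continue  # ignore alerts from the future (clock skew / bad data)
        decay = 0.5 ** (age_days / HALF_LIFE_DAYS)
        scores[a["user"]] += BEHAVIOR_WEIGHTS.get(a["type"], 1.0) * decay
    return {user: max(score, 0.0) for user, score in scores.items()}


def rank_users(alerts, now):
    """Users ordered from most to least breach-prone, as (user, score) pairs."""
    return sorted(score_users(alerts, now).items(), key=lambda kv: kv[1], reverse=True)


def score_departments(alerts, now):
    """Average user score per department, so leaders can compare groups, not just individuals."""
    user_scores = score_users(alerts, now)
    members = defaultdict(set)
    for a in alerts:
        members[a["dept"]].add(a["user"])
    return {dept: sum(user_scores[u] for u in users) / len(users) for dept, users in members.items()}


def plan_nudges(alerts):
    """Decide which alerts trigger an in-the-flow-of-work nudge.

    Only risky behaviors are nudged, and repeats of the same behavior by the same
    user inside the cooldown window are suppressed so people are not spammed."""
    last_sent = {}
    nudges = []
    for a in sorted(alerts, key=lambda x: _parse(x["ts"])):
        if BEHAVIOR_WEIGHTS.get(a["type"], 0.0) <= 0:
            continue  # positive or unknown behavior: nothing to correct
        ts = _parse(a["ts"])
        key = (a["user"], a["type"])
        if key in last_sent and ts - last_sent[key] < NUDGE_COOLDOWN:
            continue  # already nudged for this behavior recently
        last_sent[key] = ts
        nudges.append({"user": a["user"], "type": a["type"], "source": a["source"],
                       "message": NUDGE_TEXT[a["type"]]})
    return nudges


if __name__ == "__main__":
    now = "2024-03-01T12:00:00"  # constructed evaluation time
    for user, score in rank_users(SAMPLE_ALERTS, now):
        print(f"{user:8s} risk={score:.2f}")
    for dept, score in score_departments(SAMPLE_ALERTS, now).items():
        print(f"dept {dept:12s} avg risk={score:.2f}")
    for n in plan_nudges(SAMPLE_ALERTS):
        print(f"nudge -> {n['user']} ({n['source']}/{n['type']}): {n['message']}")
```

With the constructed data, alice's three recent alerts put her well ahead of bob, whose older EDR hit has decayed, and carol's phish report leaves her at zero. Only three nudges go out: alice's second DLP violation within the same day is suppressed by the cooldown, and carol's positive behavior is never nudged. In a real deployment the weights, half-life and cooldown would be tuned from the organization's own alert volumes.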

People, Processes and Technology: Accept no Less

Forrester points out something that happens whenever there is an industry shift such as this one: vendors promising to be “the real thing” while offering partial or retrofitted solutions. That is a challenge CISOs have to address, as they need to articulate their goals and their understanding of HRM clearly, especially when it comes to the technology part.

Here, two main questions need to be part of any security leader’s vendor interview:

Question: “How many risky behaviors can you capture with your platform?”
Reason: This question measures the number of possible integrations, but also how many different risky actions can receive an intervention. The more the better. For reference, Forrester points out more than 70 types.

Question: “What is your process of training and policy intervention upon a risky behavior?”
Reason: Real-time interventions, from policy application and adjustments to training nudges, are the cornerstone of an HRM program.

How can Right-Hand Help You?

Our Human Risk Management platform helps organizations transition from traditional security awareness to proactive employee risk mitigation. The platform integrates with your security systems, delivers targeted training interventions, and provides centralized risk profiles and analytics.

How does our HRM platform support your organization?

  • Security system integrations to ingest alerts
  • Adaptive training interventions delivered in the flow of work
  • Centralized risk profiles for individual employees and the organization
  • Detailed reporting and analytics to support risk-based decisions
This comprehensive approach enables meaningful behavior change across your organization. By ingesting security alerts and providing real-time training, the platform reduces the burden on your security operations center.

The detailed risk profiles and reporting also build a deeper understanding of cyber risks, empowering more informed decision-making. Ultimately, the platform fosters a stronger security culture that better protects your organization.

Conclusion

Forrester’s Human Risk Management Solutions Landscape, Q1 2024 is the conclusion of a process our industry has been going through for the better part of the last couple of years. 

CISOs felt that traditional Security Awareness Training was no longer solving their fundamental challenges, and vendors like us at Right-Hand were working on solutions to address unique risk profiles, organizational needs, security policies, and other specific case-driven solutions and customizations.

With Human Risk Management, the industry now has a north star to move towards. CISOs can articulate their business case with more purpose; vendors know what they need to deliver (and CISOs know which vendors are underselling); SOC teams can expect employee risk to finally be addressed in a way that impacts the broader cyber risk and reduces burdensome alerts; and employees will feel empowered and part of a strong security culture, one that addresses their security needs without disrupting their productivity.

Forrester’s report shows the way for all these audiences, so we strongly recommend reading it at this link.

Rodrigo Leme

Marketing Director for Right-Hand Cybersecurity, Rodrigo has over 20 years worth of experience in Technology companies in Brazil, US, Canada and other countries. He is based in Sao Paulo, Brazil, and loves everything tech, music, marketing, writing, and hockey (go Canucks!).
