I am thrilled to announce Forrester’s Human Risk Management (HRM) Solutions Wave™ which evaluates the nine most significant vendors in the HRM space. Forrester clients can view here. This Wave looks nothing like its predecessor, The Forrester Wave™: Security Awareness And Training Solutions, Q1 2022, reflecting the fact that today’s HRM solutions look nothing like the Security Awareness and Training (SA&T) solutions of the past.
What Are The Kleshas And Why Am I Writing About Them?
Patañjali’s Yoga Sūtras identifies poisons, or afflictions, which are said to be the causes of suffering – the five Kleshas. These are ignorance, ego, attachment, avoidance, and fear of death. While they’re natural human conditions, they can hold us back. In yoga, understanding the Kleshas means identifying the mental patterns that hold us back, as the first step in overcoming them.
We started the evaluation knowing that vendors and customers were at different stages of HRM adoption. What I didn’t realize then was how much resistance we would face, depending on where vendors were in achieving their own vision of HRM. As a leader, you need to understand the source of these five Kleshas to move towards a future that frees employees from security friction, influences security behavior, and instills a culture driven by data and evidence. The five Kleshas of HRM are:
1. Avidya / ignorance – “human risk management is just rebranded SA&T”. Far from the negative connotation, “ignorance” can simply mean to not know. I spent some time in this Klesha until I learned, and was able to articulate, the significant strategy, process, and technology shift of this new market. Many of my clients are in this Klesha, especially in parts of the world that lack more progressive HRM vendors and solutions. I proudly spend many of my hours helping them understand the new market.
But not all vendors (or “influencers”) got the memo that HRM is now a distinct, well-defined, and expanding market. Be wary of vendors that suggest HRM is simply a rename of an old market (SA&T). Look for those that had the vision two years ago to anticipate and evangelize a better approach and future. Some vendors have made significant community contributions to advance the strategic direction of HRM, and have built differentiated, free-to-use tools, models, and databases that demonstrate what the future looks like in practice.
2. Asmita / ego – “we know what people need, and we have been very good at it – more training!” An ego is a person or entity’s sense of self-importance. Instead of focusing on asking questions about the purpose of training, and whether it is truly succeeding at changing behavior and instilling a culture, some vendors use their size or prior success as proof that the market can continue to focus on training.
Differentiate size from actual capability. Look for vendors that assume advanced HRM capabilities are suitable for every customer, have a healthy pipeline in these advanced offerings, and invest in driving adoption. Some vendors plan on offering human risk scores to each customer to show them what’s possible, while others are investing in educating and rewarding front-line staff, such as sales and customer success, who progress customers on an HRM maturity journey.
3. Raga / attachment – “we all know that training people results in better outcomes.” We don’t. As an industry we’ve shown that we are terrible at demonstrating the effectiveness of training. Yet we attach ourselves to statements that make us feel good, because they are easy, well-ingrained, or required by outdated regulations.
Rather than focusing on all the reasons you should continue with your SA&T, look for vendors that can show you HRM metrics which demonstrate behavioral change, risk reduction, or an improvement in overall security posture. Look for how security behaviors across the spectrum of security categories (email, social engineering, endpoint, etc.) have changed as a result of your interventions. Ask to see how behavior change reduces the likelihood of cyber risks occurring, how you can measure the impact of those risks, and how it changes the overall security posture.
4. Dvesha / avoidance – “customers aren’t asking us about HRM.” This affliction involves avoiding situations which require extra resources, hard work, or moving towards a new future. It is normal human behavior, as it can protect us from overcommitting and overinvesting – not everyone can afford to be an early adopter. Be aware, however, that inaction has consequences.
Look for vendors that built their HRM capabilities long before you asked about them, because they knew it was the right thing to do. They now use a comprehensive and accurate methodology to quantify human risk, which considers four key points – individuals’ actual behaviors, identity, personal attack exposure, and security knowledge and sentiment. These vendors invested in integrations to obtain data and drive interventions.
5. Abhinivesha / fear of death – “Hold on to well-established slogans (human firewall / weakest link / etc.) – they have served us well.” We can both reduce our reliance on people to protect themselves and our organizations and reduce the friction we are imposing on them at the same time. For most of us, the thought of dying, or of killing something we’ve said for years or decades, is scary, and manifests as an instinctual survival drive. This means clinging to what’s familiar, even when it no longer serves our growth.
Look for vendors that have demonstrated a track record and investment strategy for innovation in the more strategic elements of HRM. For example, all vendors will be investing their GenAI budgets in more and better content, but fewer are investing them in behavioral prediction, which is where we need to invest to move to HRM.
Let’s Connect
Forrester clients who have questions about this significant change or how to select human risk management vendors can reach out to me via inquiry or guidance session.
A Small Note Of Thanks
As with every Wave™ announcement I’ve made, I want to reiterate my thanks to the vendor community for the effort they invest in this process. Thank you for your patience as we all navigate and co-create a better future for our industry together.
Reminder About Definitions
As a reminder, Forrester’s latest definition of HRM can be found in this blog. When I refer to more advanced HRM capabilities, I am specifically referring to capabilities such as human risk quantification, integrations, security behavior and event detection, external integrations to respond to risky events, and adaptive interventions.