Editor’s note: The following is a guest article from Jinan Budge, VP, Principal Analyst at Forrester.
For decades, firms have relied on security awareness and training to address the human side of security. Recommendations for dealing with human-related attacks were limited to this one silver bullet.
Despite 97% of organizations reporting that they undertake SA&T, human-related attacks, such as business email compromise, have quadrupled.
CISOs haven’t instilled security cultures in their organizations and training continues to cause friction for learners. No one knows what behaviors change because of this training.
In 2024, the idea of human risk management shifted from concept to reality, with frustrated CISOs and their teams looking for solutions that take away the reliance on humans to keep up with security and for alternatives to SA&T to make real change.
SA&T vendors now use HRM in their branding and major SA&T events have been renamed to incorporate HRM. Human risk management maturity models have emerged and job descriptions have evolved to focus on security behavior change, culture and managing human…
