Let’s face it: we’re only human.
We make mistakes, we break the rules, we fall for scams.
To address these risks created by people and their actions, security teams have for a long time used a silver bullet: security awareness and training. Large enough organizations would appoint someone to be their Security Awareness Manager, and this person would be requested to create and deliver mandatory training and communication material. There was little concern for the outcomes of such training, outside of compliance with various regulations and standards.
That’s precisely what was expected from me about 8 years ago when I worked as a security consultant for several global manufacturing companies. And that’s what I’ve tried to change relentlessly ever since.
Growing security awareness professionals into human risk managers
In the past few years, many security awareness managers have done a tremendous job going beyond security awareness and training. Collectively, a lot of progress has been made: in my experience, just 5 or 6 years ago, most people thought security was a boring or scary topic that did not concern them.
Today, a huge majority of people understand the importance of cybersecurity, and a significant part believe that this topic is everyone’s responsibility.
This is in part due to work from security professionals, who’ve made the topic more approachable and engaging, and in part due to how disruptive we’ve all seen cyber-attacks can be in an ultra-connected world. But with 80% of breaches still involving the human element, there is much left to do.
To address this, analysts like Forrester and Gartner, along with cybersecurity training organizations like SANS, and vendors like Hoxhunt have recently bet that the future will be all about Human Risk Management.
Security Awareness leaders should therefore become Human Risk Managers or Heads of Human Risk.
But is this change justified, or simply a marketing gimmick? To answer this question, we must understand what is meant by Human Risk Management.
What is Human Risk Management?
According to Forrester (February 2024), Human Risk Management solutions manage and reduce cybersecurity risks posed by and to humans, through:
- Detecting and measuring human security behaviors and quantifying the human risk
- Initiating policy and training interventions based on the human risk
- Educating and enabling the workforce to protect themselves and their organization against cyber attacks
- Building a positive security culture
[.c-quote-box][.c-quote-wrapper][.c-quote-icon][.c-quote-icon][.c-quote-right-col][.c-quote-text-wrapper][.c-quote-text]Satisfying requirements for security awareness training is a secondary use case for human risk management solutions while the focus stays on changing behaviors and promoting security culture.[.c-quote-text][.c-quote-text-wrapper][.c-quote-name-wrapper][.c-quote-name]Jinan Budge, VP, Principal Analyst, Forrester[.c-quote-name][.c-quote-name-wrapper][.c-quote-right-col][.c-quote-wrapper][.c-quote-box]
While this is an accurate description of the focus of new solutions provided by vendors, I would shift the focus away from solutions and describe Human Risk Management as a process instead.
More specifically, the process of identifying, evaluating, and addressing the cybersecurity risks associated with people:
- Human Risk Management starts by identifying, evaluating, and prioritizing risks that are associated with human factors. What are the most important human risks in your environment, and can you measure them? What is the level of knowledge, skills, attitudes, and behaviors of employees? Why do they act the way they do? And how do these factors affect the security of the organization?
- The second step is to design and deliver interventions aiming at improving human risk factors (such as attitudes and behaviors). These interventions include security awareness and training, but they must be much more. Of importance, they should look not only at creating skills or motivating people but also at reducing the frictions that hinder the adoption of secure habits.
- Finally, the impact of these interventions needs to be measured and reported. That way impact can be proven, risks re-prioritized, and interventions automated, improved, or canceled based on the results.
Why is the distinction between security awareness and human risk important?
Security awareness programs have traditionally been compliance-driven or activity-driven. They deploy training, communication campaigns, or security champions communities. They tend to focus on engagement or entertainment, and on measuring what they did (“4 simulations sent this year”) or how many people participated (“130 people joined our event”), rather than risk reduction results.
As such, a lot of security professionals and leaders might perceive Security Awareness Managers as in charge of just the annual, mandatory, computer-based training. In addition, there is sometimes a lack of measurable results, as we see with the latest breach statistics. Because of this, the problem with titles like Security Awareness Managers has become mostly a problem of perception. Security Awareness programs have then often been categorized as of lesser importance than other security initiatives, and had to make do with a tiny portion of the overall security budget.
On the other hand, Human Risk Management programs focus on risks and results, topics understood by the entire security team. They implement science-led and data-driven behavior and culture change interventions with experts, and measure their outcomes. They show empathy and make everyone’s jobs easier. And they are part of the overall security team strategy.
[.c-quote-box][.c-quote-wrapper][.c-quote-icon][.c-quote-icon][.c-quote-right-col][.c-quote-text-wrapper][.c-quote-text]If your goal is to go beyond awareness and training, a change of title signifies a change of focus. It is a clear message that you are working not merely to entertain but to reduce risk.[.c-quote-text][.c-quote-text-wrapper][.c-quote-name-wrapper][.c-quote-name]Maxime Cartier, Head of Human Risk[.c-quote-name][.c-quote-name-wrapper][.c-quote-right-col][.c-quote-wrapper][.c-quote-box]
While not a silver bullet, it can make your job easier. In addition, if your role is to manage 80% of the risk (since 80% of breaches involve the human element), and you work hard to report on the impact of your interventions in terms of actual behavior change and risk reduction, it will be much easier for you to obtain more resources and budget.
The exact title does not matter much. "Security Behavior and Culture," for example, (which Gartner reports as a key area of focus for CISOs in 2024) might better fit your organization, and that’s fine.
What does a Head of Human Risk do?
Once you’ve changed the packaging (the title), or ideally even before, you must change what’s inside. So is a Head of Human Risk responsible for?
As we said before, the Head of Human Risk is a more strategic role that goes beyond security awareness and training:
- He/she is responsible for developing and executing a human risk strategy that aligns with the organization's objectives, risk appetite, and security policies
- He/she takes a comprehensive and proactive approach to managing the human factor in cybersecurity, by considering the psychological, behavioral, and organizational aspects of human risk
- He/she uses data and analytics to identify the root causes and drivers of human risk, and to design and deliver human risk interventions that are customized, relevant, and engaging for different audiences and contexts
- He/she measures and reports on the impact and outcomes of their initiatives and programs, and how they contribute to the organization's security goals and culture
- He/she often leads a diverse team of experts, for example including a cyber-psychology practitioner, a learning instructor, a data analyst and a project manager
- He/she should ideally report to the CISO
I strongly believe that the Head of Human Risk is a key role in any organization that wants to improve its cybersecurity and reduce its human risk exposure.
If you agree and are thinking of changing your role to Head of Human Risk, or creating this position in your team (please do!), I’ve prepared a job description example that you can download below. You can easily use this template and adapt it to your organization!
The final word: is Human Risk Manager all marketing hype?
The skepticism around new roles and vocabulary in cybersecurity is understandable. The industry has seen its fair share of rebranding pushed by vendors for marketing purposes and without substantive change. However, I believe the Human Risk Manager role represents a significant evolution of security awareness responsibilities.
It's not just a title change; it's a change in how we choose to address risks caused by and to people. This role embodies a deeper, more strategic approach.
It goes beyond awareness to continuously assess, measure, and integrate behavior change and cultural transformation. It goes beyond the scope of a single team with limited responsibility to join the core of an organization’s cybersecurity strategy, as the answer to human risk is not always “more training!” and therefore cannot be mitigated without working with the rest of the security team and of the organization at large.
So, to answer the question: Yes, the Human Risk Manager role is meaningful and necessary for cybersecurity. And while not all organizations might not yet be ready for it, I’d recommend everyone prepare for it and integrate it into their cybersecurity strategy.