In September 2022, Forrester’s guide to global SA&T regulations and standards revealed an impetus for a better future, and I shared with you all a sneak peek into the future of security awareness and training (SA&T).

And today, I am THRILLED to finally announce to you The Future Of Security Awareness And Training report (client access only). The research examines the major expected changes in security awareness and training in the short, medium, and long term. Without further ado, here’s the situation:

  • In the long term, adaptive human protection will create freedom for employees. A widely accepted cybersecurity mantra is that “Security is everyone’s responsibility” — but the goal of adaptive human protection is to move past that. This starts by instilling a security culture, eliminating needless compliance activity, and adding capabilities so that humans will be hard-pressed to make wrong decisions. This allows you to imagine a future where you can safely jettison practices that were once required but are now superfluous. Once cybersecurity is no longer everyone’s responsibility, employees can get on with their daily activities and meet their digital aspirations while remaining protected from cyberthreats — even if they make a mistake.

The thing is, this future is realistically years in the future for most, so in the meanwhile, cue human risk management …

  • The medium-term focus on human risk management will overcome SA&T’s shortcomings. Make it the goal of the SA&T program to positively influence employee security behavior, instill a security culture, and manage human risk by taking six crucial steps: 1) Expand your behavioral baseline beyond phishing and incidents; 2) measure effectiveness, not completion; 3) quantify the human risk based on behavior (not scores!); 4) initiate real-time risk-based interventions; 5) if you must use content, be intentional and transformative; and 6) codify security culture.

In the meanwhile, though …

  • The immediate term has us focusing on the methods by which we train people, rather than the outcomes. The regulations and standards that have to date driven SA&T programs are often outdated, confusing, and indeed compel companies toward compliance as a strategy. Today, most organizations measure their success in SA&T by measuring completion or phishing click rates, instead of actual behavior or culture change, while providing perfunctory content-driven awareness programs. This leads to a learn-and-dump approach to security, does not address underlying security process and technology issues, wastes everyone’s resources (including and especially your employees), and perversely increases risk (due to being so hated by everyone).

Two decades of well-intentioned focus on the human side of security has inadvertently created a status quo that’s difficult to break. While well meaning and at times sorely needed, the many people, companies, and vendors that benefit make the status quo difficult if not impossible to disrupt. But disrupt it we must. We don’t have the luxury to ignore the human element in security — every security control has a human element. And we certainly can’t continue to address it in the way we have been, by training all the people on all the things all of the time. We all have limited resources in this life, at work and beyond, and we need to be smart, creative, and adaptive about it.

I welcome any inquiries or guidance sessions on this topic. I will be doing a big reveal of both the medium- and long-term future at both our flagship Technology & Innovation APAC and Security & Risk Forums in Sydney and Washington, D.C., respectively!