The 11 Providers That Matter Most And How They Stack Up
In our 30-criterion evaluation of security awareness and training (SA&T) solution providers, we identified the 11 most significant ones — Cofense, CybSafe, Elevate Security, Infosec Institute, Kaspersky, KnowBe4, Living Security, Mimecast, Proofpoint, SANS, and Terranova Security — and researched, analyzed, and scored them. This report shows how each provider measures up and helps SA&T professionals select the right one for their needs.
SA&T Solutions Are Evolving To Encompass More Than Training
With the COVID-19 pandemic forcing employees to spend unprecedented hours online, CISOs can no longer continue to burden already anxious and distracted workers with lengthy yet perfunctory training. Budget and board pressure to demonstrate value for money still challenges CISOs, who want to know if they’re getting a return on their SA&T investment and understand the impact of solutions beyond how many employees were trained: Are user behaviors changing? Is our human risk lower? With employees operating remotely or physically, security awareness is now borderless — so it’s paramount to instill a “security everywhere” culture. All of this is causing well-needed disruption in a long-stagnant market. Fortunately, many vendors have risen to the challenge, creating solutions that no longer function solely to train people for the sake of it. In 2022, behavior and culture change are a reality — a far cry from 2020’s market, which was full of legacy vendors that were out of date and out of touch with users.
As a result of these trends, SA&T solution customers should look for providers that:
- Focus on the ABCs: awareness, behavior, and culture. Our Forrester Wave™ briefings were full of vendors paying lip service to awareness, behavior, and culture change. This is pleasing in that it shows that they got the memo. However, many had a limited vision of how to change behavior or instill a culture and quickly reverted to describing their content and quizzes as ways to measure employee engagement and behavior. To achieve all three, make reducing human risk your goal. Look for vendors that offer human risk quantification and calculate risk based on actual user behavior, not quiz and simulation scores. Then use SA&T to shape security culture. To do this, select vendors with unique and scientifically proven culture mapping tools.
- Provide meaningful human risk and security culture metrics. Traditional SA&T program metrics such as training completion rates, quiz performance, and engagement metrics are fundamentally flawed. At best, these input metrics only tell you how to improve training, ignoring how you can improve behavior, instill culture, or bolster your cybersecurity posture. Choose vendors that can help measure your employees’ human risk score. Once you know the risk profile of an individual or department, you can adjust your training and gain valuable insights about where to improve your security program.
- Offer innovative and disruptive solutions aligned with SA&T’s future. The days of vendors bragging about features and extensive (yet dull) content libraries are mercifully waning. Our evaluation found well-needed disruption in the market, where behavior and culture change have moved beyond the performative to fostering real action. However, innovation isn’t consistent across the board; incrementally improving existing products or adding features is evolutionary, not revolutionary. Innovation is important to the buyer because the way the industry has long addressed SA&T has yielded nothing but frustration for employees, eroding security’s brand and goodwill. You need a different way to manage human risk, not better ways to train people. Look for vendors that can show you what is possible, not only what you think you need, or ask for.
The Forrester Wave evaluation highlights Leaders, Strong Performers, Contenders, and Challengers. It’s an assessment of the top vendors in the market and does not represent the entire vendor landscape. You’ll find more information about this market in our Now Tech: Security Awareness And Training, Q4 2021 report.
We intend this evaluation to be a starting point only and encourage clients to view product evaluations and adapt criteria weightings using the Excel-based vendor comparison tool (see Figures 1 and 2). Click the link at the beginning of this report on Forrester.com to download the tool.
Figure 1: Forrester Wave™: Security Awareness And Training Solutions, Q1 2022
Figure 2: Forrester Wave™: Security Awareness And Training Solutions Scorecard, Q1 2022
Forrester included 11 vendors in this assessment: Cofense, CybSafe, Elevate Security, Infosec Institute, Kaspersky, KnowBe4, Living Security, Mimecast, Proofpoint, SANS, and Terranova Security (see Figure 3).
Figure 3: Evaluated Vendors And Product Information
Our analysis uncovered the following strengths and weaknesses of individual vendors.
- KnowBe4 brings size, an established product, and a strong vision. As one of the largest and most established vendors in this space, KnowBe4 has an enviable growth trajectory. Its security awareness training app is in the top five in the Microsoft Azure AD App Gallery. In 2021, the vendor continued investing in a team of strategists and evangelists whose valuable ears to the ground enabled acquisitions such as that of Security Advisor. This acquisition will transform KnowBe4’s offering by completing the trifecta of awareness, behavior, and culture for clients. It also adds what KnowBe4 calls “human detection and response” to its portfolio — a long-held ambition. KnowBe4 targets small and medium-size businesses (SMBs) as well as the enterprise market. It has a strong sales process and go-to-market strategy for client acquisition. KnowBe4 has one of the largest content libraries of firms we evaluated; as customer references confirmed, its learner content is unique, varied, and engaging. KnowBe4 supports 34 languages and invests significant effort in language, cultural localization, and content accessibility. The Security Advisor acquisition will enable clients to recognize unsecure behavior in real time and immediately correct it. KnowBe4 defines what security culture means by conducting research, creating an industrywide culture maturity model, and offering its clients a culture survey. This survey, created by culture specialists using peer review and multiple iterations of testing and analysis, covers seven dimensions of security culture. Prospective customers who are seeking innovation in training, behavior, and culture change but who value the stability of an established vendor should evaluate KnowBe4.
- CybSafe disrupts with a data-driven approach to managing human risk. Having pioneered a new approach to SA&T that uses data and metrics to change behavior and instill a security culture, CybSafe is working toward a future where SA&T measures and manages security behaviors. At the same time, it understands that many firms’ training requirements remain basic and caters to those as well. CybSafe aims to collect more event data from security information and event management systems, endpoints, and productivity suites. While the firm has clients around the world, its go-to-market approach currently targets customers in the UK, relying on organic growth in other geographies. While CybSafe lacks a dedicated R&D team, it builds innovation into its existing teams — evidenced by the fact that it has one of the most innovative products in the market. It’s disrupting the space with innovation in behavior and data science. CybSafe purposely restricts training modules to topics it deems essential for changing behavior. Its unique content is developed by not only former law enforcement cybercrime specialists, copywriters, designers, and security professionals but also behavioral and data scientists. CybSafe collects behavioral event data and analyzes it by comparing it against 70 security behaviors. This approach surfaces important data about learners’ behaviors and how to change them. CybSafe has a scientifically evaluated security culture survey and data analysis tool that maps eight dimensions of culture. Transformational CISOs looking for an entirely new way to solve the human risk problem should investigate CybSafe.
- Living Security builds on its content roots to tackle human risk management. Living Security began in 2017 as a content- and experience-driven vendor with the goal of making security awareness more engaging. Its content vision has always been differentiated; customer references note the vendor’s innovation, ability to think outside the box, and view of the market’s possibilities. In 2021, it shifted its focus to human risk quantification services using its new Unify platform and plans to move toward measuring and tracking large numbers of behaviors and articulating their risk. Living Security has had strong revenue and team growth in the past 12 months and focuses on a strong, diverse, and inclusive team culture as a cornerstone of its growth. This busy small company has attracted multiple rounds of venture capital and has an R&D budget of more than 100% of revenue. Currently, Living Security has a limited number of partners and relies primarily on direct sales. Living Security offers excellent content and training experiences; its highly diverse content library includes video content and assessments, computer-based training, interactive puzzles, simulations, marketing material, and gamified learning such as virtual escape rooms. In 2021, the vendor partnered with 10 enterprise customers to build Unify, a data-driven approach to measuring security behavior and creating targeted, individualized training. At this stage, Unify’s human risk scoring is still largely based on learner performance. To measure security culture, Living Security enables clients to assess culture, conduct surveys, and evaluate the perceived risk of cyberthreats. Security leaders who want to work outside of the box and are willing to cocreate solutions should consider Living Security.
- Proofpoint’s SA&T power is best realized when integrated with its other offerings. Despite its recent acquisition by a private equity firm, Proofpoint renewed its focus on its SA&T offering; it has a new leadership team and the general manager for the SA&T product sits on the board, raising the product’s profile. Proofpoint has clarified its vision: It wants to create adaptive risk reduction for the enterprise, with threat-driven training, focusing on the most prevalent threats, attacked and privileged people, and targeted training. The vendor’s execution roadmap is more evolutionary than revolutionary, containing items such as increased content, a CISO dashboard, new reports, and further language support. Reflecting its integration with the broader Threat Protection Platform, Proofpoint’s market approach focuses on upselling and cross-selling SA&T to existing email security customers and attaching awareness to new customers. Proofpoint’s extensive training library covers a broad range of security topics and is available in a range of engaging formats. It offers global translations in 41 languages, is globally inclusive across language and culture, and is reviewed for compliance with accessibility guidelines. What really differentiates its offering is the concept of Very Attacked People. The integration with Proofpoint’s email security and threat intelligence offerings allows customers to enroll these targeted people in tailored education based on the threat targeting them. However, it falls short of achieving targeted training when customers do not have the full Proofpoint suite — a point reinforced by reference customers. Proofpoint has come a long way in repositioning its SA&T product to be human-centric and instill a security culture. Customers who are interested in a more threat-based approach to training should evaluate Proofpoint.
- Elevate departs from ancient employee training rhetoric but is still maturing. Consistently pushing the envelope of why the SA&T market actually exists, Elevate Security eschews the term “training” and focuses on behavior and culture. It was one of the first vendors to introduce concepts like behavioral science, social proof, and nudging to influence behavioral change. Its vision has evolved to focus on obtaining data and quantifying human risk with insights that firms have never had before. Elevate is one of the few vendors to recognize that understanding and solving the problem of quantifying and managing human risk requires engineering, operations, and the entire security team. Its roadmap focuses on building out its human risk quantification platform, expanding integrations to obtain data, and investing deeply in data analytics. Elevate does not provide traditional training content. Rather, employees receive Pulse, a personalized monthly scorecard informing them of their risk score and what they need to improve. The scorecards are available in a limited set of languages; scores are based on a wide range of observable behaviors such as password manager adoption. To obtain data, Elevate integrates with hundreds of enterprise and security solutions, such as endpoint detection and response and data loss prevention. It also identifies the specific risks posed by individuals, like the risk of ransomware attributed to a particular person. The solution automates mitigation and targets responses like notifying employees and managers, creating tickets to monitor access, or changing individual policies in security technologies. Security leaders with mature security programs who want to automate their response to human risk should explore Elevate.
- SANS’ vision, foundation, and reputation promise to go beyond training. SANS is a recognized brand and a mission-driven organization with a vision, roadmap, and team reflecting its mission to contribute to the security industry. Customer references recognize SANS’ brand and mission-driven aspirations and engage the vendor for precisely those reasons. SANS has made significant contributions to the SA&T market; it has the largest user community seen in this evaluation, the industry’s most prominent security awareness maturity model, and a decade’s worth of annually published research into the human factor. That community and research guide SANS’ vision. The vendor has added a security culture course and is expanding its offering to include better secure coding training. These are both sound and important concepts, albeit hardly revolutionary. As a global organization, SANS has a diverse go-to-market approach, with dedicated SA&T sales teams on multiple continents. SANS has made notable investments in learner content; it covers a broad range of security topics, content types, and languages. Content quality is good but not differentiated; customer references indicated that they would like more creativity. While SANS has the right idea when it comes to measuring security behavior, its behavioral risk assessments are questionnaires that only relate to data risk analysis. SANS is seeking future differentiation in an integration roadmap that incorporates human risk data into security platforms. It also has a packaged security culture assessment; while this is standard, what impressed customer references are the actionable steps to manage and instill a security culture. Security leaders who want to work with a stable, reputable, mission-driven vendor should evaluate SANS.
- Infosec provides a comprehensive, customer-focused solution for today’s market. Long-established Infosec Institute bases its vision on three pillars — learner engagement, human risk measurement, and exceptional customer experience — that are all fundamental to present and future market needs. This vision is standard, rather than leading, compared with others in this evaluation. With Infosec investing a mere 8% to 10% of its budget in R&D, the innovation it produces, such as Choose Your Own Adventure Security Awareness Games, may be better characterized as creativity. Employee strategy and technology alliances are at the heart of Infosec’s execution roadmap. Infosec has a simple, two-tier subscription model, provides a freemium solution, and offers free student licenses to educational institutions. Infosec IQ’s library has thousands of resources; every module maps to NIST guidelines. Infosec has delivered on its promise of gamification: The award-winning Choose Your Own Adventure Games complement a set of creative, engaging, and inclusive content, including animation; customer references were delighted with the quality and variety of this content. Infosec IQ determines behavioral risk based on engagement, phishing simulations, and assessments. The vendor has had functionality to measure nontraining behaviors since 2017; while it’s currently underutilized, Infosec plans to increase that usage. Infosec has recently created a security culture survey. The vendor has a team dedicated to customer support that displays client obsession at all points and consistently gets rave reviews from reference customers. Security leaders interested in working with a vendor that deeply understands them and provides a quality solution should investigate Infosec.
- Terranova Security has a safe offering but is missing a chance to revolutionize SA&T. Terranova Security is a long-standing SA&T vendor with a diverse leadership team and a meticulous focus on business execution. This business focus results in a well-defined execution roadmap, which includes clear, highly achievable three-year goals. These goals center on global growth via a strong reseller channel focused on Microsoft and Cisco resellers that targets the US, Canada, and French-speaking Europe. Customer obsession is one of its core values; all strategic initiatives map to customer milestones. Terranova Security’s vision feels like a continuation of what it has done in the past, rather than looking ahead to emerging or visionary customer requirements. This is set to change; the vendor has committed to future innovation by creating a chief innovation officer role. Terranova Security’s training library is available in various formats; the vendor makes a tangible effort to ensure that the content is diverse, inclusive, and accessible. Customer references acknowledge the quality and attractiveness of the content, including high-quality graphics. Terranova Security delivers content in 40 languages; reference customers indicated that language support is a key reason they are delighted by the vendor. Assessment surveys determine security behavior. The vendor combines knowledge and risk into a Cyber Hero Rating that assesses how targeted users are and how they respond to various situations and then personalizes training for them. Terranova Security lacks a specific offering to measure, manage, or instill a security culture, which customer references noted as a shortcoming. Security leaders needing comprehensive, high-quality SA&T content can look to Terranova Security.
- Kaspersky stubbornly holds on to features and training, missing the bigger picture. Kaspersky has had time to mature its SA&T offering. But the vendor’s vision for this relatively recent product still centers on creating better content, features, and design principles rather than anything visionary. Kaspersky’s roadmap similarly focuses on improving features, content, and sales and marketing. The vendor’s SA&T solutions and market strategy target both SMBs and enterprises. While Kaspersky has a vast partner channel of 40,000 resellers in more than 200 countries and 24,000 active B2B partners, these partnerships have focused primarily on growth. Kaspersky’s training is still audience-specific. While content is available in multiple languages, it falls short of what is considered modern, diverse, and inclusive. Some of Kaspersky’s gamified content uses “casino mechanics” (gambling visuals like chips and casinos), which may have negative ethical implications for some individuals or cultures. The vendor does offer different content for certain regions. The gamified assessment tool we reviewed could be perceived as punitive. Kaspersky’s approach to measuring security behavior is to assess employees’ knowledge, and it uses their average security level to measure culture. Kaspersky has the largest presence in EMEA of all of the vendors we evaluated. Security leaders looking for audience-specific training or to assess their own security knowledge should consider Kaspersky. We included Kaspersky in and completed this evaluation because it was a key vendor in the market when the Forrester Wave process began, despite a ban on Kaspersky products in US government contracts. However, given the increase in geopolitical uncertainty introduced by the conflict in Ukraine, Forrester cannot recommend that clients consider Kaspersky at this time.
- Cofense uniquely and narrowly focuses solely on phishing and email security. Cofense is one of the largest, most established players in the phishing simulation market. A cornerstone of its vision is to address the failure of secure email gateways; the solution combines Microsoft and Cofense assets to reduce the risk posed by malicious email. To that end, Cofense’s innovation roadmap focuses on Triage, AutoQuarantine, and a new interface for PhishMe. These are important but don’t reflect the entirety of emerging SA&T market needs. Cofense continues to use PhishMe as proof of its innovation capabilities, even though it was originally released around 2011. Cofense also insists that its R&D budget is “equal to or on par with competitors” but does not provide any details. Cofense has a vast content library with thousands of pieces of content, many of which relate to phishing and email security issues. Due to Cofense’s technical capabilities in phishing and email security, this content is practical and aligned with the phishing and email security threat landscape. Cofense offers an expected range of content types, some of which are differentiated, particularly those created in partnership with Ninjio. Others look and feel somewhat dated. The vendor leverages extensive integrations to measure phishing and email security behaviors via simulation assessments and uses this ability to assess and report on susceptibility and repeat clicker rates. These are important but neglect a raft of other security behaviors required for complete human risk quantification. Security leaders looking for phishing and email security education and quantification should consider Cofense.
- Mimecast delights with content but falls short on behavior and culture management. While Mimecast delighted with its content in 2019, its current vision and execution roadmap address problems its competitors have already solved. Its 2022 roadmap includes launching an onboarding wizard, creating dynamic groups, and adding several training modules — none of which is revolutionary. Mimecast has launched a managed service for its Awareness Training (AT) product to integrate more tightly with email security solutions, which makes business sense but isn’t really innovation. Mimecast’s go-to-market strategy is largely defined by customer size, with minimal business insight or vertical expertise. Mimecast’s partner ecosystem is extensive but focuses on resellers and managed service providers rather than partnering to deliver differentiated intellectual property. Mimecast AT leverages engaging videos that use humor and microlearning principles. These videos are presented by two main characters, “Human Error” and “Sound Judgment,” bringing much-needed humanity and entertainment to the SA&T topic. While Mimecast leads with content and works hard to ensure that its content is globally inclusive and accessible, by virtue of it being humorous video content, it will not appeal to every audience. This was reflected by reference customers, who were either delighted with the content or noted many points needing cultural improvement. AT integrates with Mimecast’s email security tools to obtain data on click rates and other phishing-related risky behaviors, but that’s where it stops. Security leaders wanting to engage their workforce on the important topic of security in a differentiated way should evaluate Mimecast.
We evaluated vendors against 30 criteria, which we grouped into three high-level categories:
- Current offering. Each vendor’s position on the vertical axis of the Forrester Wave graphic indicates the strength of its current offering. Key criteria for these solutions include learner content, risk quantification, reporting capabilities, and security culture betterment.
- Strategy. Placement on the horizontal axis indicates the strength of each vendor’s strategy. We evaluated product vision, execution roadmap, market approach, innovation roadmap, partner ecosystem, and commercial model.
- Market presence. Represented by the size of the markers on the graphic, our market presence scores reflect each vendor’s revenue and number of customers.
Vendor Inclusion Criteria
Forrester included 11 vendors in the assessment: Cofense, CybSafe, Elevate Security, Infosec Institute, Kaspersky, KnowBe4, Living Security, Mimecast, Proofpoint, SANS, and Terranova Security. Each of these vendors has:
- A global presence and customer base. We included vendors that get no more than 95% of their security awareness and training revenue from one continent or that earn revenue on at least three continents.
- Broad human risk management coverage. Each participant has a broad range of capabilities, with a specialization in one or more of the following: human risk management, security culture mapping, and content excellence.
- Significant amounts of enterprise clients and revenue. Each vendor has a significant number of direct enterprise clients (versus SMBs or managed service providers). Each vendor also earns at least US$2.2 million in annual revenue from its SA&T solution.
- Significant interest from Forrester customers. Each vendor has significant interest from our clients in the form of inquiries, advisories, interactions at events, and other conversations.
We publish all of our Forrester Wave scores and weightings in an Excel file that provides detailed product evaluations and customizable rankings; download this tool by clicking the link at the beginning of this report on Forrester.com. We intend these scores and default weightings to serve only as a starting point and encourage readers to adapt the weightings to fit their individual needs.
The Forrester Wave Methodology
A Forrester Wave is a guide for buyers considering their purchasing options in a technology marketplace. To offer an equitable process for all participants, Forrester follows The Forrester Wave™ Methodology Guide to evaluate participating vendors.
In our review, we conduct primary research to develop a list of vendors to consider for the evaluation. From that initial pool of vendors, we narrow our final list based on the inclusion criteria. We then gather details of product and strategy through a detailed questionnaire, demos/briefings, and customer reference surveys/interviews. We use those inputs, along with the analyst’s experience and expertise in the marketplace, to score vendors, using a relative rating system that compares each vendor against the others in the evaluation.
We include the Forrester Wave publishing date (quarter and year) clearly in the title of each Forrester Wave report. We evaluated the vendors participating in this Forrester Wave using materials they provided to us by November 2021 and did not allow additional information after that point. We encourage readers to evaluate how the market and vendor offerings change over time.
In accordance with The Forrester Wave™ And New Wave™ Vendor Review Policy, Forrester asks vendors to review our findings prior to publishing to check for accuracy. Vendors marked as nonparticipating vendors in the Forrester Wave graphic met our defined inclusion criteria but declined to participate in or contributed only partially to the evaluation. We score these vendors in accordance with The Forrester Wave™ And The Forrester New Wave™ Nonparticipating And Incomplete Participation Vendor Policy and publish their positioning along with those of the participating vendors.
We conduct all our research, including Forrester Wave evaluations, in accordance with the Integrity Policy posted on our website.
© 2022, Forrester Research, Inc. and/or its subsidiaries. All rights reserved.