Research Report


Forrester’s 4-Step Plan for CISOs

This report lays out a four-step plan that CISOs should follow to manage human risk and create lasting behavioral change throughout their organizations.

Today, cybersecurity training programs focused solely on awareness fall short in these ways:

  • Create panic instead of deep understanding. Traditional user training campaigns may help employees pass awareness tests, but awareness without understanding can create a culture of risk aversion and panic, with executives making decisions based on fear rather than on an accurate picture of the risk.
  • Stop short of changing behaviors. Despite years of standards such as ISO 27001 requiring security awareness and training as part of a security program, training has not achieved desired results.
  • Spend the most money to simply tick a compliance box. Standards such as ISO 27001 (a certifiable management-system standard, not a regulation) have elevated the importance of security awareness and training (SA&T); however, they remain vague about why it matters or how to do it effectively.

Forrester’s plan provides design principles for creating transformational cybersecurity awareness initiatives that will win the hearts and minds of senior executives, employees, and customers.

Access the report now!