It’s been a long road; but I’m happy to announce that this year’s MQ for Security Awareness Computer-Based Training is now available for Gartner subscribers!
My co-author, Joanna Huisman, and I learned a lot while speaking with the vendors, clients, security awareness program managers, and other experts. In general, there are a few interesting trends to take note of:
- Customers are actually pretty happy regardless of which vendor they choose! If you take a second to head over to the Gartner Peer Insights reviews for vendors in this market, it becomes pretty apparent customers for each vendor are actually very satisfied. This is in stark contrast to many other markets… just take a look around to see. 🙂 I believe that this is because the anti-phishing behavior management and security awareness CBT market are primarily content driven. This means that most customers will ‘vet’ the content appropriately prior to purchase. Additionally, the ‘deployment’ of the content is very easy and doesn’t entail the difficult integration paths that many other (more technical) markets face. The result is that customers really know what they are getting when they sign the contract.
- The market continues to grow… big-time! The market has experienced greater than 55% growth from 2014 through 2015 and is currently projected to continue at a similar rate as 2016 draws to a close, with projected 2016 market size of approximately $240 Million. Of the vendors rated in our Magic Quadrant, the vast majority (15 of 18) experienced year-over-year revenue growth of greater than 25%, with multiple vendors experiencing over 70% growth and 4 vendors with 100% or greater growth.
- SaaS-based Learning Management Systems are now the status-quo. In fact, only one vendor evaluated in this year’s MQ does not offer a SaaS based LMS. … and the majority of customers are using the SaaS-based LMS for at least a portion of their programs. There are a few reasons for this:
- The first is that it is just quicker and easier to spin-up the vendor offered SaaS environment, import users, set some rules and then begin training while simultaneously avoiding the complexity of scheduling with your own internal communications and training teams and dealing with the politics and pipelines — yes this is Security doing what we criticize other departments for doing…
- Secondly, the vendor supplied LMS’ are doing a decent job at presenting meaningful metrics… and tying together metrics/dashboards that span both phishing and training. This fidelity is generally lost when a client relies on SCORM export/imports into their own corporate LMS.
- For organizations using BOTH anti-phishing behavior management AND general security awareness CBTs, there will always be some element that is SaaS-based. Specifically, the phishing program will be run via a SaaS offering… and so using the same platform (essentially) to run both phishing and general awareness is not a difficult psychological barrier for potential buyers to overcome (particularly when coupled with the above rationale).
- Integration Partnerships and Possibilities are becoming reality: Some vendors are also beginning to partner with core security technology vendors, such as employee monitoring vendors, endpoint detection and response (EDR) vendors, endpoint protection platform (EPP) vendors, secure email gateway (SEG) vendors, and others The goal of such partnerships is to be able to leverage the real-time data as well as log data to provide injective, just-in-time learning based on observed unsecure behavior exhibited by an employee. Additionally, when unsecure or risky behavior is logged, the behavior could trigger auto-enrollment into a contextually-relevant training module. This is a natural evolution of the anti-phishing behavior management market – it is all about observed and individualized, behavior based training that is specifically relevant to the learner. This is an emerging area that Gartner will continue to track.
- Multi-Language Support is a Big Deal : Most long-standing vendors offer support for all major language groups. However, many vendors are now distinguishing themselves by offering out-of-the-box language support 20+ languages and with some offering more than 50 languages. However, Gartner recommends that organizations verify the accuracy of languages with their own in-country personnel before deploying pre-translated materials.
- Fully managed services for running all aspects of phishing and security campaigns are on the rise. This is catering to companies that don’t want to (or can’t) dedicate the time/resources to become awareness and campaign management experts.
- Content is king: Deployment of Security Awareness materials – in many ways – becomes the overt face and voice of the security department to the rest of the organization. As such, ensuring that the tone, production value, and overall look-and-feel of the solution is a good match for the specific target organization is fundamental to success. I generally tell potential buyers that, if the solution you are evaluating does not have content and an interface that is as-good-or-better-than anything else your company has released, other vendors should be evaluated. This mean that the fullness of the vendor’s content library can be a key decision-making criteria, especially for clients seeking content that will address multiple audiences using different tones, styles, etc.
- Many vendors are offering large supplemental content libraries to help support robust campaigns: In recognizing that CISOs and security awareness managers are not full-time content writers, graphic designers, or marketing experts, many Security Awareness CBT vendors offer large libraries of predesigned content to serve as additional/supplemental campaign artifacts or for ad-hoc communications. These can include materials for newsletters, intranet postings, emails, security alerts, security information for families, and so on.
Much more detail is available in the full report!
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.