
How to evaluate a security awareness vendor?

November 30, 2022

How do you evaluate a security awareness vendor?

If you search Google, the Internet will likely direct you to G2 or one of the other SaaS review sites. These are essentially sites that rank really well for SaaS companies on search engines. They compile reviews, and companies pay to improve their profiles, collect more reviews, get search and buyer intent data, and advertise on competitor pages.

G2 is a good starting point but, in an established market like security awareness, G2 tends to heavily favor the larger existing vendors because the number of reviews is a major driver for how companies rank. As a starting point, it is a good place to build a list of security awareness training vendors and to skim through reviews to see if users mention things that are either deal breakers or matter a lot to you.

Once you have your list of security awareness vendors, what criteria do you use to assess them and pick a winner?

You could use Forrester as a guide. Its Wave report on security awareness training has published criteria for assessing a security awareness training vendor. The criteria roughly fall into three categories - 1) offering / product, 2) strategy, and 3) market penetration (size). This is a helpful framework that’s worth a look.

When we are in a competitive process, we find the following criteria to be the most common.

  • Price. This is always a point of discussion in a competitive process. Some security awareness training vendors have raced to the bottom on pricing, and buyers expect security awareness to be cheap.
  • Catalog size. Forrester doesn’t agree with this in their report but buyers still often ask about how many courses are offered and how many pieces of content are available.
  • User experience. This is a part of every discussion. Almost every vendor claims to have a great user experience so it is up to the buyer to be critical in their assessment. Security awareness does not have to be painful for users.
  • Integrations. The most common integrations are with HRIS systems like Workday, auth systems like Okta, or learning management systems (LMSs).

The above are a good set of criteria to weigh in picking a security awareness training vendor. The one question we do not get asked about often that I wish we did is our roadmap and our vision for the future of security awareness. We often start our demos talking about our vision as it highlights the assumptions that drove our decisions to build a security training product that fully integrates into Slack and the flow of modern work. But, it is rare to get asked about what is coming in the future. Roadmap items sometimes come up in response to specific feature questions but there’s generally not a priority on the future product.

Given the rapid changes in technology, the way people work, and the way attackers target users and systems, security awareness training needs to evolve to keep pace. The vendor you sign with today should be prepared and even have opinions about what the product will look like in 1-2 years.

At Haekka, our product is not done. We’ve built the core set of features for what we call Haekka One, which is a complete security training and engagement platform for modern work. It has all the features to build and maintain a security mindset. But, we have more work to do in the form of new SaaS app integrations, new data sources, improved reporting, and better connection between users and security.

We hope all security awareness vendors are looking to the future.
