Building a Strategic Human Risk Function: Are You Ready for the Shift?


For years, human risk has been synonymous with cybersecurity awareness training: phishing simulations, compliance courses, and annual reminders to “think before you click.” The landscape, thankfully, is changing. Human risk management is no longer a checkbox activity—it’s becoming a strategic pillar in enterprise risk management, essential for organizational resilience in an increasingly digital and complex world.

What Is Human Risk?

At its core, human risk refers to the vulnerabilities introduced by human behavior in the workplace. According to Forrester, it’s about understanding how employees interact with technology, processes, and policies—and using that knowledge to reduce risk. Gartner echoes this, highlighting that human risk management is a growing priority for organizations as they recognize the critical role people play in mitigating cyber threats.

While these definitions provide a solid foundation, we believe human risk management, as part of organizational risk management, is even more nuanced. It’s not just about mitigating vulnerabilities—it’s about empowering employees, fostering a culture of security, and embedding human risk into the strategic fabric of enterprise risk management. The challenge for many teams today is that this must be done in the context of your unique workforce and your unique business model. For many companies, there are major gaps to fill in the near future to meet these new challenges.


What the Data Tells Us

The 2024 SANS Security Awareness Report sheds light on where organizations stand in their human risk journey. While the report highlights progress—such as the growing recognition of dedicated roles and teams—it also underscores a significant gap. Many organizations lack the budget, the time and support for strategic thinking, and the access to resources needed to innovate beyond basic awareness. This has left many teams stuck at levels 2 or 3 of SANS’ Security Awareness Maturity Model (out of 5).

Practitioners and the community have provided invaluable feedback on what works and what doesn’t. However, the consensus is clear: companies have historically underinvested in humans, treating them as the “weakest link” instead of a powerful line of defense. It’s time to change that perception.


Where Organizations Get Stuck

Many Human Risk Management and Cyber Culture teams struggle to move beyond the middle stages of maturity. Here’s why:

  1. Lack of Vision
    Without a clear vision, human risk initiatives often remain reactive. Awareness programs are viewed as tactical, not strategic, leading to limited buy-in from leadership. Programs are often put on 'repeat' due to budget shortfalls and lack of executive buy-in. 

  2. Lack of a Programmatic Approach
    Human risk management requires more than just once a year compliance training or phishing tests. A programmatic approach involves defining objectives, aligning with business goals, and continuously improving based on feedback and metrics.

  3. Lack of Metrics and a Compelling Story
    Metrics like training completion rates or phishing click-throughs don’t resonate with executives. Without meaningful data and a narrative that connects human risk to broader business objectives, it’s difficult to gain support or secure additional resources.


Shifting Human Risk to a Strategic Function

Elevating human risk management requires a mindset shift—from “awareness” to “advisory.” Here’s how you can prepare for this transformation:

Adopt the Language of Risk
To gain credibility at the executive level, you need to speak the same language as your board and risk management teams. Focus on quantifying human risk in terms of its impact on business objectives and frame it as part of the organization’s overall resilience strategy.

Influence Decision-Making
Human risk programs can no longer exist only as a service function within IT or IS. To move the needle, you need to influence decisions that affect the workforce, from digital transformation initiatives to policies and processes that shape behavior.

Let Go of the “Doing”
Free up resources by automating compliance training, outsourcing phishing simulations to a managed program, or partnering with experienced vendors for learning content that goes beyond 'training modules'. This allows you to focus on strategic challenges and objectives, such as aligning human risk with organizational priorities and addressing systemic vulnerabilities.



The Long Game: Building a Resilient Digital Culture

Elevating human risk to a strategic function isn’t a quick win—it’s a long game. It’s about understanding your organization’s culture, identifying where influence and decision-making power lie, and embedding human risk into every aspect of enterprise risk management.

This shift will require more budget, more innovation, and more strategic thinking. But the payoff is worth it: a workforce that’s not just aware of risks but actively engaged in reducing them, a leadership team that views human risk as a vital component of resilience, and a business that’s better prepared to navigate the complexities of the modern digital world.

Are you ready to elevate your human risk program? Let’s talk about how to define, structure, and staff it for success—and ensure you have the data and tools to back it up. We can help.
