Are Your Security and Privacy Education Programs Stuck in Silos?


With Cybersecurity Month, Unleash World HR, IAPP and a number of security and privacy conferences wrapping up, it’s a good time to talk about aligning security, privacy and compliance education programs. These topics overlap heavily, especially when it comes to users and their devices. Yet company education and compliance programs are often stuck in department silos, each with its own learning management system (LMS), vendors and subject matter experts doubling as training administrators. Many organizations still rely on non-digital training methods such as classroom sessions, PowerPoint decks and manual toolkits, which neither scale nor provide the frequency required to stay up to date and change behavior.

In short, siloed education programs are inefficient: they add unnecessary vendor cost, require duplicate administrators, fragment reporting data, create training schedule conflicts and give employees a poor training experience.

Our advice is to continue down the path of digital transformation: digitize and consolidate your education efforts where possible. After employees, look at your full community of IT stakeholders, such as contractors, partners and third parties. Do your IT stakeholders have sufficient and targeted training? In this article I’ll share why siloed training is problematic and offer tips to improve your security, privacy and compliance education programs.

As a starting point, let’s take a quick look at standards and regulations such as ISO 27001, COBIT, GDPR, HIPAA and PCI DSS. They call for employee security awareness training and reporting. For example, ISO 27001 states in A.8.2.2 (control A.7.2.2 in the 2013 revision of the standard): “... All employees of the organization and, where relevant, contractors and third-party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function...”

To cover these requirements effectively, organizations need a centralized digital solution that ensures all IT stakeholders are trained on a regular basis, with both general security knowledge and role-based training.

First and foremost, running multiple LMSs drives up cost and support burden and degrades the user experience. Non-digital training methods such as classroom sessions are expensive and not practical for an organization-wide rollout to IT stakeholders, and they don't allow for the frequency and role-based content required to drive behavior change. That said, we recognize that technical and specialized training with a third party may be more practical; such is the case for security engineers or data privacy officers.

Employee training is generally managed by the Human Resources (HR) department, while individual programs manage their own industry-specific training. Your CIO, CISO, Privacy/Compliance Officer or General Counsel may be accountable for the security and privacy compliance programs, but we believe that training administration should ultimately sit with a centralized training team.

Disadvantages of Siloed and Non-Digitalized Training

  • Having security and privacy professionals run training administration and an LMS is a poor use of their time, which could be better spent on strategic security and privacy issues. The extra responsibility also contributes to workplace burnout;
  • Training managers, by contrast, are up to date on training technologies, vendor contracts, workforce users and training programs. They can manage coordination, communication and the timing of programs with other teams across the organization;
  • Logging into several learning management systems is a poor user experience. Better to consolidate content into one or two systems with simple access, single sign-on and multi-factor authentication;
  • Purchasing content and learning management systems from multiple vendors is not cost effective. Finding vendors that can offer high-quality training content across multiple topics with contract discounts simplifies management and lowers cost;
  • Multiple training systems create data fragmentation in publishing courseware, managing user databases, reporting, assessment and tracking compliance. Data from training systems, such as courses and completions, needs to be fed to a centralized HR system for records management and transcripts;
  • Classroom and PowerPoint training do not scale, are expensive, are hard to track and do not provide the necessary training frequency. Training intended for the entire workforce is better delivered through digital eLearning platforms.

Understandably, it’s hard for security, privacy and compliance managers to let go of training, but ultimately coordination with HR and the training team is the best path forward.

Quick Things to Consider

  1. Check internally within your organization and HR department to see whether a training team and an LMS already exist. Be aware of other training programs in the company and coordinate timing with HR and your internal communications team;
  2. Strive to build an integrated awareness education program that covers Security, Privacy and Compliance. These topics are interrelated and satisfy multiple compliance requirements, so connect the dots;
  3. If your vendor’s content does not cover your requirements, or the quality or depth is not there, consider augmenting it à la carte with Shareable Content Object Reference Model (SCORM) packages that can be loaded onto your organization’s LMS;
  4. Offer shorter micro-courses and reinforcement activities on a more frequent basis (e.g. monthly or quarterly) and re-train users on core topics annually. Stay away from long, boring courses that result in low retention and little behavior change;
  5. Make sure your workforce is informed about company IT policies and that the policies are reinforced by training. Tell people where to ask questions, report mistakes or suspicious behavior and provide feedback, and put that contact information in your content and training communications (e.g. support desk, CISO, DPO/CO, HR).

Centralized education programs are worth the investment on many levels. The payoff comes in meeting compliance requirements, saving costs and building a productive learning environment. It’s important to help your workforce connect the dots between company IT tools, policies, compliance and best practices. Longer term, your organization will benefit from a stronger security posture, lower risk and improved workforce morale.

Stay tuned for more discussion on this topic, and feel free to send us your questions. We wish you success with your security awareness education programs.


Sources:

https://www.sans.org/sites/default/files/2017-12/sans-compliance-requirements.pdf

https://www.iso.org/isoiec-27001-information-security.html


Adam Hoey

CEO – Founder | Potentia Concepts

adam@potentiaconcepts.com

info@potentiaconcepts.com

Amsterdam • The Netherlands • +31 6 15 36 06 91

Washington • USA • +1 202 460 3116 • info@potentiaconcepts.com