Guest contributor Naya Moss is an IT pro and infosec leader breaking down the basics of creating your own compliance training. If you missed her webinar on human-centric security, watch it for free here.
Security and compliance in the workplace can often seem complex to employees. Many may be unsure of what they entail. Before building your compliance training program, team members and responsibilities should be defined, a risk assessment should be completed, and security gaps should already be identified and prioritized. Ideally, there should be defined compliance plans, goals, and areas of improvement.
Compliance is vital for organizations of all sizes; however, teams and structures may vary. A startup seeking compliance certifications may have limited IT, Security, Legal, and Governance, Risk & Compliance (GRC) personnel. In many cases, a GRC team may not exist at all. In this scenario, the training program and responsibilities can be split between IT, Security, and Legal—with at least one primary lead. There should be written documentation of who is responsible, accountable, consulted, and informed, also known as a RACI matrix. This balances the training responsibilities across teams and prepares you and your team to convey to employees which team member holds which responsibility and who to contact.
1. Documentation of policies, procedures, and guidelines
The first step is to have all policies, procedures, and guidelines in a centralized and accessible place. Ensure that all employees can access policies, procedures, and guidelines. Prioritizing compliance training based on current company risk will help you see where you should start in your documentation process. Make all documentation readily available, and regularly inform employees of any changes. A nice touch would be to add document labeling and tags. For example:
- if the document is a policy, procedure, or guideline
- the owner
- its status, i.e., complete, needs revision, in review
- last revision date
When employees can easily access documents, it allows everyone to view them at any time. They can learn on their terms, and it sheds light on compliance exceptions. Having an intranet or database also means that if employees need further information or a refresher, it can help post-training initiatives.
2. Effectively communicate what compliance means for your company
The most common compliance standards, laws, regulations, and certifications are:
- System and Organization Controls for Service Organizations: Trust Services Criteria – SOC 2
- Health Insurance Portability and Accountability Act – HIPAA
- General Data Protection Regulation – GDPR
- International Organization for Standardization’s Information Security Management Standard – ISO 27001
- Payment Card Industry Data Security Standard – PCI-DSS
- Federal Risk and Authorization Management Program – FedRAMP
Many may not understand any of these terms or recognize their differences. It’s best not to assume most know the difference between rules, laws, and regulations. Explain the differences and which ones the company has to comply with. This gives employees insight into how compliance affects their daily activities. For example, in the eCommerce industry, online stores and retailers accept payments and comply with PCI-DSS—a standard enforced by central banks. In your training, help employees understand what PCI-DSS is and why it’s essential to comply. Work with Security on a document that helps the development team understand why and how customer card information and addresses must be protected, encrypted, and obfuscated.
3. Training strategy & content planning
Map the resources, people, and technology currently available. Your first instinct may be to go out and purchase training, but you can start with the resources you already have! Start with your documentation and use it to generate content in various forms, such as:
- short-form videos by the compliance team
- internal newsletters
- automated Slack messages or team-based channel reminders
- gamified engagement
Compliance programs can be nearly identical to security awareness programs, except for being slightly less technical. You can still get creative and make them fun and interactive.
Take a page out of the marketing book—the drip campaign strategy! A drip campaign is a series of segmented, time-based emails. In newsletter marketing, the creator may send, over time, a series of emails that include long-form writing, a link to a video, a survey, and perhaps an invite to an upcoming webinar. Compliance training can follow the strategy and schedule of a drip campaign: over the following weeks or months, the subscriber receives bite-sized information, which leads to ongoing communication. Create a training journey, choose its type, and segment your audience. Make materials simple to understand, and use wording that promotes an ongoing, engaging conversation around compliance and its importance. A compliance training journey can be assembled like Lego pieces. Choose the methods that fit best, such as:
- Create a personalized 5-minute video for new hires
- Send a follow-up email 1-2 weeks post new hire start dates
- Host a lunch and learn or AMA
- Send a link to a folder or database of where to access documentation
- Follow up and inquire if anyone has questions about any documentation or changes
- Make the most common risk memorable by creating a jingle or song to share at a company all-hands
Provide employees bite-sized information over time, segmented by knowledge level, department, engagement, and feedback. Use wording and questions that promote engagement, and make frequent adjustments based on effectiveness.
Compliance training doesn’t have to be difficult, and it doesn’t have to be boring. Avoiding compliance training fatigue is possible with the right amount of communication, documentation, and strategy. Find your inner creativity and make learning about compliance enjoyable!