Your people are your most important resource in taking control of your compliance management. But if they aren’t trained up for the task, you’ll never slay the dragon of compliance chaos. Today, we’ll look at the kinds of training your people need in order to keep your compliance activities under control.
This is the seventh step in our series on taking control of compliance management in 2019. Just now joining the conversation? Check out the rest of the series:
- Survey the landscape of your compliance certification requirements
- Evaluate your vendors and auditors
- Build your budget
- Choose the best compliance tools
- Streamline compliance management
- Recruit your compliance team
- Train your people (this post)
- Automate ongoing compliance tasks
When you embark on staff training—whether it’s for the first time, or it’s the first time that you’re taking it seriously—the first attempt at training is going to be challenging. Everyone on your team will have a lot of on-the-job learning to do as they gain more expertise in directional guidance. It’s a substantial investment, but it will pay off in spades. And the following years will get progressively easier.
There are a number of realms of training that need to occur within your organization. The first, and largest in scope, is general security awareness. After that, specific groups will need specialized training. And as a CISO, you’ll need to invest in your own professional development. Here’s what that looks like.
General Security Awareness
No matter what certification you’re subject to, your company will need security awareness training. It’s a requirement of virtually every compliance standard. Every single person in your organization—from the janitor to the CEO—should receive this training. Many companies initially limit their training to the people who directly interact with sensitive data or security protocols, such as IT professionals, credit card handlers and HIPAA data entry personnel. It’s cheaper, it’s more efficient, and it’s a lot less hassle. But it’s also a big mistake.
Invariably, the administrative assistant who never got trained on email scams is the one who clicks on the ransomware attachment. Security awareness is everyone’s job, because anyone in your company can be the one who exposes your organization to risk.
You can provide this training in any number of ways:
- Find a standard presentation PDF off the internet and distribute it to everyone in your company. This method provides no real expertise, only the barest essentials, and extremely limited value.
- Provide HR-led training. While the content will be customized for your organization, it will still lack expertise.
- Provide IT-led training. This provides a greater depth of content, but even your IT personnel have limited expertise. And let’s be honest—your developers probably aren’t the best people to train non-technical staff.
- Get an outside security and compliance expert. Your assessment firm may offer this service. If not, TCT provides world-class training that’s designed for people at every level of your organization.
Not only does hiring a third-party expert provide a greater depth of knowledge, it takes a ton of prep time and effort off of your people’s plates. Your internal resources’ time is better spent on their core responsibilities.
Everyone in your company should receive general security awareness training. A subset of those people will need to get specialized training as well. Anyone who is actively involved in sensitive data workflow should get next-level training and knowledge. This is departmentally specific training on issues that are relevant to them.
Who should be trained, on what? Good question!
Training for developers
If your company creates code—whether it’s a simple mobile app, web-based application or enterprise software—your developers should get two types of training:
- Generic, secure systems development. While your devs know how to write code, that doesn’t mean they know how to write code securely. You don’t want a big surprise down the road that your code inadvertently left an opening for an attacker.
- Specialized training for personnel in their specific language, systems and type of code. This is next-level training, and it can be added on once the generic training is humming along smoothly.
What if you have a ransomware attack, a lost USB drive, a breach or unauthorized physical access to your server room? If your specialized training includes incident response, your team can be more prepared to quickly and effectively mitigate damage.
Start off with quarterly tabletop sessions to get your team on the same page. Walk through potential incidents and develop the policies and procedures of your incident response plan. Play out scenarios during these sessions to ensure everyone knows their part. Do it quarterly to start, then back off as appropriate, but never less than annually.
As much as possible, make sure your legal resources have the right security and compliance training. If they aren’t properly trained, it’s like trying to fight a five-alarm blaze with a squirt gun.
Imagine your corporate law attorney trying to navigate the legal issues of a data breach emergency. You could find yourself in the middle of an incident that’s caught the attention of local or national media. As reporters descend upon your organization, how will your corporate lawyer with no cybersecurity experience guide your company through the barrage of questions?
Don’t assume your attorney is ready to handle that kind of situation. Don’t assume they can quickly get up to speed on the compendium of agreements you have with customers, vendors and contractors. Don’t assume they “know someone” that they can “pull in.” Make sure they are prepared, already have the expertise required, and that they’re involved with the regular training on all the ins and outs of these issues.
You’re bound to have some number of incidents occur throughout each quarter. Review these cases on a regular basis to find opportunities to improve your processes and reduce incidents.
You’ve got the chance to learn something new every time you declare an incident. Review what worked, what didn’t work, where the gaps were and why they were there. Then, make adjustments and build them into your procedures.
Business continuity and disaster recovery
Business continuity and disaster recovery help ensure you stay in business if the worst happens and something goes sideways. In the event of a hurricane, fire or even an influenza outbreak, you need the capability to keep the business going and implement disaster recovery.
This is a lot like incident response, so it makes sense to treat it similarly. Start with tabletop exercises and play out the likeliest scenarios. From there, build out your policies and procedures, and make sure the right people know their roles. This will give your organization a much better shot at adapting to the latest challenge if it materializes.
It’s scary just how few vendors are adept at security and compliance. Don’t assume your partners are experts, but include them in your training. Invite them to participate with your organization, or require that they show evidence of their capabilities in security/compliance. Also confirm that they’re getting their own training.
Make it easy for them to be open and honest about their level of expertise (or lack thereof). You’re all in this together, and you can all improve together. This training benefits their value as a business, as well as your own organization.
Generally speaking, it’s better to raise the capabilities of a willing existing vendor than to replace them. That said, you also need to make the tough call when it’s time to end the relationship.
Professional Development for CISOs
Part of being open and honest means acknowledging your own room for growth. Every CISO, no matter how deep their expertise, should be continually learning and growing in security and compliance. It’s a dynamic area, and there is always more to learn.
Be a professional who is constantly learning. Keep your eyes on developments in the marketplace. Take security and compliance engagement seriously, and stay abreast of progress as that process unfolds within your company. Develop a relationship with an expert in the arena who can show you the ropes and help accelerate your learning.
Go to conferences, but beware of vendor pitches—especially any tech companies that claim there’s a silver bullet. There is no silver bullet in security and compliance. Connect with peers—ask questions, find out what has worked and hasn’t worked for them.
Finally, join security and compliance groups on LinkedIn. Follow industry thought leaders, and keep abreast of new content in the security and compliance world.
Now Slay That Compliance Dragon!
And with that, all your pieces are in place to slay the compliance dragon. Congratulations! This journey has been a long one, and it’s taken a lot of work—but you now have the knowledge, partners, tools, processes, people and training to take control of your compliance management process.
Even better: each annual compliance cycle will be progressively easier than the previous one—if you do it right. We’ll walk you through that in our next and final article of this series. As a result, you’ll keep that compliance dragon of chaos from coming back again.