Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Training Your Compliance Personnel


Quick Take

On this episode of Compliance Unfiltered, Adam and Todd talk about the importance of properly training your compliance personnel.

The impact on a variety of different areas throughout the organization is vast. For that reason, the CU guys talk about how tough it is to get the right person to train compliance personnel and how vital the role of the compliance training personnel becomes to the organization.

Curious if your compliance personnel are properly trained? Wondering how to identify the gaps in your compliance training program? All these answers and more, on this episode of Compliance Unfiltered.

Remember to follow us on LinkedIn and Twitter!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the drill to your compliance sergeant, Mr. Adam Goslin. How’s that for you, sir? I’m doing good, Todd. How are you? Man, I can’t complain. I cannot complain. You know, Adam, every single year, large companies specifically spend, you know, thousands of dollars, I think it’s over $1,400 per employee on training. And I’m curious, talk to me about your experience when it comes to training compliance personnel, and why that experience is so challenging at times. Well, when you’re in the compliance space, compliance personnel, they need to have a, you know, a great breadth of knowledge across an entire compliance engagement. I mean, if you figure, you know, I’ll just use PCI as an example, you know, you’re talking everything from, you know, firewalls to networking and system configuration and, you know, storage encryption, transmission encryption, antivirus, patching, and, you know, change control, code development, you know, role-based access control, access control, you know, physical security, security, you’re talking, you know, you know, logging and, you know, daily log reviews, security testing, policies and procedures, I mean, it’s literally like, it covers HR, it’s, it’s current things that relate to HR relate to legal, you know, it’s that you are, you are crossing an unbelievably broad spectrum of skill and capability that’s ultimately needed in the general compliance practitioner, where, you know, they may not, you know, some of them, some of them know the entire gamut, some of them, you know, kind of specialize, you know, etc. But, you know, it’s, it’s really a specialty skill. And, you know, it’s something that for organizations, I mean, you know, if you’ve got somebody like that, you know, that you’ve already got, man, don’t take those people for granted because people that are exceptional in the compliance space, they are a rare breed. They’re also in high demand.
Getting to that level of capability isn’t something that just, hey, I went and I took a course and poof, I’m a compliance genius. This is the culmination of years, years and years of experience and in the trenches and having to interact on these various topics, etc. And it certainly doesn’t happen overnight. And in a lot of places, it doesn’t even happen at all. So that’s part of the reason why the whole notion of training and the compliance personnel ends up being the challenge that it is.

Now from your experience, are compliance teams appropriately trained? Well, I’ve worked with a large variety of organizations across a broad range of engagements with companies of varying sizes and da, da, da, da. And I’m continuing to find that the people that are involved in the compliance process, provisioning evidence, even those that are in the internal points for running engagements, etc, generally speaking, they’re certainly under trained, under experienced in the realm of security and compliance. For a lot of organizations, this is a realm that they’ll struggle with, especially I’m going to call it mid to upper level management at organizations. They tend to run on this tendency that, oh, well, I’ve got IT people. And so they must know how to do IT stuff securely. Now I’ve got networking people, oh, they must be able to they must know how to do networking securely. And, you know, in a compliant manner. And the reality is, there is a broad chasm between, I can technically do the job, and I can technically do the job in a secure and compliant manner. And for a lot of those in leadership, they don’t, they don’t kind of connect those dots. So, you know, my, you know, my first experience with under trained people, is a story that I believe I’ve told on here, at least a couple of times, which was my first time going through PCI certification, you know, I’d been, I’ve been leading IT teams for, you know, the better part of 15 years at that point in the game, you know, but you know, it wasn’t until I had gotten completely through my first, hey, go get us PCI compliant, that I had the realization of just how little that I knew, which to me wasn’t as surprising, because I was in IT leadership. I didn’t need to know the nitty gritty of all of this stuff that wasn’t really what I envisioned as my job.
Like I talked to you about a minute ago where I’m saying mid and upper level management, I was that guy that sat there and went, oh, well, I mean, I’ve got developers and I’ve got firewall administrators and I got all these really technical people that are really good at their job. So they must know how to do it. And that was the first engagement where it dawned on me just how little those folks knew about what it is that we needed to be doing and clearly understanding it, etc.

And it creates a huge disconnect between the folks that are in those positions of leadership and those that they falsely believe just inherently have this knowledge. And through that process of going through that experience, that really cemented it for me, how little knowledge the folks that could operationally make the organization function, how little they extended that into how to do so securely and in a compliant manner. So it’s a big thing that I like to harp on, which I don’t want folks assuming that their people just know this stuff because the minute they do that, that is a huge, huge, huge mistake. And the reality, and here’s where the part of the truth challenge comes in, right? You know, people aren’t going to, you know, people aren’t gonna go and throw their hand in the air and throw whatever, throw themselves on the sword or whatever and go, geez, you wanna know what? I don’t know a damn thing about how to do this job securely. I mean, they’re not gonna do that, you know? The boss already has this expectation in mind. They feel dumb for, you know, for having to raise their hand, etc. So, you know, they’re gonna try to do their success. They’re gonna try to do their job successfully. They don’t wanna lose their job. So what I’ve seen most of the time, they just keep their mouth shut and try to wing it, you know, type of deal. And meanwhile, leadership doesn’t have any clue that, you know, just how, you know, just how by the seat of their pants people are, you know, people are going through their, through this process, you know, and, and so, you know, the topic of today is important, you know, for those leaders because, you know, we’re, I want to, you know, have them avoid basically putting their, you know, putting their personnel into a tough spot, you know, by taking a, you know, a better or, you know, kind of more strategic approach, you know, to the, to the training needs.

Now, how does an organization figure out the training needed? I mean, is there readily accessible information on this? Yeah, so, you know, certainly, certainly for, for going, for, as you’re starting to go in and do that analysis, you know, for any organization, first thing, go in and look at the backgrounds of the people that are on your team, you know, whether it’s the person, you know, depending on the, on how you have your roles positioned in the organization, you know, you could have everything from kind of project managers to evidence specialists in certain realms, etc. But, you know, go in and look at the backgrounds of the people that you have.
It’s one thing to go in and look at somebody’s resume to find out if they can operationally do the job. And it’s another to put a specific eye toward did that past experience, was it gained at an organization that had to take security and compliance seriously?
You may very well find that there’s several people on the team that they’ve never been at an organization that’s had to undergo, you know, a real rigorous security and compliance style engagement. You know, for the technical folks, do they have certifications already in hand for security and compliance? You know, we touched on them, you know, whether they’ve worked at secure compliant organizations, you know, that’ll give you a… good sense of what types of training needs do we have, you know, and then also, you know, if you are interacting with, if your organization’s already interacting with a consultant or an assessor, I’ll guarantee you that if you kind of on the side go to them, say, look, I’m trying to bolster the skills and capabilities of my team. What do you think about the skill level of the folks on my team, who needs help, you know, who needs to, you know, who needs to get some more experience and, you know, and whatnot. I’ll say it this way, I would be willing to bet that, you know, within a couple weeks of working with your team, they know exactly who it is that’s on that team that needs to, you know, needs to go ahead and kind of bolster their position, if you will.
It comes out pretty quickly, when, especially when you start working, you know, kind of more closely with those individuals.

Well, any recommendations for training certifications? Well, here’s the problem. There are, no joke, a ton of different third party security training options that you could have available for the folks on your team. And many can just get lost down a rabbit hole. So for most of the folks that are on the team, a good, a basic overall security compliance training course is a good start. I’m going to put this into two categories. You’ve got the folks on the team that are going to go in and grab five elements of evidence for related HR, and you’ve got somebody else on the team that’s going to go pull contracts or something. Do they need to go through this battalion of training? Probably not. You’re really looking at more the folks that are involved on the technical side of the equation. But for those folks, certainly something general with a broad-based knowledge, something like a CISSP certification, it’s a general certification style that will get your feet wet, a whole bunch of different areas. That type of a certification would be especially helpful for those that are new to the compliance arena or that have never had to look at how they do what they do from a security compliance perspective. If you’re going up against a particular certification, so in this case, I’ll use PCI as an example. PCI has an internal security assessor, or ISA, qualification that they put on a training program. Basically, for the folks that are doing internal audit against PCI, again, that’s going to provide a broad spectrum of knowledge, but specific to PCI. So you can certainly look at certain specific training courses based on the security certifications or standards that you’re going up against. But at the end of the day, there is absolutely zero substitute for being able to gain years of experience in security and compliance.
Getting good at this stuff certainly takes time.

I have been neck deep in doing security compliance, consulting style engagements, probably closing in on about 20 years. And, you know, the reality is it takes time to develop that. I still learn stuff like, you know, every day, every week, you know, just keep learning new things. Now the volume at which I learned at this point in the game is certainly substantially less than when I was, you know, kind of first trying to, you know, drink from the fire hose. But, you know, you’ve got, you know, you’ve got a lot of things that are kind of at your disposal. Certainly the experience is one side of it. And, you know, the learning that you can do from those that are around you that do have more experience than you have. So if you have a consultant, if you have an assessor, you know, pay attention, you know, ask them questions, learn things, there will be a vast majority of folks that are in that consultant or assessor space, you know, they love, you know, they love it when they’ve got somebody that is willing to, you know, willing to learn and is interested in learning, you know, about it, they’ll share their knowledge with you.

You know, my take on it is at the end of the day, it’s less about what initials you have behind your name and a lot more, you know, what can you do with the knowledge or skills that you’ve got? You know, it’s really about you as a person and your experience and how you leverage that, that, you know, kind of, you know, street smart education and, you know, less about the, you know, kind of the initials at the end of their name. I can’t tell you how many people I’ve met with a whole bunch of initials at the end of their name that, you know, that really didn’t seem to know a whole heck of a lot, you know, that was, that was, we’ll call it leverageable in an operational sense.

Oh, that was polite of you. I like that. All right. What about the mentoring of new compliance personnel? Formal training is going to get expensive, right? It depends on the organization. You got a person or two, you got to go send for training, well that’s not going to be as big of a deal as, let’s say you’ve got 40 or 100 people that you’ve got to go send. The formal training is going to get expensive, but in many ways mentoring can be just as effective and a whole lot more affordable. Building into your organization a framework where some of your senior personnel are taking some of the junior personnel or it may not be like so much senior and junior in that traditional sense, but just more and less experienced in the realm. Folks pair them up. You know, get them to, you know, take the, take the newbies under their wings. And, you know, and, and I can’t under, under value how important it is to get paired up with somebody that actually knows what they’re doing. The rate of learning is really accelerated. You know, so, you know, whenever you can, you know, partnering up and doing that cross training is a, you know, it’s a huge plus, you know, the, the person that’s been down the path before that’s gained the experience, you know, if you look at it this way, I mean, they’ve run into these walls before they’ve screwed up and done things wrong. You know, they’ve had to, you know, do something incorrectly, learn from their mistakes, make adjustments, etc, you know, what better person to, you know, to, you know, to, to be able to learn from, than somebody that’s already been kind of been down the path, you know, in some organizations, though, I mean, people are, you know, people, some people are are reluctant to share that knowledge.
You know, they go, they go under this notion that, you know, and I’ll call it an outdated belief that somehow withholding, you know, this knowledge and expertise is going to help to protect their job or, you know, their authority in the organization. And, you know, while that, you know, while that may have been true years ago, you know, today, you know, for most organizations, you know, you’re proving your value by, by sharing your knowledge. You’re proving your value by helping other people grow. You know, that that’s really what makes for leadership qualities, you know, for folks within an organization and gives you the potential for, you know, moving up the ladder because of the fact that, you know, you’ve, you’ve done such a great job with, you know, with mentoring, you know, mentoring others and not the least of which is if you’re somebody that’s at the top end of the food chain, guess what, your job is made a whole hell of a lot easier when you’ve got other people that can help carry the load because now they know what they’re doing, you know, and whatnot. You know, certainly as you, you know, as you’re going through the process, you know, doing it in a manner that, you know, where, you know, for the folks when they’re new to certain realms and areas, you know, having that kind of peer review, you know, peer review style approach in play, you know, will certainly, certainly go a long way to help them with, you know, with learning as they go.

Sure. Now, everybody can use a little training now and again. So what do you do or what should you do about the training for the specialist that you have on your team? Well, I mean, if you’ve got a decent size team and the notion of specialists is probably going to be in a larger scale organization. So, you know, for that larger organization, you know, you’re definitely going to end up with some people that have their own specialties. You know, maybe one person, you know, kind of specializes in on the policies where somebody else is, you know, is working on the network administration. You know, another person is handling a lot of the elements surrounding, you know, security testing, maybe somebody else does security training, you know, etc. You know, when you lose a specialist on your team, you know, you’re going to feel that impact more acutely than losing a generalist as long as you’ve got another generalist there, you know, but, you know, you can lessen the impact of, you know, the impact of the, you know, by cross-training folks on related areas, expanding their, you know, their breadth of coverage, certainly having somebody that is a specialist paired up, you know, with someone for redundancy, that’s going to build up, you know, build up business continuity, certainly creates redundancy, you know, if somebody leaves, you know, leaves the team or is out of commission for a while. It’s at this point in the game, I feel compelled to note to the listener that we’re going to have a, we’re going to have a topic on the next podcast that’s going to be very closely related to this notion of redundancy and business continuity. But, you know, sit down, look at the compliance team, look for those single points of failure, and that really is going to drive your roadmap for training. You know, certainly, you know, certainly the, you know, the TCT portal itself, that can be a valuable tool for cross-training. 
You know, the workflows within it are, you know, are flexible and dynamic, customizable, so you could certainly assign somebody, you know, as… as that first step in the workflow, so if they’re new, if you will, have them go take their crack at it and then set up an internal QA step where it flows from the front, come from the new frontliner, if you will, flows up to that more experienced person on the team that they’re paired up with. That way it kind of drives the peer review process, increases their learning and knowledge. You can always go in, alter those workflows and start to remove that internal QA step as the comfort level goes up that the person provisioning the evidence now has their arms around it and doesn’t need to leverage that capability. So, you know, it’s good to have that QA step, especially for the noobs, before it’s going up to either your consultant or to your assessor, you know, because it’s just going to improve or increase the quality of the, the quality of the deliverables that you’re going to end up providing up, you know, to those folks that you’ve got to go and send to as the next steps in the workflow.

That makes total sense. It makes total sense. Now, what role does compliance technology play in this? Well, you know, you want to be able to take advantage of the technology in the compliance space, you know, a great compliance management tool. It literally can be an invaluable training resource for your compliance team. You know, so we were talking about the TCT portal earlier, where, you know, it’s built to make it easy for new people, new personnel to be able to get up to speed quickly. Veterans can gain a deeper understanding of the of the security and compliance space. So, you know, here’s a here’s a couple of examples of where compliance technology can, you know, can really can really assist an organization. So first off is having a reliable workflow you can you can kind of plan on. You know, you end up having a workflow where everything is laid out in a consistent, streamlined fashion. The information that you need is easy to find. You’ve got, you know, when you’ve got a, you know, kind of a simplified framework, you can make that, you know, make that learning experience substantively faster. The provisioning of guidance is another arena where an intrinsic benefit of the compliance technology is that it’s got built-in guidance, both, you know, in TCT Portal’s case, you can have guidance from the governing body for whatever particular certification, so you can have the guidance that comes straight from the PCI Council, as an example, or, you know, got additional realms of guidance that are coming from either your assessor or from your consultant. So, you know, it certainly goes a long way to assisting folks as they’re kind of going through the process. The other area where compliance technology comes into play is the notion of historical data, you know. We’ve talked about this on several of our other earlier podcasts, but the reality is that most people, when they’re going through and they aren’t using a tool.
Oh my God, by the time you’re done with that engagement, you’ve got shit spread everywhere. Like there’s files in your email. There’s status updates in your text messages. There’s crap sitting on a file server. There’s crap sitting on a SharePoint. There’s crap sitting on a Sharefile site, etc. It’s everywhere. And most organizations will go in and clean that up. Where technology comes into play from a compliance perspective is that everything is super easy to go in and identify. So as an example, if it’s been a year since we’ve done, you know, have been having to work on the compliance engagement, you know, now I can go back. I can see clearly from last year’s track, oh, who did what? You know, which person was assigned to which items on this particular engagement? I can go down to the requirement level and see what guidance did they provide? You know, what guidance, what guidance was there? What files did they provide? What explanations did they provide? Did they run into any roadblocks with the assessors when they did the submission? You know, all that fun stuff. And it’s immediately accessible, immediately referenceable. It’s huge. You can go back and, you know, go back and see all of this, all this information. You know, and certainly having that as a ready reference for new people, well, they can go back and look at, you know, what was done last year and they’re that much further ahead. They know exactly what they’ve got to go in and do. Even for the same person that did it last year, they now have an easy reference of exactly what it is that was provisioned. It just dramatically improves the efficiency and streamlining of the processing that happens, you know, during this period. You know, and the other thing, which I kind of alluded to is that because everything with your compliance technology is in one central location. You know, now you can, you know, you can write notes to yourself on the, on these items.
You can put them into the history, you know, on that item so you can remember next year when you’re going in and taking a look at it. You can go in and put, you know, your attachments are going right against the requirement level and work flowing through the tool. Everything, just everything is just sitting right there. You know, ready, with, with a ready capability. So, you know, certainly for any of the listeners that haven’t had the opportunity to leverage compliance technology on their, on their compliance engagements. You’re, you’re still, you’re still being forced to leverage a combination of a spreadsheet and what I love to call the human glue that holds, you know, holds a whole bag of shit together. You know, it’s, it is a whole lot more sane when you go down the compliance technology route.
It’s just going to make your life remarkably easier. Yeah, it makes total sense.

Parting shots and thoughts for the folks this week, Adam. Well, you know, I entered the security compliance arena about two decades ago, like I was saying earlier. And, you know, I can tell you that you don’t stop learning. There’s always new technologies. There’s always new certifications. There’s always new iterations of certifications. There’s new best practices, new threats, you know, etc.
But, you know, when you intentionally provide training for your compliance personnel, you know, you’re ensuring that they’re staying at the top of their game. And that will go a long way to improving your organization’s kind of security and compliance stance. You know, certainly the leveraging of compliance technology, I can’t understate it enough. It is a world of difference going from, you know, somebody trying to manually hold all of this stuff together to really leveraging compliance technology to, you know, to dramatically improve the effectiveness and efficiency, you know, of your security and compliance engagement. It’s a big deal. And I’ve said it many times before, you know, I am a huge proponent of organizations doing what I call owning their own data. So there’s a lot of them that will use either their consultant or their assessor systems and call it done for their repository. But if anything changes, you decide to change assessors or whatever, you’re left high and dry. You know, I’m a huge proponent of organizations owning your own data, on your own compliance management repository, you know, allow your consultants and assessors to be able to integrate into your system.
That way, if you decide to make changes, make shifts, whatever it may be, you own that repository. It’s your tool for your engagements that you basically maintain control over, over time. It’s a really, really big deal that a lot of organizations, you know, haven’t had the opportunity to see the light yet, but we’re trying to change that.

Awesome stuff. And that right there, that is the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
