By now you know that compliance means more than technology, policies, and IT resources. More than ever, it means people, your employees, equipped with the skills and training to cover the gaps that technical controls will always leave open. The only question is how best to build those competencies. In short, you have two options: 1) design and deliver the training yourself, or 2) outsource the task to specialists.
Many consider DIY approaches to awareness and compliance training because they believe it will save money. Whether it actually does depends on one thing: your objective. While it is true that most security, privacy, and compliance regulations mandate awareness training, they seldom prescribe its content, frequency, or depth. So it is possible to check the compliance box by having employees view a handful of PowerPoint slides and sign an attendance sheet. Pretty cheap. Pretty easy.
But there are at least four not-so-cheap-and-easy problems with that approach:
- The minimalist approach may satisfy an auditor, but when a breach occurs and the resulting litigation or regulatory inquiry asks what your people were actually trained to do, a signed slide deck is thin evidence of due care.
- Regulators and standards bodies are catching up: the updated PCI DSS, for example, is far more explicit about what a security awareness program must include and how often it must be delivered.
- The “check the box” mentality completely misses the point: protecting your organization, its assets, reputation, and customers.
- Quickly assembled “training” is also quickly forgotten, if it was ever absorbed in the first place. That is a far cry from the real objective of training: behavior change. Many regulations require only an annual training event, but security and compliance are not point-in-time activities, and neither is learning. Good training requires ongoing reinforcement.
But suppose you do take training seriously and still want to do it yourself, yet are unsure what success will take. Training is a surprisingly deep discipline: part technology, part psychology, part communications science, and several other parts besides. To be effective, training must be built on sound principles of adult learning, follow proper curriculum development methods, and be produced with values that engage, inspire, and ultimately change learner behavior. Are these your areas of expertise? There is a lot that goes into a truly effective training program. In fact, e-Learning is such a large topic that we wrote a book about it!
Equally important, though, is the depth and breadth of subject matter expertise. Take the area of governance, risk, and compliance (GRC) for example. Covering this topic alone may require multiple courses, from Codes of Conduct to privacy principles, and should rely upon a multitude of disciplines, from IT to corporate law. And that’s just the beginning. Add to this the necessary mix of courses addressing security basics, phishing, HIPAA, BYOD, PCI awareness, records management, mobile computing . . . It’s a long list, indeed. Moreover, the content is constantly changing as both threat landscapes and regulations evolve.
Still thinking you want to tackle this on your own?
Verizon, in a recent compliance report, addressed this very training aspect, stressing, “Even with the best will in the world, and with sponsorship and budget secured early, your organization may lack the specialist expertise and internal resources needed. . . . While using external providers clearly comes at a cost, there’s a cost associated with using internal resources, too.”
The bottom line is that the primary argument for outsourcing awareness and compliance training is also a financial one. However counter-intuitive it may seem, DIY training is rarely cost-effective, because most organizations grossly underestimate what it takes to design, develop, and deliver effective materials. The make-versus-buy decision is greatly simplified when a competent outsourced solution can be delivered in as little as a tenth of the time, and at a fraction of the cost, of building the training in-house. Nor is DIY a security-effective proposition: there is simply too much specialized, fast-changing content to master and maintain in-house.
When all is said and done, outsourcing this vital activity is the most viable option if your objective is to foster a sustainable culture of security and compliance behaviors that become organizational habits. Building it yourself is, frankly, not the best use of your resources or your people's time. Training providers exist so that you can focus your time, energy, and resources on your core competencies and leave training to specialists.
The only remaining question, then, is how to select a training solution provider. Certainly they are not all created equal. The quality of courses, approaches to web-based training, incorporation of the principles of adult learning, and the ability to reflect your brand and culture all vary tremendously. A good training provider will address all of the foregoing while quickly assembling a tailored mix of courses built on an enterprise-scale approach to e-Learning that works.
Want to learn more? Check out this powerful tool to help you sort good from bad. Then contact us. As award-winning experts in security and corporate compliance training, we’ll be happy to help you arrive at the most cost- and security-effective solution possible.