GRC Viewpoint

8 Best Practices for Successful Cybersecurity Compliance Training

Most regulations and frameworks these days mandate that organizations impart regular training to employees. That said, evidence suggests that current training activities are not meeting the required risk mitigation objectives, and the majority of employees report that their training experiences are uninspiring and unmemorable. So how can organizations make compliance training more engaging and effective? Here are eight best practices that can help:

  • Create a Steering Committee:

Identify people in your organization who have an interest in compliance. Meet with them regularly to discuss how training can be made more engaging and effective rather than something that must be tolerated. Instead of repeating what was done last year, look at ways in which training tools, approaches, and the overall compliance strategy can be simplified, improved, or enhanced.

  • Secure Leadership Buy-in:

If your leadership doesn’t view compliance as something that’s important or something that enhances the value proposition of the business, then it’s highly unlikely they will support, endorse or advocate for your training program. To secure leadership buy-in, bring metrics and data, show real-world examples and risks of non-compliance, speak in ROI terms, and highlight the benefits the business will gain if the compliance program attracts higher participation rates.

  • Assemble a Team:

Recruit a diverse team of individuals who can provide honest, unbiased feedback to you.

This team will be different from the steering committee, and the inputs you receive will act as data points for your discussions with the committee. To build your focus group, look for people who have an interest in compliance and who carry a level of influence amongst their peers. Gather feedback from those who routinely critique the program and weigh suggestions that may improve the overall training program or process.

  • Maintain a Balance of Build vs. Buy:

Content is one of the key pillars of effective training. For content to be effective, it must do three things. First, it must be meaningful, relevant, and personalized. Second, the concepts and principles must be easy to understand and follow. Last, the content must be sustainable so that it’s long-lasting. Look for the right mix of in-house and branded content. The idea is to have enough in-house content so that the program feels relevant and personalized, and to use content from an experienced compliance training provider to get high production value and the appropriate amount of content that resonates with your audience.

  • Design the Program to be Inclusive:

When it comes to compliance, every employee will have varying degrees of competence and enthusiasm. That’s why it’s important to tailor the program to the training needs of employees. When designing a program, it is also important that compliance managers keep the user experience of mobile or remote users in mind. Consider mobile usability when deciding on content for your program, as this can go a long way toward making compliance training less painful for mobile users.

  • Use High-Quality Content:

Avoid subjecting your employees to “death by PowerPoint”. To enhance the overall learning experience, use a mix of video, graphics, interactive content, in-class training, tabletop exercises, and phishing simulations to identify bogus or suspicious emails and communications. Bring in experienced industry experts and speakers to improve attentiveness and credibility for the program.

  • Leverage Compliance Automation and Gamification:

Gartner says that within a few years, formal, annual compliance training will be reduced by half in favor of embedded workflow-based controls, defined as “built-in, process-based mechanisms that shepherd employees to compliance within their workflows and may be detective, preventive, or corrective.” This model is said to improve participation rates substantially. Gamification can also make training activities more enjoyable and interesting. Organize contests between executives and teams to make the program more competitive. Use progress bars, dashboards, badges and ribbons to motivate employees. Provide gift cards, meal coupons, exclusive advantages and preferred parking spots to make training more gratifying.

  • Train Frequently:

Most employees (90%) forget training within a week. This is why training should be an ongoing, frequent exercise instead of a once-a-year event. Try to break training into smaller segments, conduct it more often, and make the content more consumable. Remember, 5-15 minutes per month is a lot more effective and less painful than four hours every February.

While compliance is not foolproof, it certainly helps increase accountability in businesses, improves adherence to regulations, and helps build an ongoing process of periodic review, monitoring and analysis of the organization’s compliance posture. Following the above best practices will not only ensure better participation in your compliance training but also give you a better handle on, and a clearer pulse of, the entire compliance culture of your organization.

About the Author

Stu Sjouwerman is founder and CEO of KnowBe4 [NASDAQ: KNBE], developer of security awareness training and simulated phishing platforms, with 50,000 customers and more than 25 million users. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including “Cyberheist: The Biggest Financial Threat Facing American Businesses.”