Compliance-Driven Training: How You Check the Box Matters

Whether you’re for it or against it, a believer or a scoffer, compliance-driven security awareness training initiatives are a reality that must be reckoned with. Not only are they not going anywhere, they are actually likely to multiply given emergence of additional cyber security–based regulations and some U.S. legislators eyeing global cyber laws.

Some of our security awareness training colleagues would have you believe that any training-related activities are a waste of time. That there is little to no value to delivering cyber security education (no matter what the mean old regulatory board/government entity thinks). Here’s our take:

1. If you approach cyber training like it’s a waste of time, it will be.
2. If you find no value in educating your employees, they won’t find value in it either.

Megalithic Training Is No Symphony

So many times, the attitude related to compliance training is “Let’s just get this over with.” And while we can certainly appreciate that thought process, we caution administrators that a giant, once- or twice-a-year content dump is not only not effective, it can be more disruptive and more of a time drain than a program that embraces a more regular, continuous approach to education.

How so? Well, consider that annual or semi-annual training is generally delivered on a restrictive schedule (i.e., users have a set day or a short window during which training must be completed). During that time, all employees in all departments must set time — and work — aside in order to attend or complete a looooooooooong, soup-to-nuts training exercise. Business, of course, must go on during this time frame, which means that employees and administrators alike stress out about fitting in training with other day-to-day responsibilities. The experience becomes a negative one, irritation abounds, and focus and attention suffer.

Compare that to training modules like ours, each of which is 10 to 15 minutes long and focuses on the ins and outs of a specific topic (think email security, passwords, and safe use of mobile devices). Instead of assigning them all at once, we recommend delivering them on an occasional — but regular — basis. With this approach, employees can choose when to allocate time to the training (usually within a 30- to 60-day period). This alone helps to ensure that users are more focused and attentive to the message. Couple that with the fact that the education is interactive and targeted to a single topic, and you’ll see why users tend to retain more information and get more out of this style of training.

If You’re Gonna Do It, Do It Right

Any parent with a school-aged child has seen the results of “phoning it in” as far as homework goes. I have an 11-year-old son who, bless him, still thinks I will not notice the difference between true effort and marginal effort. His protests of “I know, I know” — though so very helpful — are as half-hearted as the effort made. What shows in the sloppy work and mistakes is that he, in reality, did not know nearly as much as he thought he did when he completed the work.

How does grade-school English homework relate to compliance training? Quite simply, phoning it in leads to less-than-stellar outcomes.

Those who assume that employees already understand cyber security — or, far worse, who assume that employees are just too darn stupid to learn a darn thing about it — are playing a dangerous game. First, it opens the door to unnecessary risk. Second, this thought process leads to poor decision-making about cyber security training. Selecting the cheapest or otherwise “most expedient” route is not the ticket to saving time or effort in the long run. In fact, it could cost more.

Our research has shown that better trained, better educated employees suck less time and effort from your IT response and remediation teams — and less money from your budget. That’s why our bottom line for compliance-driven security awareness and training is this: if you’re going to take the time, give yourself the best shot at getting something out of it.

In developing our education materials, we rely on Learning Science Principles. Why? Because they have been proven valuable and successful over many, many years in many, many educational settings. Who are we to argue?