Our team at KnowBe4 recently got together to talk about planning for annual security and compliance training.
You might be thinking, “Aren’t you a little late in planning for the year? It’s March already...”
We are actually talking about 2025.
Not everyone trains millions of learners all around the world like we do, so your planning for compliance and security training might be on a different timescale. But if you don’t start thinking about how you will plan for next year soon, it can really sneak up on you.
That being said, I worked with our amazing team of Security and Compliance Content Specialists, who are talking to organizations every day and helping them plan, to come up with this list. If you have not connected with one of them, reach out through your KnowBe4 representative, and they will help you plan your program that combines compliance and cybersecurity training. Let’s get into our list:
10 Tips for a a Year-Long Security and Compliance Training Program
- Whether you are using just KnowBe4 to meet your compliance and security training needs or a combination of content providers, aligning these efforts is a huge tip. Our teams internally at KnowBe4 created a combined training plan that involved Legal, Compliance, Cybersecurity and HR. They were able to work on a plan that complements each other's training and ensure that it is spread out enough so as not to overwhelm the workforce. We often hear this is done through “tradition” where, for instance, the first quarter is always for HR training, and Legal compliance is done in the fourth quarter. Traditions can be hard to break but a more integrated program that has content from all areas throughout the year can have a lot of benefits for all divisions in an organization.
- Break it up into smaller, more frequent modules. My boss, Stu, had a great blog post about The Forgetting Curve that explains the science behind the need for more frequent cybersecurity training. The same applies to compliance training. All of us who have conducted compliance training in the past have noted the rise in reporting right after the annual training, some of which is far beyond the time when reporting should have taken place. If you are constantly reminded about being diligent about reporting things and how to do that (whether it’s a phishing email or a possible harassment issue) you are more likely to report it in a timely manner that can make the difference for an early intervention to be effective.
- Consider mixing content styles and types to to keep learners engaged. Marketers know the science behind changing behavior, and it’s not by watching one video or reading one poster or fact sheet. We always say, “train like a marketer” because there are lessons to be learned about how to get the message across from that discipline. Mixing it up with games, newsletters, interactive modules and videos is a great way to keep things fresh and engaging. People just disengage when they see the same old type of content. Don’t be afraid to include a few modules (or learning activities) rather than one large module. People tend to respond better to a few things they have to do that are 5-10 minutes than one 20-30 minute module. It may not be possible for every topic but when you can, include a number of different modules in a training event and/or campaign.
- Customize your training to increase effectiveness. We help both small organizations and some of the largest in the world with their training plans, and a good rule of thumb is 80/20. This means 80% of the content should be off-the-self from us and 20% should be specific to your organization to make it relevant, align with your overall culture, and specific enough to be actionable. We have been adding more features to make this easier for organizations, including the ability to upload our own video or SCORM compliant quiz to a training campaign and the successful Content Manager to add policy links and acknowledgements.
- Review your plan quarterly given new attack vectors, industry trends, regulatory changes and existing issues. Just because you plan a year ahead, doesn’t mean you can’t make content adjustments. It’s important to make sure you are getting feedback from the business leaders as well as the stakeholders who have a vested interest in security and compliance training. A great example of this last year was the proliferation of AI chatbots. Of course, many times these trends might not even have settled regulations or even best practices, but it’s good to be planning while that gets sorted out. Having the flexibility to address concerns that come up, or even placeholders in the long-term plan, can also make the training more relevant and topical.
- Plan for special occasions like holidays and significant compliance dates i.e. International Cyber Security Awareness Month in October, Data Privacy Day in January, and World Day Against Corruption in December. This is another concept that we can borrow from marketers: tying into the holidays or focused times of the year can make for a more impactful message. We all know that cybercriminals attack people personally during the holidays so some of this information can also help employees protect their families.
- Survey your users' satisfaction and revise your program accordingly. We talked about flexibility for topics, but this is another one we borrowed from some of the best organizations that are using our platform and content. The ability to adapt to the feedback they are receiving about the relevance and format of the content selected. Enabling surveying and comments for the organization can be scary, but if we don’t take it personally, we can often glean insights and make little adjustments that can have an impact.
- Leave room and promote the capability of additional optional learning. I was initially skeptical of this feature, thinking, “who is going to be interested in taking more security or compliance training?” But we have seen A LOT of people who are interested in these topics to learn more themselves. Obviously, not all content is suited for this, but series like “The Inside Man” (our edutainment series designed to teach cybersecurity awareness through an engaging narrative) or topics that can be helpful for security in their personal lives are good choices for optional learning. Getting people into the platform to look at content they are interested in, even if it’s a relatively small number of users, gets them talking about these interesting series with others and is a great way to drive engagement.
- Keep the dialogue open with your e-learning providers for current insights. At KnowBe4 we are constantly talking with our customers and sharing best practices. Use us and your other providers as a resource to help you with the planning process and share what others are doing successfully in your industry. We can also share examples that can help get some of the changes you know you need to make to leadership and others within the organization. We know this is often not as easy as I have written in this blog, but we want to partner with you because your success is our success.
- Foster a culture where following rules and regulations is prioritized by choosing a systematic and proactive approach to security and compliance training. If you have the attitude that this is not useful to the business, but we are, “checking the box”, that will be felt by your trainees. Some of the most successful organizations we work with are actively trying to have an impact on the culture. Culture is also hard to change and it takes sustained efforts over time to be able to make these sort of changes. Keep planning focused on measurable outcomes and incremental progress. "Culture beats strategy every time." While strategy outlines the path to achieve goals, culture determines how people actually behave and work together on a daily basis. If the culture is strong, it can enhance the effectiveness of any strategy. Conversely, if the culture is weak or negative, even the best strategies can fail because people might not be motivated or aligned enough to implement them effectively. It's like saying that the heart and soul of an organization (its culture) is what truly drives success, more than the brain (strategy) alone. So focus on fostering a culture of compliance rather than just having a compliance strategy.
I hope you found a few of these tips helpful as you begin your planning process. If you have ideas or best practices to share with us, please engage us. Also, if we can help you in your planning process, please don’t hesitate to reach out.