At KB4-CON 2023, we had a customer panel that I hosted discussing the connection between security and compliance training content when trying to change organizational security culture.
The panelists gave such great tips about how to run security and compliance training programs together, I thought I would blog about them. I was joined by:
- Katherine "Kitty" Gundelfinger an HR Director at LoanLogics
- Tarah Cicero a Senior Instructional Technologist at Lehigh University
- Steve Tieland, who is the Director of Corporate Security Operations at Pegasystems
Getting Organizational Alignment
All of our panelists talked about meeting with department heads to get their buy-in on what training would be the most valuable and leveraging committees to review and help select content. Both of these are great points as you want to establish alignment with the overall mission and other major initiatives and ensure that connection is clearly communicated. As Tara put it, “We have other training going on and we wanted to make sure that those connections were well communicated.”
Steve shared a frank conversation with the executives asking, “What do you want? Do you just want a checkbox?” Discussions like these helped get management buy-in from the start and helped with accountability. He also said that the HR and legal teams saw how much users liked the security training and how the security training was getting 99%-100% completion, so legal compliance training was added last year.
As a global company, Pegasystems has used Smart Groups to assign training. They met with the individual business units to find the training requirements for harassment, legal compliance, and other training. The panelists also touched on using the automated reminders that get progressively more “annoying” as the deadline approaches.
Training More Than Once per Year
“Communication and engagement throughout the year is key,” Kitty said, adding that she preferred to “Chunk it out.” Having so much online training and having a plan that spreads out training over the year to meet requirements is key to their success. Kitty also said that when people think of compliance training it is generally, “...long and boring but not KnowBe4, it’s more concise and engaging.”
All of our panelists agreed that taking a more holistic approach with a combined plan of security awareness and compliance content was a key best practice. They all use KnowBe4 Kevin Mitnick Security Awareness Training (KMSAT) and Compliance Plus content in a modular way that helps them meet requirements without overwhelming the employee base.
Reviewing Feedback Surveys
In addition to having leadership buy-in, all of our panelists talked about the various ways they engage with the people engaging with the content. They talked about using shorter, more interactive training with surveys and comments turned on and using the feedback from those surveys to improve the training plan for the next time. Our panel agreed that this is a great process for maintaining a dialog with your organization, and as long as you don’t take it personally, something that you can use to continue to improve.
Also, meeting with leaders around the organization to get feedback from them on the security and compliance training program was really helpful.
Having Accessible Content
Accessibility is making sure content is available for those team members with disabilities and use assistive technology, such as screen readers. Steve mentions that even custom training should be accessible for the users with disabilities, “...like KnowBe4 does with its content. So our users expect the same experience when completing training.” With the ability to upload your own content or even third-party content, making sure the content is accessible is a very important consideration.
This group of customers is doing a great job of combining the use of Diamond Level security awareness training with our Compliance Plus content. The development of KnowBe4's Compliance Plus training library is in response to customers wanting the ability to have the same features and quality of content our global publishing teams build for KMSAT. Even though they had access to less than 70 pieces of content from a third party, including in Diamond Level, they needed more topics to meet all their compliance needs. The Compliance Plus library currently includes 450 (and growing) pieces of content to address these needs. It is great to hear from customers who are using both successfully!
Reach out to us for a discussion about integrating your compliance and security awareness training.