How to Provide Security and Compliance Training to Diverse Workforces

By Barry Cooper  |  Posted 2010-06-01

Your IT security team has done due diligence in hardening your organization's IT infrastructure to align it with the latest regulations. You've deployed state-of-the-art Data Loss Prevention (DLP) and intrusion prevention systems (IPSes), firewalls, and antivirus and antimalware solutions. And you have personally overseen all recent compliance audits. You think you can now rest easy; after all, you've raised your organization's security and compliance posture to the highest level possible.

But, suddenly, your world is turned upside down after reading a letter from a credit card company informing you that it believes your organization is the victim of a breach that has compromised payment card information on millions of your customers. You wonder, "How could this be? We've taken every precaution possible!"

Several months later, a time-consuming and expensive forensic audit reveals that cyber-criminals penetrated your network using an employee's user name and password. It's possible that the criminals obtained the password because the employee opened a document rigged to take advantage of a zero-day exploit.

In this case, it took only one oblivious employee, one who had no understanding of how important it is to avoid opening attachments from unknown and unverified sources, to reduce your IT security infrastructure to the equivalent of an unlocked door with a red blinking sign that reads, "Come on in and take our cardholder data!"

To prevent data breaches and security incidents, organizations operating within regulated environments spend years continually hardening their IT systems and controlling access to information so that employees, customers and business partners only have access to what they need to do their jobs. However, with all of the effort put into information security strategies, one step is often overlooked: training.

Hardening your IT systems without training employees leaves a gaping security hole. Training employees on the latest standards and best practices, on how to integrate security and compliance-focused habits into their everyday functions, and on how to recognize suspicious behavior is a critical component of any information security strategy.

Unfortunately, training is expensive and resource-intensive. It is no simple task to create a training curriculum, prepare materials (and keep them updated), and then ensure that the training is available around-the-clock to meet the schedules of employees who may be located throughout the world.

Cost-Effective Training Options

Fortunately for regulated organizations, a variety of cost-effective training options are available that can be used to teach every employee how to reduce risk by bringing security best practices into their everyday work environment. These flexible training products and services can teach doctors, for example, that opening attachments from unknown and unverified sources is high-risk behavior. Or they can teach fast-food franchise managers that a password such as "burger_and_fries" is easy for a hacker to guess and could grant access to a corporate intranet. Or they can teach hospital employees that just because a file is stamped with the initials "HIPAA" (the acronym for the Health Insurance Portability and Accountability Act) doesn't mean it's secure.

Benefits of effective training programs

Choosing a security and compliance training vendor and program for your workforce may seem like a difficult task. The good news is that countless online and on-premises options are available. An effective training program needs to address the specific requirements of your organization.

When evaluating a vendor and a training program, make sure that, at a minimum, they can provide your employees with these eight benefits:

Benefit No. 1: Basic training in major industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS), HIPAA and other compliance-specific courses

Benefit No. 2: On-demand, Internet-based options that can extend training to a distributed and diverse workforce on a 24/7 basis

Benefit No. 3: Compatibility with your organization's current learning management system (LMS) to ensure that it is easy to integrate the training program into your organization

Benefit No. 4: A metrics feature that enables your organization to track participation, course completion and knowledge retention

Benefit No. 5: Real-world training delivered through courses developed by subject matter experts who have completed compliance and security assessments within your industry

Benefit No. 6: Interactive, media-rich content and curriculums that encourage student participation and knowledge retention

Benefit No. 7: Constantly updated best practices, security and compliance knowledge

Benefit No. 8: Flexible pricing options that respond to your budgetary requirements

Training is an important and vital component of any information security strategy. Make sure that you implement an effective training program that fits the needs of your organization. Your reputation, continued customer loyalty and even the organization's financial position can be negatively impacted by a data breach that proper training could have prevented.

Barry Cooper is Vice President of Training Services at FishNet Security. Barry has over 20 years of experience in IT. He has designed and provided training for technical courses for over 15 years. He has significant expertise in systems analysis, programming, and network engineering. Barry is responsible for security education services, operations, management and leadership of the FishNet Security's training organizations. In addition, he manages vendor, security and distance learning product development.

Barry has over 70 high-level security and technical certifications including CISSP, JNCI (Juniper instructor), CCSI (CheckPoint instructor) and CTT+ (Certified Technical Trainer). He is a member of the American Society for Training and Development (ASTD) and the United States Distance Learning Association. Barry earned a Bachelor's degree in Organizational Leadership from Calvary Bible College and is currently pursuing a Master's degree in Education. He can be reached at
