Training is a major component of employee development. Training takes a lot of different forms from sales training to workplace safety to sexual harassment to security and compliance. As the amount of training per employee has increased, the success of employee training, in terms of effectiveness and comprehension of training, has become more challenging.
Complicating this challenge, the tools used by companies to deliver and manage employee training, most commonly learning management systems (LMSs), have not kept pace with the work that employees do and the technologies employees use. As modern work has moved from email to chat (Slack and Teams), as technology has moved from on-premise to the cloud, as work has gone remote, and as tools have moved from web to mobile, employee training has lagged behind.
Effective training for a modern workforce using modern, cloud-based, and SaaS tools requires a fresh approach in 2021 and beyond. With a lens on compliance and privacy training, this guide covers the various compliance training requirements organizations face in 2021, why privacy and compliance training is table stakes for every company today, and how best to build an effective training program.
While the focus of this guide is on compliance training, both privacy and security awareness, the lessons contained herein are broadly applicable to employee learning and development.
The terms privacy, compliance, and security awareness are often used and the differences between them rarely appreciated. While the terms are related, they are separate and distinct. For smaller companies, these functions often overlap with employees having ownership and accountability across two or even all of them. As organizations grow, there is more separation between the functions and entire departments dedicated to each one.
Below is a summary table of how the functions are different from each other.
In practicality, the functions need to work together to create a functional privacy stack, also called an information security management system (ISMS), compliance program, or privacy program.
Each of the functions builds on the others. Privacy defines the policies and procedures for the ways data should be handled and protected, cybersecurity implements controls and technology to meet the policies and procedures, and compliance verifies the chain from privacy up through security does not have gaps.
Privacy makes promises. Cybersecurity implements those promises. Compliance validates promises are kept.
Ideally, these functions have boundaries to ensure separation of duties and to avoid conflicts of interest.
The following sections go into more detailed explanations of each function.
Privacy is the first step. Once a compliance DNA, or framework, is chosen or assigned to an organization, relevant controls need to be addressed with privacy policies and procedures. Given the dynamic nature of compliance regulations in 2020, privacy policies and procedures need to be revisited and kept up to date.
Once privacy policies have been written and acknowledged by all employees, it is up to cybersecurity to implement them. Cybersecurity often falls under IT. Cybersecurity is both in charge of configurations and security monitoring, with a plethora of new tools in the market and lots of noise from constant alerts.
With rapidly changing technology, especially services from cloud providers like AWS, Google, and Microsoft, keeping security configurations up to date is a constant challenge.
Compliance is about keeping promises. It’s about building trust. It is the best representation to the market, customers and partners that you have created and executed privacy policies and procedures. Compliance is largely about proof, and the collection of that proof can be a bane on both security and privacy.
Compliance, in larger organizations, is lumped into Governance, Risk, and Compliance (GRC). GRC, both the functional area and the product category, is associated with large, enterprise companies. In smaller organizations, formal GRC groups rarely exist; in these orgs, the functions of governance, risk, and compliance are divided between ops, IT, legal, and HR.
In modern technology companies, even larger ones, modern tools have been adapted to be GRC platforms. One notable example of this is Atlassian, which uses its own software products for GRC.
Compliance training have not been a high priority for many companies. This type of training used to be bolted on to existing, general-purpose training platforms. Security awareness and privacy training were often, at least by employees, seen as a checkbox. There was little focus on comprehension as the main goal was to ensure proof of training for audits.
This all changed in 2017 and 2018 with the rollout of GDPR. GDPR, by putting the onus on the entire organization to implement data protection by design and default, forced companies to care about personal data in ways they have never been forced to before. It also forced companies to train members of their workforce in privacy and regulations, not simply security awareness. GDPR was a catalyst for similar regulations like CCPA in California.
GDPR and CCPA are extremely broad in their reach and coverage. Modern technology companies, which by definition cross borders, are now confronted with the specter of complying with multiple data regulations.
Take, for example, a data collaboration platform like Slack. Slack has a global reach. It also has customers across specific verticals like healthcare, financial services, and government. Slack, like most technology companies, has a page dedicated to attesting to their security and compliance posture. Slack lists the following:
Complying with the above means constant, never-ending audit cycles. Audit cycles that require proof of relevant training of employees and contractors.
Below is an image of geographies and data protection enforcement. As you can see, the world is not uniform and complying across borders is extremely difficult.
The first step in building an effective privacy stack or compliance program is developing and adopting privacy policies and procedures. The second step, which is the actual implementation and execution of your policies and procedures, requires the training of employees. Unfortunately, this is just one more thing that companies have to do in 2020. And it is a lot harder for some companies than others.
Slack is a big company with lots of resources. Smaller technology companies often face similarly daunting compliance and privacy requirements without the resources to address them.
Data regulations are the new cost of doing business; but, in cases where companies have few resources to dedicate to implementing privacy through training, the cost of doing business can be too high and corners can be cut. This exposes organizations to risk - risk from regulators and risks from customers.
And, this does not take into account data regulations that are currently being negotiated or have passed but are not yet implemented. Compliance, and the myriad of unique training requirements contained herein, has become a dynamic, many-to-many problem for companies.
Compliance and cybersecurity are not just top of mind for consumers and legislators. If you sell software or services to businesses, your customers are increasingly demanding you walk the walk, meaning you implement your privacy policies and procedures. They are likely asking you to prove it on a regular basis, either annually or quarterly.
And, they are likely wanting to see cybersecurity as a core principle and competency across your entire workforce. Engineers and operations people may be implementing cybersecurity controls but enterprises expect all of your employees to be well versed in relevant regulations and privacy matters. It is unacceptable for sales and marketing people to punt on these questions. At Haekka, one of the most consistent responses we get to our training is how excited customers are to be able to easily empower their entire company with knowledge of compliance and privacy, not just their IT groups.
The Internet, connected devices in our homes and in our pockets, and the rise of e-commerce have reshaped the global economy. Personal data has become the new global currency and many of the largest companies in the world, most notably Google and Facebook, run on products and services that leverage personal data. Google and Facebook are just the tip of the data iceberg. There are countless other products and companies that leverage personal data to make money.
This explosion of personal data and data products over the last 20 years have powered much of the growth of the Internet and connected services. But, the last several years have seen increasing public concern and governmental debate about personal data practices. Today, in 2021, privacy and data regulations are eating the world. There are over 100 unique data regulations across the globe and the penalties for not complying with these regulations are higher than ever.
For starters, GRC platforms, the backbones of compliance programs, have failed to keep pace with the changes in work and technology. New, integrated risk management platforms are the new normal, though they are not widely adopted by small to medium size companies. Instead, small to medium-sized companies typically build their own mix of tools to track compliance operations, resulting in a hodgepodge of evidence sources and lots of work at audit time.
When it comes to privacy, even large enterprises with dedicated privacy people and budget are struggling to keep up with new regulations and training. They are also struggling to ensure their policies and procedures address the relevant regulatory controls. And those are companies with dedicated budgets for privacy, something most small to medium-sized companies do not have.
And, in cybersecurity, we are seeing an explosion of software tools and service offerings to fill gaps in implementations and monitoring of technology, especially on the cloud. The last several years have seen many security product acquisitions as large companies look to unify the disparate cybersecurity toolset into an integrated security platform. Small to medium-sized companies continue to deal with the exhaustion of alert fatigue, with very little signal to the amount of noise generated by disparate tools.
When it comes to compliance and security awareness training, the challenges facing all companies are daunting. The need to comply with multiple, and evolving, privacy and data regulations, coupled with the fact that each one has different requirements for training, leaves organizations struggling to meet all of the controls to which they attest compliance.
Additionally, training often falls across multiple groups within an organization, meaning that ownership for compliance training in totality is spread across multiple departments and individuals.
The specific content of the training is also dynamic. Security awareness training is constantly changing as the relevant threats and technologies change. OWASP, which maintains lists of the most common vulnerabilities to be aware of, changes based on the market. Privacy training, based on regulations, changes as regulations and company policies change.
Compliance, privacy, and security are not the same. And training for each is not the same. Understanding the differences is essential to ensure you cover all of your training requirements. Many companies skimp, unknowingly, because they think that each of these types of training are equivalent. They are not.
Privacy training is focused on two broad areas - 1) the policies and procedures of your organization and 2) the relevant regulation and laws.
Policies are typically written to map to the requirements or controls to which an organization must adhere. While the specific language varies from company to company, they are relatively similar across companies in a specific sector. These are usually the basis of compliance programs.
Procedures are the workflows or steps that employees need to follow. They are mapped up to policies.
Training on regulations is informing employees about their legal responsibilities in doing their jobs. Often, these align tightly or 100% with policies so this type of training overlaps with policy training.
Cybersecurity training for employees is commonly called security awareness training. It involves training on security best practices, like password settings, personal firewalls and VPNs, and the use of 2-factor authentication. We refer to these security awareness training as security hygiene. While not always a 1:1 to procedures, there should be alignment between cybersecurity implementation and procedures.
Compliance training is made up of both privacy training and security awareness training. It is what is required by the letter of the regulation, or regulations, to which you comply. It does not matter if it is HIPAA or GDPR or SOC 2 or CCPA, your employees should be trained in both privacy as well as security to meet the training requirements of these regulations.
The compliance training requirements for GDPR, CCPA, SOC 2, HIPAA, and HITRUST are listed in the summary table below and in detail further down.
For the purposes of the summary table below, we categorized training in the following ways: