Why Training Must Be Part of Your Comprehensive Security Compliance Plan
Security compliance training can’t be an afterthought. We explore the benefits and options for finding the right training for your organization.
- By Rachel Zahr
- January 21, 2021
As businesses around the world adopt or maintain a remote work culture, they continue planning for activities that took place largely in person before the onset of the pandemic. This shift has forced organizations to adjust how they prepare and plan. One example is compliance audits, which went virtual in 2020.
Even in times of uncertainty, it remains the organization’s responsibility to stay sharp and on track when it comes to security knowledge, planning, and response, so security teams must learn to prepare for compliance audits in a new way. Now that many are administered remotely, teams must be aware of potential shortcomings. A virtual audit may not catch everything that its physical counterpart could have.
A passing mark on a compliance report doesn’t mean an organization’s security posture also gets a good grade. Anything an auditor overlooks is still there for an attacker to exploit.
With headlines daily about new attack patterns, attack vectors, and creative cyberattacks, all of which have risen sharply over the course of 2020 (a trend I expect to continue), it’s more important than ever to arm your entire organization. Who is responsible for preparing for the ever-increasing chances of being a cyberattack target? The auditor? Your organization’s security team?
In fact, every employee plays a part in keeping your organization’s data and the data of your customers secure. Arm them with the security knowledge and training necessary to not just pass compliance audits but pass with high marks. Compliance audits -- and the standards themselves -- should be regarded as the minimum requirements. Striving for the gold standard in security regulation and compliance is one of the best ways to protect your organization, employees, and customers.
Employee Training Improves Compliance Rates
Compliance rates on security audits for industry standards and regulations such as the Payment Card Industry Data Security Standard (PCI DSS) have been falling according to a survey of industry professionals. In fact, compliance with PCI DSS declined for the first time since 2012, slipping from 42 percent in 2018 to only 26 percent in 2019. There are many reasons for the drop-off in compliance, but for 10 percent of respondents, a key factor was a decrease or elimination of compliance education.
Meanwhile, other regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), don’t have a pass/fail compliance system per se. However, for compliance, they do require training in security topics and best practices, including social engineering, passwords, and encryption, when employees are hired or when policies or procedures materially change.
One-time training designed to tick off a box on a checklist will not satisfy HIPAA requirements for compliance training. Although HIPAA does not specify how frequently training should occur to maintain compliance, the HHS Office for Civil Rights (OCR), which enforces HIPAA, said in a recent cybersecurity newsletter that monthly security updates and biannual training work well for many healthcare organizations in meeting the requirement.
Cutting Data Breach Costs
Failure to comply with the regulations that your organization needs to meet could carry heavy penalties, including fines and revocation of licenses and/or certifications. Training keeps your organization current with applicable regulations and reduces the potential for information loss. The benefits of training can be dramatic. Over the last 14 years, no confirmed data breach has occurred at an organization that was fully PCI DSS compliant at the time. Organizations that have experienced a data breach see their average cost per occurrence reduced by $270,000 after their employees have completed PCI DSS compliance security training.
Resources to Meet Your Specific Organizational Needs
As cyberattackers continue to gain steam in upcoming months, the time to train your employees is now. Although you may have asked your team to undergo mandatory training to check that compliance box, an organization truly dedicated to protecting customer data and its overall reputation must ensure that teams are fully prepared with tools and relevant training resources.
For instance, plugins that identify vulnerabilities as developers write code, and teach them to code securely, can be incorporated seamlessly into integrated development environments (IDEs). As coding errors are flagged, contextual guidance helps developers avoid repeating the same mistake. Such tools help you build security into your software as it is developed, rather than bolting it on after the fact.
Developers are only one group that needs to be made aware of potential threats. Consider e-learning training specific to a worker’s role (developer, architect, DevOps manager, security practitioner, executive) and relevant compliance standards (e.g., the GDPR, PCI DSS, CCPA, HIPAA), especially for your widely distributed remote teams.
Working remotely is not just an emergency step, it is the current new normal. In this environment, it is important to focus on more than trying to survive audits and cross your fingers against cyber attacks. Training, including e-learning, needs to be tailored to fit your organization’s specific business requirements. That is key to successfully navigating compliance audits and maintaining data security.
About the Author
Rachel Zahr is a security solutions manager at Synopsys. Rachel began her career as an affiliate marketer, making the shift to cybersecurity where she focused on enterprise software and tooling. Rachel has spent years acquiring knowledge in topic areas such as DNS, CDN, WAF, bot management, cloud platforms, application security, and security training and knows her deep curiosity will help grow that list skyward. You can reach the author on LinkedIn.