Rethink compliance training in 2022

15 February 2022 by Catalyst

How can you use your existing investment in compliance training to go beyond simply meeting compliance requirements and create a sense of responsibility among your employees? This post explores how creating context using role-based training within your learning management system (LMS) can help.

 

One size fits all training methodology

Let’s use cyber security awareness as a training subject example. It is vitally important for organisations of all shapes and sizes, and increasingly the value of an optimised awareness program is paramount.

While a one-size-fits-all approach to training is easy for the learning and development team to manage, research shows that it does not work.  Unrelatable content and inappropriate delivery modes will undermine your efforts.

A one-size-fits-all approach can be ill-fitting

Where it can go wrong

One example of a one-size-fits-all approach falling short is the introduction of simulated phishing campaigns alongside informational training. This approach involves the security team sending semi-believable phishing messages to the workforce, attempting to dupe them into following a request to give up credentials or follow a malicious website link. The workers who follow the link are then punished by being redirected to a security awareness training module that explains what they did wrong. Spare the rod and spoil the child, right? Wrong.

Feedback shows that the ‘catch them out’ approach does nothing but alienate your team; it shatters their confidence and their trust. They feel victimised by the organisation that’s meant to support them.

Every staff member’s perspective is different, and data shows that depending on time of day, phase of compliance or reporting cycles, or individual health and wellbeing of each team member, they will make different decisions. The same person might acknowledge the phishing attempt first thing in the morning, but after lunch or before they head home after a particularly stressful day, they may not be so vigilant; so, what has that test really achieved?

Minimal input equals minimal output

The reality with training is that most people want it, but very few engage with it when they get started. It has to really grab the learner’s attention and provide meaningful alignment to their work or personal circumstances.

From a trainer’s perspective, the objective of security awareness training is simple – you just need to demonstrate to your auditor that you do it. You can buy an off-the-shelf training solution and push it out to everyone, mandating that they all watch a 90-minute video once a year and pass an exam. Rinse and repeat. Passing the audit is important. However, when the boardroom requests its annual audit of security spend (again) and you’ve paid the awareness vendor a significant amount of money (again), they may well question the value. The only saving grace might be that you need it to remain compliant.

Get buy-in from the basement to the boardroom

Getting buy-in for your compliance training program is the most important first step in fulfilling your obligations for standards such as ISO 27001. Making training engagement fun and memorable can make it even more successful. But why stop there?

Role-based training with your LMS

Rather than creating a single set of modules that you push to every member of the workforce, hoping they all review the content and answer a few questions, we recommend that you group training based on roles.  For example, you could profile the discipline of security from that broad awareness base, all the way up to the specialised roles in your business, such as security engineers, risk managers and even the executives that look after compliance.

Further … what if we told you that you can align your compliance training with a more rigorous architecture of needs that ensures everyone getting security training receives the right level of teaching for their role?  Not only that, what if it encouraged them to add value and take responsibility in their environment and day-to-day working routine?

Abraham Maslow, an American psychologist, designed a theory of motivation that morphed into a useful assessment tool often used today to align training needs (and even working condition needs) to individuals. This ‘hierarchy of needs’ is represented as a pyramid that helps visualise needs, from physiological and safety needs at the bottom to growth needs, such as cognitive and transcendent needs, right at the top.

Maslow’s hierarchy of needs illustrates a theory of components needed to motivate individuals

Since most people want to feel secure, they are most likely to take action if they feel valued and considered. Consequently, you need to connect with them on a personal level. Rather than dumping how-to guides onto every team member, use your learning management system (LMS) to provide interactive training that engages your learners with content and situations that relate to them, in their working environments and their lives.

Create role-based archetypes

Crafting your organisational learning and leadership skills into something that promotes positive change across the entire business, with no additional effort, has to be good. You can do this by designing a Maslow’s pyramid for each role-based archetype of learner within the business, to understand their needs. You can then create situations and context that engage them as people and show how it might affect them.

As you move from one archetype to another, for example your administration team to the IT team, you will learn that their worlds are somewhat different. The kinds of people they are often differ too: their backgrounds, the experiences their jobs bring to them, their demographics, and even cultural differences.

Some of the most devastating cyber attacks of all time came into organisations through teams who simply weren’t aware they were being targeted. Not everyone is a big user of IT: some jobs are focused on interactions with people, and some are consumed with very specialised responsibilities. Any of these people can easily become targets. However, they might not understand the extent of the access their job could afford cyber criminals.

Create context and content that is meaningful

Creating context that resonates with learners is key to raising their awareness and their responsibility. All staff can become champions of security in their own environment. They may even become advocates and help improve the culture of the business.

 


Create role-based training functionality for your LMS

Catalyst IT is an award-winning, multi-region Platinum Totara Learning Partner. We work with enterprise-level Totara Learn LMS environments to create new functionality, integration and performance optimisation that helps our clients meet their compliance obligations and their learning and development goals. Can we help you?
