Your compliance personnel need to have a great breadth of knowledge across an entire compliance engagement. They may be generalists or specialists — or a mix of both. In either case, not just anyone can come in and fill that slot. It’s a true specialty skill.
Don’t take those people for granted. Exceptional compliance personnel are rare and in high demand. Getting to that level of expertise doesn’t just happen overnight — and in many organizations, it doesn’t happen at all.
That’s why it’s critical to have a strategic approach to training your security and compliance personnel to excel at their jobs.
Your Compliance Team Is Under Trained
I work with a wide variety of organizations on a broad range of engagements, and I continually find that the people provisioning compliance evidence are under trained in the realm of security and compliance. If you think that the personnel provisioning evidence for your compliance engagements are experts in security, simply because they have a technical background, chances are high that you’re mistaken.
My first experience with under-trained people was my very first time going through a PCI-DSS certification myself. Keep in mind I had been leading IT teams for the better part of 15 years at that point. But once I made it through my first engagement with PCI, I realized how little I knew at the beginning. It’s disconcerting to be in a position where you don’t know what you’re doing and you have people depending on you to get it right.
It was also startling to realize how little the people on my team knew. I was in IT management, but I had frontliners who were software architects and senior developers. I was operating under the assumption that all these people on my staff knew all about security and compliance. They didn’t — and they weren’t the exception to the norm.
There’s a difference between having the skills to keep operations going, and having the skills to know how to do those operations in a secure and compliant manner. Those are two different skill sets, and the vast majority of organizations take it for granted that their IT frontliners understand security and compliance.
Don’t assume that your IT personnel already understand security and compliance. They’re experts in their field, but that doesn’t mean they have expertise in security and compliance. It’s a different realm, and it’s unfair to place the burden of your security program on professionals that don’t have the proper training or experience.
What’s more, most people aren’t going to raise their hand and say, “I don’t know a damn thing about how to do my job securely.” They want to be successful, but they don’t want to lose their job. So they keep their mouth shut and do the best they can. Meanwhile, leadership remains blissfully unaware of the risk this position puts on everyone involved.
You can avoid placing your personnel between a rock and a hard place by taking a strategic approach to security and compliance training. Here are a few ways you can do that.
Determine Your Training Needs
Look at the backgrounds of the people on your team. Do they have certifications in security and compliance? Have they worked at secure and compliant organizations in the past? That will give you a sense of the training needs on your staff.
Also privately go to your Consultant or Assessor and ask them which of your personnel need to know more about what they’re doing? Chances are, these experts knew within a couple weeks of working with your team exactly who could use some training.
Get Certified in a Compliance Training Program
There are tons of third party security training options available for your compliance team, and you can get lost going down the rabbit hole. For most of your people, a basic overall security and compliance training course is a good start.
For those who need a broad base of knowledge, I’d recommend getting a CISSP certification. This is a general security style certificate that will get your feet wet in a range of areas. This is especially helpful for personnel who are new to the compliance arena.
If you’re going up against a PCI-DSS certification, you might also consider a PCI Internal Security Assessor (ISA) qualification. This training program gives you a certification as an internal auditor within your organization. The training will provide a broad spectrum of knowledge that’s specific to PCI-DSS.
In the end, there is no substitute for gaining years of experience in security and compliance. Becoming an expert takes time. No book compares with the value you get simply from doing compliance and learning from others on your team, your Consultant, and your Assessor.
At the end of the day, the initials behind your name don’t matter. What matters is what you as an individual do with the knowledge and skills that you have. It’s about you as a person and your experience — and how you leverage the education you have — not about the formal training and certifications that you’ve received.
Provide Mentoring to New Compliance Personnel
Formal training gets expensive. Mentoring can be just as effective, and it’s much more affordable. Build in a framework where your senior personnel take others under their wings to show them the ropes.
I can’t underestimate the value of being paired up with someone who knows what they’re doing. The rate of learning is dramatically accelerated under that model. Whenever you can, partner people up and do cross training.
In some organizations, people are reluctant to share their knowledge. They operate under an outdated belief that withholding expertise helps protect their job or their authority in the organization.
That may have been true years ago, but today you prove your value by sharing your knowledge and helping others to grow. That makes you a leader, with the potential for landing even greater leadership opportunities.
Besides, as a senior person on your team, your job is made so much easier when other people can help you carry the load!
Provide Cross Training for Specialists
If you have a decent sized team of people involved in your compliance engagement, you probably have some people with their own specialties. Perhaps one person is the expert on policies, while someone else delves into technical elements of your network and another person handles everything related to security testing or training.
If you lose a specialist on your team, you’ll feel the impact more acutely than losing a generalist. You can lessen that impact by cross-training personnel on related areas to expand their breadth of coverage.
Have a primary specialist paired with someone who can back them up. This builds up your business continuity and creates redundancy if someone suddenly leaves your team or is out of commission for a while.
Sit down and look at your compliance team to identify any single points of failure. That’ll give you a roadmap for training.
TCT Portal can be a valuable tool for cross training. The workflows within TCT Portal are flexible, dynamic, and customizable. For example, you can assign someone as the first step in the workflow, then have an internal quality assurance step with someone else who reviews their evidence before it passes up to your Consultant or Assessor. This ensures a higher quality of work, and it builds cross training into your process.
Take Advantage of Compliance Tech
A great compliance management tool can be an invaluable training resource for your compliance team. TCT Portal is built to make it easy for new personnel to get up to speed quickly, and to help veterans gain a deeper understanding of security and compliance.
Here’s a quick hit list of TCT Portal tools that can help train up your people.
The Rock Solid Business Case for Compliance Management Software
Discover How to Get a “Yes” from CFOs That Love to Say “No”
TCT Portal gives you a streamlined workflow that clarifies the engagement and compliance requirements. Everything is laid out in a consistent yet streamlined fashion, and the information you need is easy to find. When you have a simplified framework to operate in, you can learn by experience exponentially faster.
One of the intrinsic benefits of TCT Portal is the built-in guidance provisioned by the governing body of that certification. This guidance provides a ready resource for explanations and interpretations that you can learn from. And it’s always in easy reach.
Depending on the Consultant or Assessor you’re leveraging, if they’re using the TCT Portal for their other engagements, there is a distinct likelihood that they have additional guidance based on their experience with the compliance requirements, on top of their ability to provide examples.
Even if this isn’t your first rodeo, it’s easy to forget what you did the last time around. A typical PCI engagement has 500+ moving pieces. Very few people can remember everything they did the previous year — what they did, where they got the evidence, or what passed muster with the Assessor.
TCT Portal keeps historical records of prior years’ tracks and the final evidence that was leveraged for those tracks. These records can serve as a very helpful reference point for your team to remember, so you don’t have to go through the same guessing game every year.
When you have new personnel who are going through the compliance engagement for the first time, they can look at the historical record to see what was done and follow suit for the current engagement. It becomes tremendously easier to get onboarded and find your way in a complicated and unfamiliar program.
Attach notes and documents
Because TCT Portal keeps everything in one centralized location, it’s easy to write notes to yourself and drop them into the history as helpful reminders when you go through the next cycle.
You can also attach documentation to the Portal that explains where to get certain information, what system to pull it from, and other helpful information.
Never Stop Learning
I entered the security and compliance arena almost two decades ago, and I can tell you from personal experience that the learning never stops. There are always new technologies, new certification changes, new best practices, and new threats to get your arms around.
When you intentionally provide training opportunities for your compliance personnel, you ensure that they stay at the top of their game — which will greatly improve your organization’s security stance.
Keep current on the latest trends and technologies in the security and compliance realm — subscribe to our blog.
Get equipped with insider expertise
Subscribe to the TCT blog