Your compliance personnel need to have a great breadth of knowledge across an entire compliance engagement. They may be generalists or specialists — or a mix of both. In either case, not just anyone can come in and fill that slot. It’s a true specialty skill.

Don’t take those people for granted. Exceptional compliance personnel are rare and in high demand. Getting to that level of expertise doesn’t just happen overnight — and in many organizations, it doesn’t happen at all.

That’s why it’s critical to have a strategic approach to training your security and compliance personnel to excel at their jobs.

Your Compliance Team Is Under Trained

I work with a wide variety of organizations on a broad range of engagements, and I continually find that the people provisioning compliance evidence are under trained in the realm of security and compliance. If you think that the personnel provisioning evidence for your compliance engagements are experts in security, simply because they have a technical background, chances are high that you’re mistaken.

My first experience with under-trained people was my very first time going through a PCI-DSS certification myself. Keep in mind I had been leading IT teams for the better part of 15 years at that point. But once I made it through my first engagement with PCI, I realized how little I knew at the beginning. It’s disconcerting to be in a position where you don’t know what you’re doing and you have people depending on you to get it right.

It was also startling to realize how little the people on my team knew. I was in IT management, but I had frontliners who were software architects and senior developers. I was operating under the assumption that all these people on my staff knew all about security and compliance. They didn’t — and they weren’t the exception to the norm.

There’s a difference between having the skills to keep operations going, and having the skills to know how to do those operations in a secure and compliant manner. Those are two different skill sets, and the vast majority of organizations take it for granted that their IT frontliners understand security and compliance.

Don’t assume that your IT personnel already understand security and compliance. They’re experts in their field, but that doesn’t mean they have expertise in security and compliance. It’s a different realm, and it’s unfair to place the burden of your security program on professionals that don’t have the proper training or experience.

What’s more, most people aren’t going to raise their hand and say, “I don’t know a damn thing about how to do my job securely.” They want to be successful, but they don’t want to lose their job. So they keep their mouth shut and do the best they can. Meanwhile, leadership remains blissfully unaware of the risk this position puts on everyone involved.

You can avoid placing your personnel between a rock and a hard place by taking a strategic approach to security and compliance training. Here are a few ways you can do that.


Determine Your Training Needs

Look at the backgrounds of the people on your team. Do they have certifications in security and compliance? Have they worked at secure and compliant organizations in the past? That will give you a sense of the training needs on your staff.

Also go privately to your Consultant or Assessor and ask them which of your personnel need to know more about what they’re doing. Chances are, these experts know within a couple of weeks of working with your team exactly who could use some training.

Get Certified in a Compliance Training Program

There are tons of third party security training options available for your compliance team, and you can get lost going down the rabbit hole. For most of your people, a basic overall security and compliance training course is a good start.

For those who need a broad base of knowledge, I’d recommend getting a CISSP certification. This is a general security certification that will get your feet wet in a range of areas. One caveat: CISSP requires several years of documented security work experience, so personnel who are new to the field can sit the exam but will hold Associate of ISC2 status until they accrue it. It’s still a useful structured curriculum for people who are new to the compliance arena.

If you’re going up against a PCI DSS certification, you might also consider a PCI Internal Security Assessor (ISA) qualification. This PCI SSC program qualifies you as an internal assessor within your organization, and it requires your organization to sponsor you. The training will provide a broad spectrum of knowledge that’s specific to PCI DSS.

In the end, there is no substitute for gaining years of experience in security and compliance. Becoming an expert takes time. No book compares with the value you get simply from doing compliance and learning from others on your team, your Consultant, and your Assessor.

At the end of the day, the initials behind your name don’t matter. What matters is what you as an individual do with the knowledge and skills that you have. It’s about you as a person and your experience — and how you leverage the education you have — not about the formal training and certifications that you’ve received.

Provide Mentoring to New Compliance Personnel

Formal training gets expensive. Mentoring can be just as effective, and it’s much more affordable. Build in a framework where your senior personnel take others under their wings to show them the ropes.

I can’t overstate the value of being paired up with someone who knows what they’re doing. The rate of learning is dramatically accelerated under that model. Whenever you can, partner people up and do cross training.

In some organizations, people are reluctant to share their knowledge. They operate under an outdated belief that withholding expertise helps protect their job or their authority in the organization.

That may have been true years ago, but today you prove your value by sharing your knowledge and helping others to grow. That makes you a leader, with the potential for landing even greater leadership opportunities.

Besides, as a senior person on your team, your job is made so much easier when other people can help you carry the load!

Provide Cross Training for Specialists

If you have a decent sized team of people involved in your compliance engagement, you probably have some people with their own specialties. Perhaps one person is the expert on policies, while someone else delves into technical elements of your network and another person handles everything related to security testing or training.

If you lose a specialist on your team, you’ll feel the impact more acutely than losing a generalist. You can lessen that impact by cross-training personnel on related areas to expand their breadth of coverage.

Have a primary specialist paired with someone who can back them up. This builds up your business continuity and creates redundancy if someone suddenly leaves your team or is out of commission for a while.

Sit down and look at your compliance team to identify any single points of failure. That’ll give you a roadmap for training.

TCT Portal can be a valuable tool for cross training. The workflows within TCT Portal are flexible, dynamic, and customizable. For example, you can assign someone as the first step in the workflow, then have an internal quality assurance step with someone else who reviews their evidence before it passes up to your Consultant or Assessor. This ensures a higher quality of work, and it builds cross training into your process.

Take Advantage of Compliance Tech

A great compliance management tool can be an invaluable training resource for your compliance team. TCT Portal is built to make it easy for new personnel to get up to speed quickly, and to help veterans gain a deeper understanding of security and compliance.

Here’s a quick hit list of TCT Portal tools that can help train up your people.


Reliable workflow

TCT Portal gives you a streamlined workflow that clarifies the engagement and compliance requirements. Everything is laid out in a consistent fashion, and the information you need is easy to find. When you have a simplified framework to operate in, you learn by experience much faster.

Guidance provisioning

One of the intrinsic benefits of TCT Portal is the built-in guidance provisioned by the governing body of that certification. This guidance provides a ready resource for explanations and interpretations that you can learn from. And it’s always in easy reach.

If the Consultant or Assessor you’re leveraging also uses TCT Portal for their other engagements, there is a distinct likelihood that they have added guidance of their own based on their experience with the compliance requirements, along with the examples they can provide.

Historical data

Even if this isn’t your first rodeo, it’s easy to forget what you did the last time around. A typical PCI engagement has 500+ moving pieces. Very few people can remember everything they did the previous year — what they did, where they got the evidence, or what passed muster with the Assessor.

TCT Portal keeps historical records of prior years’ tracks and the final evidence that was leveraged for those tracks. These records can serve as a very helpful reference point for your team to remember, so you don’t have to go through the same guessing game every year.

When you have new personnel who are going through the compliance engagement for the first time, they can look at the historical record to see what was done and follow suit for the current engagement. It becomes tremendously easier to get onboarded and find your way in a complicated and unfamiliar program.


Attach notes and documents

Because TCT Portal keeps everything in one centralized location, it’s easy to write notes to yourself and drop them into the history as helpful reminders when you go through the next cycle.

You can also attach documentation to the Portal that explains where to get certain information, what system to pull it from, and other helpful information.

Never Stop Learning

I entered the security and compliance arena almost two decades ago, and I can tell you from personal experience that the learning never stops. There are always new technologies, new certification changes, new best practices, and new threats to get your arms around.

When you intentionally provide training opportunities for your compliance personnel, you ensure that they stay at the top of their game — which will greatly improve your organization’s security stance.

Keep current on the latest trends and technologies in the security and compliance realm — subscribe to our blog.


Sometimes it seems easy for many companies to offer platitudes about how they’re thankful for their customers and staff. I’m sure their gratitude is real, but often it feels like they’re only sharing a holiday message because it’s expected from “human” brands.

At TCT, we don’t take anything for granted, and Thanksgiving is just one of many reminders that our clients really do mean everything to us. So I’m taking a moment to thank you, our customers, from the bottom of my heart — not because it’s the expected thing to do, but because it’s true.

We really are thankful for our customers, every single day.

Gratitude for Our Clients

As TCT has continued to grow, I’m very thankful for the relationships we have built with our clients. It’s telling when someone at a client organization gets to know TCT and likes the solution so much that when they change employers they immediately start recommending TCT Portal to their new boss. It’s even more telling when that happens many times over.

That’s one of the strongest compliments we could hope for. We don’t take it for granted that clients love us enough to spread the word about our compliance management solution.

It’s challenging to build a company from nothing, and our success wouldn’t have been possible without the kinds of relationships we get to enjoy with our clients. For that, I’m extremely grateful.

Thankful for Our Staff

That kind of customer enthusiasm is a compliment to our support staff as well as the people who develop TCT Portal. Our team has been working hard all year, and they’ve done an amazing job of taking care of our customers.

Over the course of the year, our staff have expertly navigated the waters so that we could release a second instance of TCT Portal in Europe. Meanwhile, they continued to give our existing customers world-class service.

One of the greatest things about working with the folks at TCT is the sense of shared purpose and camaraderie. I’ve never been part of a team that worked so well together. The faith that these people put in each other and the organization is both humbling and rewarding.

Looking Ahead

I mentioned earlier that we’ve expanded to Europe. That’s a dream come true for us, and I’m thankful that we can extend our capability to help others. At TCT, we often talk tongue-in-cheek about helping to make compliance management suck less. We now have the opportunity to help organizations in Europe that need help making their compliance management suck less.

TCT was born out of a desire to help others, and it’s a thrill to further spread that outreach across the globe.

A side benefit of this expansion is that we’ll have a whole new set of inputs from our customers in Europe — requests for features and functionality they want to see on the platform. TCT has always been a collaborative organization.

We listen to the input from our customers to help us make the compliance management solution as useful as possible for our entire client base. Expanding to Europe introduces a whole new group of people to the Portal, and I can’t wait to hear their suggestions and requests for new features.

There’s more coming in the months and years ahead, and if you’re not already on board, I hope you’ll come along for the ride. You’ll be thankful you did. This is just the start of good things to come.
