It is a question that is often asked: Should organizations build their own Security Awareness and Compliance Training programs in-house, or should they outsource this service to a provider? In this blog post, we will take a look at this conundrum and review the pros and cons of each.
Every organization, no matter its size, should have a Security Awareness and Compliance Training program. The program may be housed in various departments—Human Resources, IT, Security and Compliance, etc. No matter who has ultimate responsibility, the need for security awareness and compliance is beyond debate. As we have seen in recent incidents at AT&T, multiple school districts in Louisiana, and the City of Baltimore, even the best network, hardware, and software security solutions can be undermined by a single human being.
What is often up for discussion is (1) the source of the content for the program and (2) who should administer the program.
Possible Configurations of Your Security Awareness and Compliance Program
Option 1: In-House Content and Administration: In this scenario, the organization controls every aspect of the Security Awareness and Compliance training programs internally. A team gets buy-in from management, determines the training needs, creates and maintains the content to be presented to users, places the content on a learning platform, schedules training, monitors completion of the training, determines next steps for employees who fail to complete (or fail to master) the content of the training, generates reporting related to training, and attests to any governmental or industry bodies that are required. This team is also responsible for making sure that new employees are trained during onboarding.
Option 2: Vendor-Provided Content, In-House Administration: With this scenario, the administration of the program is done internally by the organization – determining need, scheduling, monitoring, remediation, reporting, and attestation. The content that is offered during the training is provided by an outside vendor and may be Off-the-Shelf (OTS) or customized content. The vendor may also provide the learning platform on which the content is presented to the end user, or the content may be housed on an internal platform. These platforms should provide functionality for scheduling and tracking, as well as remediation and reporting. Responsibility for attestation still lies in-house.
Option 3: In-House Content; Vendor-Provided Administration: If an organization uses this scenario, it creates and maintains the content using internal resources, but the administration of the programs is done as a managed service by a vendor. This scenario also allows for the situation where the organization provides specialized content that is company-specific (e.g., reviewing the Information Security Policy, internal procedures reviews, etc.) to the managed services partner, but also purchases more general Security Awareness and Compliance training content from the vendor. Responsibility for attestation still lies in-house.
Option 4: Vendor-Provided Content and Administration: In this final scenario, the vendor creates and executes all aspects of the Security Awareness and Compliance training programs except attestation, which is still the organization’s responsibility. Content may be provided as OTS, or may be customized for the organization. This scenario still requires in-house oversight, but that oversight focuses on selecting content, approving implementation plans, and reviewing periodic status reports.
Choosing the Right Strategy for Your Organization
With so many ways in which to meet an organization’s needs, how does one choose the best path forward? Here are some things to consider when making a determination.
- A successful Security Awareness and Compliance Training Program is measured by what does not happen – events, incidents, and breaches. One of the key elements of that success is the quality of the content presented. This means not only that the content is engaging, but also accurate and up-to-date. Consider whether your organization has the resources to properly build a variety of training resources that meet best practices for instructional design for adult learners, as well as being able to maintain knowledge of security, legal and regulatory environments to update content as needed.
- Each of the scenarios shares common traits: the need for hosting content, scheduling, monitoring, and reporting. If you are considering in-house administration, think about what systems you have available to support these activities. Administration is not trivial and is essential for being able to report and attest accurately. Many Enterprise Resource Planning (ERP) systems or corporate Learning Management Systems (LMS) offer modules to support training and professional development. Review the capabilities offered to ensure that they support the unique needs related to Security Awareness and Compliance Training. If you do not have an ERP or LMS, or your system is not adequate for your needs, review the options provided by vendors. Be sure that the vendor platform offers the ability to integrate with your backend systems (either via API or webhooks) so that you can pull training information back to your System of Record (SOR) for your employee records.
- Due diligence is key. You know your organization best. You know your industry and the regulatory environment in which it operates. All of these are points of consideration when planning and implementing your programs. Do not choose in-house administration and/or content creation and maintenance if you do not have a team of people who have the skills and time to properly do all of the tasks required for success. If you choose to work with a vendor, be sure to properly vet all aspects of the company and the programs and content they offer. Just like when looking for a new car or house, know what you need before you start shopping.
- Consider your end users’ universe. Remember that you may need to not only train your regular full-time workforce, but also temporary workers, contractors, and vendors. You will need to be able to provide content in a number of learning modalities, as well as multiple formats (microlearning, courses, digital assets, etc.), to ensure coverage and comprehension. Most employees will require training on multiple content in relation to Security Awareness and Compliance. With end users, you will want to strongly consider the pairing of phishing education and simulation as part of the Program.
- There can be considerable cost around Security Awareness and Compliance Training programs that are entirely in-house. There is resource overhead in relation to the administration. There are also costs around the hosting of the content. The bulk of the cost, however, is around the training content. As noted above, assurance of success with end users lies in engaging, accurate, and up-to-date content offered in multiple formats. If you require that the content be offered in multiple languages, costs can grow. This training cannot be “one and done”. It requires consistent reinforcement with supplemental materials. There are both personnel and technology costs to content creation and upkeep. Subject Matter Experts (SMEs) can be expensive in these fields, so many companies do not keep these resources in-house full-time. This can make the upkeep of content a challenge.
In-House Capabilities Required with Each Configuration
So, what is the best Security Awareness and Compliance Training option for YOUR organization? Like many things in life, there is no one correct answer to that question. There are pros and cons to each of the four configurations described above, so we suggest that as you zero in on your approach, you ensure you are accounting for these possibly unanticipated aspects:
Option 1: In-House Content and Administration
- Security and compliance expertise
- Learning and communications design expertise
- Localization capacity (if applicable)
- Maintenance plans to keep content up to date with the regulatory and technical environment
- Delivery platform with adequate tracking and reporting capability for attestation
- Resource(s) to coordinate all stakeholders and manage rollout and reporting
Option 2: Vendor-Provided Content and In-House Administration
- Identification of any requirements for content customization and/or localization
- Delivery platform with adequate tracking and reporting capability for attestation
- Resource(s) to coordinate all stakeholders and manage rollout and reporting
Option 3: In-House Content and Vendor-Provided Administration
- Security and compliance expertise
- Learning and communications design expertise
- Localization capacity (if applicable)
- Maintenance plans to keep content up to date with the regulatory and technical environment
- Resource to serve as point of contact with vendor to identify goals, provide inputs, review plans and reports
- Coordination of reporting with vendor for attestation
Option 4: Vendor-Provided Content and Administration
- Identification of any requirements for content customization and/or localization
- Resource to serve as point of contact with vendor to identify goals, provide inputs, review plans and reports
- Coordination of reporting with vendor for attestation
Gone are the days where a 20-minute slide presentation once a year to check the training box is sufficient. Security Awareness and Compliance Training programs should be well-planned and well-executed to provide the best defense of your most important assets. Choosing the right means of building and implementing your programs is essential, but the good news is, you have options!
What Can You Do?
GLS is a leader in Security Awareness and Compliance Training content creation and maintenance. We also offer phishing education and simulation, as well as managed services for program administration. Using our Human Firewall 2.0 Program will help you to lay out a multi-tiered, multi-format program that can be tailored to your organization’s training needs over multiple years. Contact us to take a look at GLS’ award-winning content and OnDemand Learning Management System.
Still not sure what is the best option for your organization? Contact Us to chat about your situation and we can offer plans and options that fit your needs.