Expert Insights on Quickly and Easily Training Employees on Security & Privacy to Meet Compliance Requirements

  • December 29, 2022

Anna Fitzgerald

Senior Content Marketing Manager at Secureframe


Fortuna Gyeltsen

Senior Compliance Manager at Secureframe

Most compliance frameworks require organizations to conduct and track completion of employee training to ensure their workforce is up-to-date on security and privacy best practices. But the process of training and tracking completion can be time-consuming and tedious, forcing you to waste precious resources that could have been spent on higher priorities. 

In our Secureframe Webinar | Expert Insights held on Wednesday, December 14, compliance expert Fortuna Gyeltsen, CISSP, CISA, PMP, CCSK, Security+ showed how easy it is to onboard, track, and train employees through automation to ensure compliance.

If you missed it, check out the video replay on demand. We’re also recapping her insights and expert advice for making training your workforce easy and automatic below.

The challenges of security & privacy training today

Most compliance frameworks require organizations to conduct and track completion of employee training to ensure their workforce is up-to-date on security and privacy best practices. 

Secureframe training modules required for 7+ frameworks

There are challenges that organizations face today when trying to complete security and privacy training to meet compliance requirements. Let’s take a look at them below.

1. Difficult to know what security and privacy training content is needed

Some frameworks require specialized training based on the industry or the data handled, making it difficult to understand exactly what security training content needs to be included.

For example, Security Awareness Training is required for SOC 2, ISO 27001, NIST 800-53, and more.  Some of these frameworks require additional topics to be covered in the training, like insider threats. HIPAA, GDPR, and CCPA require framework-specific training. HIPAA training must cover the different rules to safeguard PHI. GDPR and CCPA are specialized privacy training with content specific to those laws. PCI DSS requires general cardholder data training and Secure Coding (a type of role-based training if you have developers) that incorporates the new OS updates. 

2. Need processes for ensuring all new and current employees and contractors are trained

To meet requirements for security and privacy training, you need to set up processes for ensuring all onboarded employees are completing training upon hire and current employees are regularly trained. Plus, you need to track completion of all training.

3. Most compliance training is dated and unengaging

Requirements on how security training is administered can be met in multiple ways, but we believe video training is the best and most efficient. It’s more engaging than reading a policy and less resource-intensive than scenarios or live training. The problem is that most video training is dated and unengaging, making it harder for employees to remember crucial information. 

4. Most platforms require a third-party vendor for training

Finally, most compliance automation platforms require you to pay for and set up an integration with a third-party vendor for training. That means more vendors to manage and more costs. 

How Secureframe Training Solves Those Challenges

Secureframe Training is our newest product, leveraging proprietary training to address all the challenges above. Its key benefits include that it’s:

  • Comprehensive training meets compliance requirements
  • Kept up-to-date with frameworks
  • Modern and engaging
  • All-in-one: No additional vendors

Let’s take a closer look at the ways Secureframe Training solves the challenges of security and privacy training today. 

1. Secureframe Training is automated

Secureframe Training not only ensures the right training for the frameworks that matter in your business, including SOC 2, ISO 27001, NIST, HIPAA, GDPR, CCPA, AND PCI DSS. It also provides an easier way to onboard, track, and train employees to achieve continuous compliance through automation.

With this product, you can include training and onboarding for all new employees or target specific groups. For example, not everyone needs to complete secure coding training. You can specify the developers on your team and a group for that particular module.

Once employees have completed the training module and passed a knowledge quiz, they're automatically certified.

Reminders are automatically sent to those who haven't yet completed the training, and since many frameworks require annual recertification, refresher training and reminders are also automatically sent to employees to ensure continuous compliance.

2. Secureframe Training is modern, current, and engaging

Framework requirements change over time. For example, the newest version of NIST 800-53 revision 5 includes a new control family focused on supply chain risk management. There is a requirement within that new control family to administer training on anti-counterfeit software and components. We've already included that content for that in Secureframe training.

Many frameworks require training content to be refreshed or at least reviewed on an annual basis to remain relevant. Secureframe training modules are kept up-to-date with the latest regulations and laws by myself and other members of our compliance team so you don't have to.

The content is also modern and engaging, so that crucial information sticks long after the training.

3. Secureframe Training is part of our end-to-end platform

Secureframe Training was developed as part of our all-in-one security and privacy compliance platform to make training your workforce easy and automatic. That means that you don't have to figure out what training modules or topics you need on your own. Based on the frameworks designated in your Secureframe instance, the relevant modules will automatically be included.

You don't need to manage any additional vendors, and fewer vendors to manage also means it's a more cost-effective option.

You can also easily distribute training to all employees, or target specific groups of personnel in the same integrated platform that you track policy acceptance and other audit evidence.

If you're ready to automate training and ensure your employees are up-to-speed on the latest best practices to protect against cyberattacks, schedule a demo of Secureframe today.

Secureframe Training FAQs

During the Secureframe Expert Insights webinar on Secureframe Training, Fortuna Gyeltsen, CISSP, CISA, PMP, CCSK, Security+ shared her expertise with attendees who submitted questions live or in advance. Here’s a recap of the questions and answers.

How do you actually know that somebody has gone through and watched the training video and actually understands it? Is it the organization's responsibility to just provide the training, or do they have to prove there's a reasonable level of understanding?

Secureframe Training includes video training with quizzes. So after someone watches the video, then they have to answer a section of questions at the end and pass in order to have that green check mark under their name and the tracking.

Our videos were also created to be engaging to help employees fully understand what’s required of them and the threats facing them, like phishing. 

What topics are covered in the Security Awareness Training module?

In the Secureframe module, we cover phishing, ransomware, password use, and multi-factor authentication. As I mentioned before, there's also some specific topics based on the frameworks, like insider threat, information spillage, and anti-counterfeit software and components.

How soon are courses typically updated when changes to compliance frameworks are made, like PCI DSS 4.0?

When compliance frameworks are changing, we typically get notified far in advance that changes are coming. But a lot of times, those governing bodies are still working through the changes. So once they become published, then that would be reflected in the training, and that would be done by our in-house compliance team.

If security training is assigned but an employee claims that because they live in another country they are not required to take the training due to international law, how would you handle this issue?

There are two possible ways. One, I'm not aware of any international law that prohibits an employee from taking basic security awareness training, so you could say it's a required part of our organization’s onboarding process. Two, when an employee onboards, then they also read an acceptable use policy, code of conduct, employee handbook, or something of that sort. So at the very least, there are still the policies that they need to read through and accept, and a lot of the policies that we have templated in the Secureframe platform also cover these topics. It's just that the videos go in more depth and are more engaging.

Are the training videos available in any other languages? Or will they be available in other languages at some point?

They are currently only available in English, but we are exploring options to add subtitles in other languages so stay tuned for updates.

Join our next Secureframe Webinar | Expert Insights

We’re hosting Secureframe webinars regularly throughout 2023 to address the biggest security, privacy, and compliance pain points that we hear and questions that we get from prospects, customers, and security professionals. Keep an eye out for upcoming registration details, or check out recordings of past events if you missed out.