HIPAA requires it. The Payment Card Industry Data Security Standard requires it. The ISO 27001 standard requires it. In fact, every regulation that mandates that reasonable measures be taken to protect information implicitly requires that companies maintain a program to regularly inform employees on what those measures are.
How are companies doing at meeting this requirement? In a poll two years ago of members of the International Association of Privacy Professionals, three quarters of respondents said their companies do some form of internal privacy training. This is a good number. But if you peel back the cover, you'll find that what “training” means varies widely.
Many large corporations have a check-box, compliance mentality toward privacy training. These are the top five shortcuts I see them taking instead of using the opportunity to deeply root out information risk:
- Doing separate training for privacy, security, records management and code of ethics. Do you get one set of messages from your CPO, one from your CISO and an annual code of ethics sign-off from Legal? You're not alone. In the largest companies, when the people running each of these functions need to get their messages out to the employee population, they tend to not want to water down the uniqueness of their messages by mixing them with related topics. They also want to control their own destinies. As a result, they each go their own way with training and awareness. What's the outcome? Confused and over-messaged employees who just want one place to go to know the do's and don'ts of information management.
- Equating "campaign" with "program." When privacy leaders get money to devote to "soft" projects like privacy training, the natural first step is to launch an awareness campaign. Some go so far as to deploy computer-based training modules. They may think that a program is now in place. But there's a difference between hitting employees with one or two messages a year and surrounding them with reminders that the policies are for real, have teeth and are baked into the culture. A true program has an annually refreshed calendar of messages and training going out to different employee populations throughout the year.
- Equating "awareness" with "training." Does your company post some PowerPoint presentations to an intranet site, send out some e-mails, put up some posters, and call this a privacy and security training program? An effective information-risk program will certainly include awareness campaigns -- messages sent to broad populations about specific policy objectives. But it will also include the delivery of role-based training, which is aimed at educating smaller groups about the processes and procedures of implementing those policy objectives.
- Using one or two communications channels. Let's face it: We live in a multimedia world. Our employees are used to surround sound, big-screen TVs, sophisticated visual effects, podcasts, chat, user-generated content and more. Yet, how many of our awareness campaigns at work are limited to a few e-mails and a couple of PowerPoint decks. If you really need to connect with your employees, consider how you can incorporate sound, moving pictures and interactive content into your approach.
- No measurement. Security experts regularly opine that insiders are the biggest threat to corporate information, and the list of breaches maintained by privacyrights.org is dotted with incidents resulting from employee mistakes. Employee training is probably the most important component of a corporation's information-risk management. Yet few companies actually measure the effectiveness of their privacy training and awareness programs. So, in an economic downturn, these “soft” budgets become target No. 1 for the red pen.
I still remember the most effective training session I ever had, 10 years ago. The trainer had walked us past the data center, gathered us in a conference room, and drew a big circle on the board. She paused, looked us in the eyes, and said, ”Everything you do at this company will fall somewhere on this board.” Some of our choices, she said, would be deemed wrong by everyone and would fall outside the circle. Some would fall into a gray area, and so would fall on the edge of the circle. But at this company, she said, putting a dot on the board, we are at the center of the circle.
That told me everything I needed to know about that company's policies and ethics. Will employees remember as much about your awareness program 10 years from now?
Jay Cline is a former chief privacy officer at a Fortune 500 company and is now president of Minnesota Privacy Consultants. You can reach him at cwprivacy@computerworld.com.