Compliance training is never a fun topic, and I think that is too bad. It suffers from a combination of companies checking the box, a lack of imagination, and being stuck with rules that require doing it annually. Do we really need to review the employee manual if it hasn’t changed since last time? Or if we were notified of updates as they happened?
Imagine you wanted to do this training not just because you had to, but to make your company stronger and less vulnerable: how would you do it, and how much time and money would you invest in it? That is what I want to see the C-levels working on.
It is disheartening to see comments about it being a losing battle. It’s hard to argue with the idea that security is hard and getting harder, but it often feels like we’d rather give up than try. Frustration, lack of a bigger picture, and an unrealistic view of the effectiveness of security all contribute to that. Here’s a contrived example: how hard is it for someone to steal your car? If it’s locked and you have possession of the key, it can still be stolen, but it takes more effort, and usually deliberate effort. Just because removing the key doesn’t eliminate the risk doesn’t mean we shouldn’t remove the key!