The Training team at Security Compass is constantly looking for ways to help our customers get the best rate of return on their investment with us. Whether it be role-based learning (courses carefully selected based on job function), or our new SSP Suites (a partnership with (ISC)2 that leads to a secure coding certificate), we are always seeking new ways to help our customers increase their employees’ adoption rate. Our newest initiative is this series of articles: a quarterly publication of proven techniques to assist you in getting your employees to utilize the training tools you have invested in.
Proven Approaches to Increasing Training Adoption Rates
It is clear that the importance of security training is widely understood by upper management — yet many organizations still have difficulties encouraging their employees to complete the training. So for this installment of our blog, I asked some of our medium and large customers to share the tips and tricks they have tried in order to raise their rate of adoption.
Every customer with a 90% to 100% completion rate had the same advice to share: make your courses mandatory. They stressed the importance of making it clear that employees are required to take the courses, and then following up to ensure that they have actually done so.
As making courses mandatory may not be possible in all situations, some of the following additional approaches may come in handy.
Even if you can’t make completion of all courses mandatory, designate at least one course as required or strongly recommended. Some customers use our Security Awareness course (one of our shortest courses), as part of their on-boarding process for new employees, while others use it as a recommended course for existing employees’ continued career growth. This allows employees to test the waters: they get to see how quick and easy the courses are to complete, which usually leads to an interest in additional courses.
Sooner than later:
This recommendation may seem a little counterintuitive, but setting a short timeline for course completion helps to limit the amount of time employees have to procrastinate. Various customers have found this approach to be useful, with the most popular timeframes being 30, 60 or 90 days.
As demonstrated recently in Batman v Superman, even Superman can’t do it alone. As awesome as you are, you still need back-up in order to get your organization’s employees to take the courses, especially if you work in a very large company. Having the assistance of each team lead can really help. While you spearhead the training initiative, direct supervisors can follow up with their teams to ensure that each member takes the assigned courses.
Constant reminders can be annoying, but they can also be very effective in reminding employees that they are nearing their course completion deadlines. Whether these reminders are automated emails or a visit to their desk for a friendly face-to-face, the purpose is to keep the need to complete their training on each employee’s mind. From what we’ve heard, your employees will likely complete the training as soon as possible, just to make the friendly reminders stop.
In a lot of cases, the carrot is more effective than the stick. But not everyone likes carrots. Incentives can be a great motivational tool — but they are only effective if the right incentives are used. While cash or gift cards may encourage some employees to complete their courses, this will not work for all — or perhaps monetary incentives may not be allowed in your organization. However, something as simple as bragging rights might be enough to get your employees excited about completing their training as soon as possible. This is where simple Gamification concepts — such as individual or team leaderboards — can come in handy. Perhaps your Java development team wants to prove, once again, that they are the best team in the organization, by winning the lunch promised to the team that completes their courses first. Or perhaps course completion is another component of the year-end performance review. The incentive that will work in your organization depends on your employees, and what they value.
“Radical” can be interpreted differently, depending on your organization’s policies. Some of the more radical ideas that have been proven to work include:
- Limiting Network Access — Employees who do not complete their courses experience a network outage, until they complete their assigned courses.
- Public Shaming — On a regular basis, the VP publishes a list of employees who do not complete their courses, and distributes this list across the organization. Details shared include the name of the employee, their department, and their direct supervisor.
- Offering Cash — Yes, we mentioned that this may not work in all cases, but randomly choosing a name from amongst the first 10 users to complete their courses, and providing them with a $300 gift card is pretty radical…and effective.
Buy-in and Culture change:
This is pretty simple, but explaining the reasons why training is important can help your employees to understand why they should take time out of their busy schedules to complete the courses. Whether the driving principle is compliance requirements, or to save money and time fixing vulnerabilities, explaining the reasons to your staff can help them to buy in to the need for training. Getting everyone on the same page can lead to a culture change, where software security becomes a major driving principle in every action employees choose to take.
Ultimately, what will work in your organization comes down to your organization’s policies and culture. Employees are understandably busy, and often don’t have the time, or bandwidth, to handle additional optional tasks — regardless of the benefits. Making courses mandatory is the only way to guarantee a high adoption rate. There are, however, other approaches which can be used to encourage your employees to complete their training and improve your organization’s overall training adoption rate.
If there have been other approaches that have worked in your organization, we’d love to hear from you. Feel free to share them with us at [email protected].
About Security Compass
Security Compass, a leading provider of cybersecurity solutions, enables organizations to shift left and build secure applications by design, integrated directly with existing DevSecOps tools and workflows. Its flagship product, SD Elements, allows organizations to balance the need to accelerate software time-to-market while managing risk by automating significant portions of proactive manual processes for security and compliance. SD Elements is the world’s first Balanced Development Automation platform. Security Compass is the trusted solution provider to leading financial and technology organizations, the U.S. Department of Defense, government agencies, and renowned global brands across multiple industries. The company is headquartered in Toronto, with offices in the U.S. and India. For more information, please visit https://www.securitycompass.com/