I manage an employee training program and wondered how often we should have refresher courses on company policy about data protection and confidential company information. What are your recommendations?
In developing any program we first have to look at the needs gap. What are the requirements of our corporate policy about data protection and confidential company information, and what are the skills our team needs to understand to adhere to that policy?
As training managers, we are charged with creating orientation training for new employees as well as skill and behavior training modules. During the orientation is when most of the corporate policy and procedures are first presented. Yet our staff needs to be reminded from time to time about the importance of this very sensitive issue. Carolyn Balling, professional development manager, Northern California Human Resources Association, said, "Is this really a job for the training department or is it a job for the internal communications department, and second, would our team members even attend the training?"
Our staff is increasingly busy with their work. Their most valuable asset is their time. When it comes to training, they have to weigh the value of this program against their daily duties and responsibilities. Usually skill and behavior training is a priority over policy training. Lee Stapleton, training manager at Organic Inc., said "It's hard enough to fill even our skill-based programs. Our team would be challenged to attend a policy and procedure training with their busy schedules. They would not see the value to themselves personally."
When we think about what we are really trying to do, mainly it is to remind our team of the importance of protecting data and confidential information. Our staff does understand the concept; their mistakes mostly arise from errors in judgment.
My recommendation would be to work with your internal communications department and create a company-wide initiative. The immediate step is to enroll the management team. This could include a short management meeting, similar to a train-the-trainer program, that highlights the challenges of protecting data and confidential information, the cost impact of data breaches, and case studies on the importance of protection. From there, training can be supported and delivered to the whole company through the internal newsletter and/or an e-mail blast. I would suggest conducting an annual audit to determine the necessity of this program.
Jerry Ervin is president of Paragon Strategies, a management training, coaching, and strategic meeting facilitation firm in San Francisco. Have a question about dealing with insider security issues? Drop us a line.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.