Does your organization provide privacy or other security training to employees using an internal or external resource? How often do employees need to attend either of the two training types?

8.5k views4 Upvotes8 Comments

Sort by:

Chief Information Security Officera month ago

Recommended guidance: System access for employees on extended leave exceeding 14 consecutive days (excluding scheduled PTO) will be disabled to prevent unauthorized access. Access will be limited to essential HR and payroll systems as required. All accounts will be reviewed for reactivation upon return, following account management and reauthorization procedures.

CISO| Legal & Regulatory APAC lead in Media4 months ago

A mandatory training on privacy and security, plus additional focused training for key personnel few HR roles, system admins. This is combination of internal, I recently heard that one of the organization have introduced learning nuggets in form of instagram reels, innovative and quite effective.

CISO and Head of Digital Channels in Healthcare and Biotech4 months ago

We mandate comprehensive privacy and security training for all employees and third-party partners with logical access to systems or sensitive data.

Internal Training Programs: Customized modules developed in-house, tailored to our specific policies, tools, and threat landscape (e.g., phishing, IoT risks, data handling).
Third-Party Inclusion: Contractors, vendors, and partners with system access must complete the same training to ensure consistent security practices.
Multi-Lingual Support: Training materials are localized into multiple languages to accommodate global teams and ensure comprehension.

1 Reply

no title4 months ago

Yes - we have mandatory training each year on information security-related topics.

Chief Privacy Officer in Finance (non-banking)a year ago

We are delivering an all-employee privacy training (as a module of a Infosec/privacy combined training). This is online and built internally. There are couple of commun slides to remind the principles, and we select a theme for the year (incident management, data minimization, AI, etc...)
This is annual and mandatory.

We also deliver thematic trainings (internally built) to employees working with sensitive data, and finally we are offering on-demand trainings (using OT learning platform)

CEO in Manufacturing4 years ago

We use KnowBe4 training. Employees are phish tested every month and sent to remedial training if they fall for a test. They also do regular training every six months.

Content you might like

Do you have cyber insurance? If so, does it require multi-factor authentication (MFA)?

We have cyber insurance and it requires MFA44%

We have cyber insurance, but MFA is not required45%

We don't have cyber insurance10%

View Results

Does someone have advice on how they have balanced the risk/reward as it relates to introducing Open-Source Software to organization? My org is dipping its toe into the OSS world and the architecture and risk governance teams are looking to get ahead of these requests by coming up with policies and standards for OSS technology being brought into our environment. To clarify, this is not for software development and CI/CD pipelines, SDLC etc. This is for installing solutions that already exist out there (Zabbix, GreyLog, Prometheus etc.) into the organization's environment. We are looking to provide a balance on the obvious risk with the ability to move fast (like everyone else now).

As part of our NYSE IPO prep, we’re debating how to communicate our system hardening efforts in regulatory disclosures (e.g., SEC Form 20-F, SFC).

Would you recommend sharing % compliance (e.g., “85% CIS Tier 2”) or sticking to qualitative descriptions of how we identify and mitigate risks? Also, do SFC/ISO 27001 expectations require full ISMS integration, or is a % model acceptable?

Has your company had a data breach in the last 12 months?

Yes70%

No30%

We’re preparing for an IPO on the NYSE as a Foreign Private Issuer and evaluating CIS Benchmarks to measure OS and database hardening.

Our proposed tiers:
• Tier 1 (70–80%) baseline
• Tier 2 (85–90%) for sensitive data
• Tier 3 (95–100%) for mission-critical systems

Is 80% compliance defensible for IPO due diligence with SEC or SFC? Should Tier 3 be considered mandatory for critical systems? And can compensating controls (e.g., PAM, microsegmentation) offset gaps in legacy environments?

Does your organization provide privacy or other security training to employees using an internal or external resource? How often do employees need to attend either of the two training types?

Sort by:

Content you might like

Do you have cyber insurance? If so, does it require multi-factor authentication (MFA)?

Has your company had a data breach in the last 12 months?

What sets us apart?

RELATED ONE-MINUTE INSIGHTS

How are U.S. CISOs Addressing Liability Risk?

CrowdStrike Outage: Impact And Recovery

Impact & Perceptions of A Privacy-First Digital Era

Challenges & Tools For A Privacy-First Internet Age

IT and Infosec Collaboration on Vulnerability Patching

Take Your Insights On-the-Go