I have been asked to re-assess our organisations 80% target for compliance training completions. Wanted to see what targets other org's have set?

Governance, Risk & Compliance Regulatory Compliance

1.3k views4 Comments

Sort by:

CIO in Retail9 months ago

The compliance training goal depends on the regulation you are tied to, so depending on that, you may need to reach 100% or some other slightly lower percentage. In our case, most of the time we are required to meet 100% of the objective.

VP Cybersecurity in Banking9 months ago

I'm currently with a financial institution and we have a 100% compliance target and we also remove access if your course material has not been passed. Training material is more detailed in the first 2 years of employment and then refresher material is given in subsequent years to make it less burdensome but also effective.

VP of IT in Retail9 months ago

The target has always been 100% in my current and past organizations. My last company had a hard date of May 31st, and after that your account would be disabled. You would then need to go to HR and complete your training to regain access. That's a sign of a company that truly sees compliance as must do.

Director of Information Security in Energy and Utilities9 months ago

I think the target needs to correspond to your organization's risk profile. Why 80%? Why not 70% or 90%? If your organization is in a highly regulated environment, then 80% sounds low to me. You might even have different target % for different sections/divisions within your company. My target is 100% for high-risk users and 80% for medium and below.

Content you might like

Which pitfalls—model bias, false positives/negatives, data quality, regulatory constraints—often impede AI-based security tools, and how can they be mitigated in a financial-services context?

AI deepfakes have cost the industry over $200M this year. As CISOs, can we scale detection fast enough, or is regulatory pressure the only way to drive adoption?

As enterprise AI adoption accelerates, how is your organization adapting its governance and risk oversight to keep pace?

Established AI governance framework with defined policies and oversight40%

Currently developing governance models and risk controls68%

Relying on existing security/compliance frameworks (no AI-specific policy)34%

No formal AI governance approach in place2%

View Results

Seeking insights for research universities regarding CMMC 2.0 adoption and compliance. I'm listing our full question set below, but we would welcome insights on any or all of these:

1. What is the anticipated timeline for CMMC 2.0 adoption by the Federal Government? Any insights on the expected rollout and implementation schedule?

2. From a Higher Ed CIO perspective, what are the key operational differences between each "level" in CMMC 2.0? Are there any specific challenges or considerations especially for research universities?

3. For a research university, which CMMC level would be the most suitable target? Are there any key dates or deadlines that Higher Eds and researchers should be aware of in their compliance journey?

4. What are the most crucial features or elements of CMMC that universities need to achieve compliance? Any recommendations or best practices?

5. Specifically, are there any requirements in CMMC for 7/24/365 "eyes on glass" network and/or endpoint monitoring? If there is an endpoint requirement, does it extend to all servers and laptops issued by the university, or is it limited to hosts involved in research grants? What is expected to demonstrate compliance in this regard?

6. Apart from CMMC compliance, are there other considerations or or strategies to consider when seeking to qualify for/reduce cyber risk insurance costs?

What percentage of your help desk calls are password or MFA related?

< 10%21%

10-20%34%

21-30%28%

31-40%7%

41-50%4%

51-60%2%

61-70%

71-80%

> 80%1%