Why mere compliance increases risk

In some cases, poor training is as bad as–if not worse than–no training it all, say John Schroeter and Tom Pendergast

The Department of Health and Human Services recently confirmed that a lack of training is a common cause of HIPAA compliance difficulties. But is that really such a surprise? Given the poor state of awareness training in many organizations, it's no wonder that HIPAA violations are actually on the rise. The fact is, to achieve formal, "letter of the law" compliance, just about any form of training will do to "check the box." But as we continue to see, bad training is, in the final analysis, practically equivalent to–or worse than–no training at all, and hence the disappointing results reported by HHS and by others who wonder why their compliance training fails.

[Pulling it all together: A special report on GRC]

It should be obvious that there is more to this "compliance thing" than simply doing the least one can do. For starters, ask yourself, in addition to being compliant, is your organization also competent to see that the spirit of the law is also fulfilled? Does your organization, in the true spirit of compliance, promote a culture that respects the interests of customers, patients, shareholders, and other constituents? Does everyone in the organization see themselves as responsible for the security of protected information, whether it is health information, credit card data, or the many other forms of personal information collected today? Do your executives actively model the importance of privacy and security? Do they seek out and identify potential gaps? If the answer to any of these questions is "no," then not only does your organization lack the requisite privacy competence–and this may come as a surprise–it may not actually even be in compliance. Here, then, are four clues that your "compliance" status may, in fact, be putting your organization–and your customers–in serious jeopardy:

1. You believe the minimum mandatory training will shield your organization from liability.

Just ask any number of HIPAA-compliant organizations who found out the hard way. Too many organizations, while having all their HIPAA papers in order, have still been found to be legally negligent—even though a level of training was provided that satisfied the minimum regulatory requirement! Why? Because the behavior HIPAA seeks to regulate was not changed. Consequently, organizations have been found liable for breaching a standard of care that in turn resulted in the inappropriate disclosure of health information. In other words, because the spirit of the law was ignored, the training was ineffective, and a liability resulted. A growing body of case law clearly demonstrates that satisfying the letter of the law alone just won't cut it.

2. You believe that the objective is regulatory compliance.

Simply being compliant does not translate to a safe and secure organization. Not by a long shot. And if you're only motivated by avoiding the penalties for compliance violations, you've really missed the point. Regulatory fines are actually a drop in the bucket compared with the true costs of a breach, which also include loss of trust, customers, opportunity, and more. Besides, achieving compliance is only the first step in safeguarding your organization—and your customers. What the law is ultimately seeking is a culture of security-aware behavior.

[Five security missteps made in the name of compliance]

3. You believe that checking the box will improve your overall risk profile

The truth is that a check-the-box approach to compliance actually leaves your organization with a very poor risk profile. Because it breeds a false sense of security ("We're compliant!"), it also courts disaster. More important, the increased risk that inevitably follows "complacent compliance" endangers not only the security of your information and the privacy of your customers, but your brand's greatest asset—your hard-earned trust-worthy reputation.

4. You don't believe that training above the minimum standard will make any difference.

Take two organizations: one that gives awareness training the short shrift and another that takes it seriously. Which would you consider more trustworthy: the company that gave its people an annual 30-minute PowerPoint or the one that tied the training to the culture and corporate values of the organization and reinforced it throughout the year with habit-forming reminders? As a CEO, would you deliberately and consciously set out to test the theory that there's no difference between the two positions? Yet, chances are, unless you've instituted formal awareness training in your organization, that's exactly what you are doing.


In the end, complying with the letter of the law while neglecting its spirit–and the strategic benefits it provides–is precisely the attitude that can leave your organization exposed, destroy customer trust, consume precious capital, and tarnish your brand. Conversely, just a small investment in true behavior-changing training and reinforcement will pay huge dividends in fortifying the security of your organization—and protect your customers in the ways the laws actually require.

John Schroeter is Director of Marketing at MediaPro, a provider of security awareness training solutions. Tom Pendergast, Ph.D., is Director of Product Strategy and Instructional Design at MediaPro.

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)