Role-Based, Just-In-Time, Behavior-Changing — With Evidence
Security Training only works if it changes behavior and stands up in audits.
SolveForce delivers a program that is role-based, just-in-time, and metrics-driven—wired to your stack so lessons appear at the moment of risk and completion/effectiveness are provable.
Connective tissue:
🧭 GRC → /grc • 📊 Evidence/Automation → /siem-soar • 🚨 IR & Drills → /incident-response • /tabletop
👤 IAM & Access → /iam • 🔐 ZTNA/NAC/SASE → /ztna / /nac / /sase
🔏 Data & Privacy → /data-governance • /dlp
💳 PCI → /pci-dss • 🏥 HIPAA → /healthcare-networks • 🏛️ NIST/FedRAMP → /nist • /fedramp
🎯 Outcomes (Why our program)
- Behavior change — fewer risky clicks, faster reporting, fewer secret/key leaks, better access hygiene.
- Just-in-time coaching — micro-lessons triggered by real events (e.g., secret found in PR, suspicious share link).
- Role relevance — tracks for execs, finance/AP, IT/helpdesk, dev/DevOps, data stewards, OT/ICS, contact center, healthcare, retail payments.
- Audit-grade proof — completion, quiz, simulation, drill and attestation evidence exported to SIEM/SOAR.
🧭 Scope (What we deliver & operate)
- Core baseline — annual + onboarding: phishing/BEC, passwords/passkeys, MFA, data labels, safe sharing, incident reporting.
- Role-based paths
- Exec/Board: risk, incident comms, fiduciary duties, wire-fraud scenarios.
- Finance/AP: BEC/wire fraud, vendor spoof, dual-control.
- Helpdesk/IT: identity proofing, token/session safety, escalation SOPs.
- Developers/DevOps: secrets hygiene, supply chain (SBOM, signing), IaC policy-as-code, vulnerability triage.
- Data Stewards/Analysts: labeling, DLP, tokenization, privacy by design.
- Contact Center (CCaaS): PCI redaction/tokenization, recording policies.
- Healthcare: HIPAA/42 CFR Part 2, minimum necessary, ePHI handling.
- OT/ICS: safety first, change control, vendor access with ZTNA/PAM.
- Simulations & labs — phishing/BEC, smishing/QRishing, OAuth-app consent, secure coding/k8s/cloud labs.
- Drills — incident tabletops and mini-TTX (ransomware, key leak, data exfil) with AAR artifacts.
- Policy attestation & exceptions — annual sign-off and tracked, time-boxed exceptions in GRC.
🧱 Building Blocks (Spelled out)
- Microlearning: 3–7 minute lessons; scenario-based; accessible; localized.
- Learning intercepts (JIT):
- Secret detected in PR → 90-second lesson + auto-rotate guide.
- Public link to Restricted data → label/DLP nudge + one-click fix.
- MFA fatigue detected → “how to report” card + session hygiene.
- LMS + SIEM wiring: all completions, quiz scores, and sim results stream to SIEM/SOAR for dashboards and audits. → /siem-soar
- Gamification w/ guardrails: leaderboards and badges for teams; no shaming.
- Accessibility: WCAG-aware content; audio/transcripts; low-bandwidth variants.
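The "secret detected in PR" intercept above, as an added example (not SolveForce's tooling): a minimal scanner that walks a unified diff, flags secret-shaped strings on added lines only, skips a documented placeholder key, redacts the value, and emits the event a SOAR/LMS hook would consume (lesson to assign, learner, rotation runbook, merge block). The diff, the rule set, the lesson IDs SEC-101..103 and the runbook URL are constructed for the demonstration.

```python
"""JIT learning intercept: a secret lands in a pull request.

Added example, not SolveForce code. It scans the added lines of a unified
diff for secret-shaped strings and, on a hit, builds the event a SOAR/LMS
integration would consume: the micro-lesson to assign, the learner, and the
rotation guide. The diff, lesson IDs and guide URL are constructed for the demo.
"""
import json
import re
from dataclasses import dataclass, asdict
from typing import List

# Detection rules (assumption: a demo-sized set; real scanners carry hundreds
# of rules plus entropy checks). Groups are non-capturing except the value.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"),
}
# AWS's documented placeholder key: a known non-secret that must not page anyone.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}
# Hypothetical lesson catalogue and runbook URL.
LESSONS = {
    "aws_access_key_id": ("SEC-101", "Rotate and scope cloud credentials"),
    "private_key_block": ("SEC-102", "Keys never go into source control"),
    "generic_api_key": ("SEC-103", "Use a secrets manager, not string literals"),
}
ROTATION_GUIDE = "https://intranet.example/runbooks/rotate-leaked-secret"


@dataclass
class Finding:
    rule: str
    file: str
    line: int       # line number in the new version of the file
    excerpt: str    # redacted; the secret itself is never forwarded


def scan_diff(diff: str) -> List[Finding]:
    """Walk a unified diff, tracking the current file and new-file line numbers.
    Only '+' lines are scanned: a removed secret is a rotation task, not a
    teaching moment for this PR."""
    findings: List[Finding] = []
    current_file, new_line = "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:]
            current_file = current_file[2:] if current_file.startswith("b/") else current_file
            continue
        if raw.startswith(("--- ", "diff ", "index ")):
            continue
        if raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)
            new_line = int(m.group(1)) if m else 0
            continue
        if raw.startswith("-"):
            continue                      # removed line: no new-file line number
        if raw.startswith("+"):
            content = raw[1:]
            for rule, pat in SECRET_PATTERNS.items():
                m = pat.search(content)
                if not m:
                    continue
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                if secret in ALLOWLIST:
                    continue
                redacted = content.replace(secret, secret[:4] + "[redacted]")
                findings.append(Finding(rule, current_file, new_line, redacted))
        new_line += 1                     # context and added lines both advance
    return findings


def build_intercept(findings: List[Finding], author: str, pr: str) -> dict:
    """The SOAR/LMS event: one lesson per distinct rule, the rotation runbook,
    and a merge block until the learner acknowledges."""
    lessons = sorted({LESSONS[f.rule] for f in findings})
    return {
        "event": "jit_intercept.secret_in_pr",
        "pr": pr,
        "learner": author,
        "lessons": [{"id": lid, "title": title, "max_minutes": 2} for lid, title in lessons],
        "remediation": ROTATION_GUIDE,
        "findings": [asdict(f) for f in findings],
        "block_merge": bool(findings),
    }


# Constructed PR diff: one real-shaped key, one documented placeholder, one
# generic API key, and a private key file added wholesale.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@
 ALLOWED_HOSTS = ["example.internal"]
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAQ4X7L2M9N8P1R5T3"
+DOCS_EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE"
+payment_api_key = "zK9qL2mN4pR6sT8vW0xY1aB3cD5eF7gH"
 LOG_LEVEL = "INFO"
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmU=
"""

if __name__ == "__main__":
    event = build_intercept(scan_diff(SAMPLE_DIFF), "dev@example.com", "PR-42")
    print(json.dumps(event, indent=2))
```

The merge block is what makes the lesson just-in-time: the learner sees it while the PR is still open and the secret is still theirs to rotate. The event carries only redacted excerpts, so the SIEM record that proves the intercept happened never becomes a second copy of the secret.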
🧰 Reference Programs (pick & mix)
1) Phishing & BEC Defense — monthly sims, VIP/vendor impersonation, time-of-click training, report-rate coaching.
2) Dev & Cloud Secure SDLC — secrets hygiene, supply chain, signed artifacts/SBOM, IaC gates, k8s/network policies.
3) PCI Awareness — PAN scopes, tokenization, hosted fields, redaction & recording rules. → /pci-dss
4) HIPAA & Privacy — PHI labels, minimum necessary, email encryption & DLP, subject-rights workflows.
5) Zero-Trust in Practice — ZTNA usage, device posture, least privilege & JIT/PAM. → /ztna • /pam
6) Incident Ready — how to escalate, evidence handling, comms trees; annual TTX + ad-hoc micro-drills. → /tabletop
📐 SLO Guardrails (what we commit to)
| Domain | KPI / SLO | Target (Recommended) |
|---|---|---|
| Coverage | Baseline completion (regulated roles) | ≥ 99% by due date |
| Coverage | Role-based track completion | ≥ 95% |
| Behavior | Phish sim failure rate (rolling 4 quarters) | Downward trend; target < 5% |
| Behavior | Median time-to-report phishing | ≤ 10 min |
| Behavior | Secret leak rate in PRs | ↓ 50% or more by Q2 of the program |
| Effectiveness | Post-lesson retention quiz (30–90 days) | ≥ 85–90% pass |
| Drills | TTX participation / AAR closure | 100% / ≤ 30 days |
| Evidence | LMS/sim logs delivered to SIEM | ≤ 120 s |
SLO breaches open tickets and trigger SOAR nudges (auto-assign lesson, notify manager, schedule micro-drill). → /siem-soar
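How the table's targets become the tickets and nudges described above, as an added example (not SolveForce's SOAR content): three of the SLOs (baseline coverage for regulated roles, rolling-four-quarter phish-sim failure rate, median time-to-report) computed over a constructed roster and simulation feed, with each breach mapped to a concrete action. The roster, the simulation results, the quarter-labelled window and the repeat-clicker threshold are assumptions for the demo.

```python
"""SLO guardrails evaluated over LMS/phish-sim events, with the SOAR nudges the
page describes (auto-assign lesson, notify manager, open ticket, micro-drill).

Added example, not SolveForce tooling. Roster, completions and simulation
results are constructed; in practice they come from the LMS and sim platform
feeds already streaming into the SIEM.
"""
from statistics import median
from typing import Dict, List, Optional

# Targets taken from the SLO table. Durations in seconds.
TARGETS = {"baseline_coverage": 0.99, "phish_failure_rate": 0.05, "median_ttr_s": 600}
REPEAT_CLICKER_FAILS = 2   # assumption: two failures in the window triggers a micro-drill

# Constructed roster: user -> (role, manager, in a regulated role?)
ROSTER = {
    "ana": ("finance", "mgr-finance", True),
    "bo":  ("dev", "mgr-eng", False),
    "cy":  ("finance", "mgr-finance", True),
    "di":  ("helpdesk", "mgr-it", True),
}
BASELINE_DONE = {"ana", "cy"}   # di is overdue on the baseline


def _r(quarter, user, outcome, report_s=None):
    """One constructed sim record: 'clicked' is a failure; report_s is seconds
    from delivery to the user's report, None if they never reported."""
    return {"quarter": quarter, "user": user, "outcome": outcome, "report_s": report_s}


SIMS = [
    _r("2023Q4", "ana", "clicked"), _r("2023Q4", "bo", "reported", 300),   # outside window
    _r("2024Q1", "ana", "reported", 120), _r("2024Q1", "bo", "reported", 900),
    _r("2024Q1", "cy", "clicked"), _r("2024Q1", "di", "reported", 60),
    _r("2024Q2", "ana", "clicked"), _r("2024Q2", "bo", "reported", 240),
    _r("2024Q2", "cy", "reported", 1500), _r("2024Q2", "di", "ignored"),
    _r("2024Q3", "ana", "clicked"), _r("2024Q3", "bo", "reported", 180),
    _r("2024Q3", "cy", "reported", 400), _r("2024Q3", "di", "reported", 700),
    _r("2024Q4", "ana", "reported", 3000), _r("2024Q4", "bo", "reported", 100),
    _r("2024Q4", "cy", "clicked"), _r("2024Q4", "di", "reported", 90),
]


def rolling_window(sims: List[dict], quarters: int = 4) -> List[dict]:
    """Keep only the most recent `quarters` quarters (YYYYQn sorts lexically)."""
    keep = sorted({s["quarter"] for s in sims})[-quarters:]
    return [s for s in sims if s["quarter"] in keep]


def baseline_coverage(roster: dict, done: set) -> float:
    regulated = [u for u, (_, _, reg) in roster.items() if reg]
    return len([u for u in regulated if u in done]) / len(regulated)


def phish_failure_rate(window: List[dict]) -> float:
    return sum(s["outcome"] == "clicked" for s in window) / len(window)


def median_time_to_report(window: List[dict]) -> Optional[float]:
    times = [s["report_s"] for s in window if s["report_s"] is not None]
    return median(times) if times else None


def evaluate(roster=ROSTER, done=BASELINE_DONE, sims=SIMS) -> dict:
    """Compute the KPIs and translate each breach into concrete SOAR actions."""
    window = rolling_window(sims)
    metrics = {
        "baseline_coverage": baseline_coverage(roster, done),
        "phish_failure_rate": phish_failure_rate(window),
        "median_ttr_s": median_time_to_report(window),
    }
    actions: List[dict] = []
    if metrics["baseline_coverage"] < TARGETS["baseline_coverage"]:
        for u, (_, mgr, reg) in roster.items():
            if reg and u not in done:                 # nudge the overdue learner and their manager
                actions.append({"action": "assign_lesson", "user": u, "lesson": "baseline"})
                actions.append({"action": "notify_manager", "user": u, "manager": mgr})
    if metrics["phish_failure_rate"] > TARGETS["phish_failure_rate"]:
        actions.append({"action": "open_ticket", "slo": "phish_failure_rate"})
        fails: Dict[str, int] = {}
        for s in window:
            if s["outcome"] == "clicked":
                fails[s["user"]] = fails.get(s["user"], 0) + 1
        for u, n in sorted(fails.items()):            # repeat clickers get a micro-drill
            if n >= REPEAT_CLICKER_FAILS:
                actions.append({"action": "schedule_micro_drill", "user": u, "failures": n})
    ttr = metrics["median_ttr_s"]
    if ttr is None or ttr > TARGETS["median_ttr_s"]:
        actions.append({"action": "open_ticket", "slo": "median_ttr_s"})
    return {"metrics": metrics, "actions": actions}


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(), indent=2))
```

Two design points carry over to a real deployment: the failure rate is computed on a fixed rolling window so a single bad campaign cannot hide inside a long history, and the repeat-clicker action targets named users while the SLO ticket targets the program, which keeps individual coaching separate from the audit evidence.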
🔒 Compliance Mapping (examples)
- SOC 2 (CC2.2), ISO 27001 (Clause 7.3 awareness & Annex A controls), PCI DSS (Req. 12.6), HIPAA (164.308(a)(5)), NIST 800-53 (AT family), CMMC (AT), FedRAMP ConMon evidence.
📊 Observability & Evidence
- Dashboards: completion/overdue, sim failure & report-rate, quiz retention, secrets-in-PRs, DLP blocks, JIT intercepts.
- Evidence pack: rosters, certificates, sim artifacts, policy attestations, TTX AARs—exportable to auditors.
🛠️ Implementation Blueprint (No-Surprise Rollout)
1) Assess & map — personas, risks, frameworks, policies to teach.
2) Design tracks — baseline + role paths; choose sim cadence; define JIT intercepts.
3) Integrate — LMS ↔ HRIS/IdP; SIEM/SOAR; code scanning & DLP hooks for JIT.
4) Pilot & adjust — one BU/site; tune difficulty & tone; set KPIs.
5) Launch — org-wide with quarterly micro-refreshers; publish dashboards.
6) Exercise — TTX + incident micro-drills; attach AARs and close gaps.
7) Improve — quarterly review of SLOs, content gaps, repeat-clicker coaching; update roadmap.
✅ Pre-Engagement Checklist
- 👥 Persona list (exec, finance, IT, dev, data, CCaaS, OT/ICS, healthcare).
- 📜 Policy library & attestation cadence; exception process.
- 📨 Sim cadence & channels (email/SMS/QR/OAuth consent).
- 🔐 Identity & device posture sources (IdP/MDM/EDR).
- 🧑‍💻 Dev/Cloud scanners for JIT (SAST/SCA/secret & IaC).
- 🔏 DLP labels & triggers; encryption methods.
- 📊 LMS/SIEM endpoints; reporting cadence & owners.
- 🗓️ Audit calendar; frameworks in scope (SOC2/ISO/NIST/PCI/HIPAA/FedRAMP).
🔄 Where Security Training Fits (Recursive View)
1) Grammar — training outcomes flow into /grc metrics.
2) Syntax — JIT intercepts tie to /iam, /dlp, /siem-soar, and SDLC gates.
3) Semantics — /cybersecurity defines the controls; training operationalizes them.
4) Pragmatics — /solveforce-ai powers adaptive lessons and grounded assistant content.