May 16, 2024

Vanta’s approach to AI Risk & Secure Code Training

Written by
Jess Chang
Senior Technical Program Manager, Security & Enterprise Engineering

We’re excited to share that we've expanded Vanta’s security and privacy training library with additional training modules, including AI Risk, Secure Coding, Insider Threat, and Social Engineering. Along with our existing modules for Security Awareness (required for SOC 2, ISO 27001, NIST, and more), HIPAA, GDPR, CCPA/CPRA, and PCI DSS, our training content is developed by Vanta’s in-house team of security, privacy, and compliance experts to help ensure your employees learn about important principles for each topic. This includes how your employees might encounter these principles in their day-to-day roles at your company as well as in their personal lives.

Combined with our established training management features in Vanta, our proprietary security and privacy training library allows you to automate training assignments, segment training for different groups, and equip your employees with up-to-date security and privacy knowledge—all directly in the Vanta platform. 

Putting customers first is one of our core principles at Vanta, and this applies to everything from how we build product to how we approach the development of our AI Risk and Secure Code Training modules. We’re especially excited about these modules because training content about AI risk and secure coding generally tends to be complex, fear-inducing, and abstract. By taking a principles-based, relatable, and direct approach, we aim to challenge these tendencies and help customers retain the content. In addition, Vanta’s AI Risk Training aligns with our recent release of the NIST AI RMF and underscores the importance of AI governance and common risks to consider while interacting with AI technologies. 

Vanta’s overall brand strategy also influenced how we made decisions around our security education content. In this post, we’ll walk you through our approach to building AI Risk and Secure Code Training and share examples and best practices, including our security design principles and the industry resources we’ve found helpful.

Our approach to training content

The Security team at Vanta is responsible for creating the security and privacy training library in our product, which draws on our subject matter expertise and craft. We previously shared the principles that inform our internal approach to learning about security and privacy. With these in mind, one of the first steps in creating any training content is to start by scoping and brainstorming. 

This typically includes things like requirements, key points, industry best practices, and behaviors we’d like to influence. From here, we move through different stages with our immensely talented creative partners, including a visual outline, storyboarding, voiceover recording, animation, and delivery.

When we kicked off our brainstorming sessions for our AI Risk Training, which aligns with Vanta’s recent release of the NIST AI Risk Management Framework (NIST AI RMF), it was clear that the AI landscape is rapidly evolving and that its risks, regulations, and best practices will continue to evolve in the years to come. 

Similarly, industry guidance and best practices for secure coding have changed and will continue to change as security risks evolve. For instance, the OWASP Top 10 is updated every few years based on analysis of a large dataset of identified application vulnerabilities. While the underlying secure coding principles may stay similar, they may be renamed, rescoped, reordered, or even consolidated depending on the criticality of the security risks.

To address this, we’ve focused on core principles within each topic and have committed to updating our content alongside the evolving risk landscape to help our customers understand and keep security best practices top of mind. 

Our security design principles

As security practitioners, we’ve seen plenty of visuals that speak to us and represent our industry, and plenty that don’t. To create our internal design principles for conveying security imagery and concepts to our employees and customers, we built on and drew inspiration from our Security team’s experience and the joint work of the Hewlett Foundation and IDEO. Our goal is to make these security concepts and principles concrete, human, and understandable by all. 

At a high level, we depict actions in a positive manner, or in simpler terms, as do’s rather than don’ts. This helps learners visualize the behaviors and actions that follow security best practices rather than focusing on actions to avoid. There are occasions where it’s helpful to see positive and negative examples side by side to visually identify the differences, and where relevant, we follow this practice. 

More specifically, here are the principles we’ve codified and incorporated into Vanta’s Security and Privacy Training Library:

1. Security is everyone’s responsibility

Whether in their personal life or for work, each person has an important role in protecting sensitive and confidential information. We utilize imagery that depicts individuals taking action and reporting potential risks proactively while steering clear of imagery that implies someone’s always watching, or that someone else is responsible and will take action. 

2. Security should be human, relatable, and accessible

Security imagery should reflect people and their day-to-day interactions with security concepts. We use visual metaphors or direct examples for concepts that may be complex or specialized. To be human and relatable, we also highlight and reflect the diversity of the industry and the world we live in—including challenging stereotypes where they exist.

3. Security should be accurate without provoking fear or anxiety

We want to ensure learners understand security concepts without making them fearful or anxious about their own safety, privacy, or security. Ensuring imagery and depictions are accurate also helps build credibility and trust, and helps them understand where and how to take action.

Examples of Vanta training content 

Vanta’s AI Risk Training provides an overview of foundational areas and key terms, emerging laws and regulations, and principles for AI safety and security. Given that the exact context and applicability will depend on the tools, policies, and processes that each organization has in place, our training focuses on principles for AI safety and security rather than procedural or policy requirements. 

Examples of areas we focus on include:

  • Applications of AI
  • Contextualizing risk
  • Unintended harms and intentional abuses
  • Operational, functional, and security risks
  • Importance of internal policies and procedures
  • Legal, regulatory, and ethical standards and risks
  • Monitoring and auditing
  • Best practices for AI risk management

Within each area, the training includes common applications and examples to help ensure the principles are clear and understandable by learners without prior knowledge of AI technology.

In Vanta’s Secure Code Training, our content follows a similar approach, providing guidelines and examples that can be applied across a variety of contexts. We also outline principles for secure software design that can be incorporated into, but are not specific to, policies, standards, or frameworks. 

To create this training, we drew from industry resources such as the OWASP Top Ten as well as the expertise of our internal security team to combine both long-standing principles and applied knowledge into a coherent module. Our Security team helped define general guidelines and examples for secure coding best practices, such as building threat models, making your assumptions explicit, keeping it simple, and being careful about what you log. 

To follow our own design principle of making security human, relatable, and accessible, we distilled these into concrete principles and partnered closely with our creative team to translate these into relevant visual representations and analogies. We also created real code snippets to directly depict these principles instead of using illustrations of assets that lean in a technical direction but aren’t specific—avoiding elements such as binary numbers, server racks, and more. 

And lastly, to tie it all together, you’ll notice from the screenshots we’ve provided that our security training might look a bit different from what you might expect from a typical mandatory training. Featuring our friendly llama host Sam, we’ve created something playful that speaks to audiences of all ages and keeps them engaged—including toddlers and young children of our own Vanta’ns and customers alike who’ve enjoyed our security training videos. 

In the words of Gabe Horwitz, co-founder of eqtble (a Vanta customer):

We give credit to Vanta’s brand strategy, which established the foundation for our creative style. Vanta’s ethos of being approachable and designing “with a wink” is what created the space for our internal Security team and experts to be playful in creating our security and privacy training library.

More resources

To learn more about the industry discussion behind cybersecurity visuals, we recommend resources from the Hewlett Foundation and IDEO, specifically the Reimagining Visuals for Cybersecurity report and CyberVisuals, as well as A Visual Exploration of Cybersecurity Concepts.

We’re grateful to every Vanta’n and friend of Vanta’s who has helped make our security and privacy training library possible, from its inception as a wacky idea to a library of resources for our customers. Looking ahead, we’re excited to continue creating and delivering new content for our customers and build our collective knowledge and culture of security in fun, memorable, and engaging ways.

See it in action

Keep an eye out for more security and privacy training offerings from Vanta! As always, we welcome your feedback. Let us know what you think by reaching out to your Customer Success Manager—especially if there's another topic you’d like to see as part of Vanta’s security and privacy training library. And stay in the loop on Vanta news via LinkedIn.

To check out our security and privacy training modules, log in to your Vanta account or learn more here. If you’re not yet a Vanta customer, request a demo today.
