Companies need both a well-trained security force and a general employee population that is aware enough of security issues to know what to look out for and what to report. Security managers should take the lead within their organizations in designing and implementing training programs to achieve these objectives. To develop such a training program, security managers must set up a training plan that is tailored to the various types of employees who need instruction. There should also be a tracking system to ensure that the program is working as intended.
A Tailored Plan
A training plan should target the entire work force, and there should be standardization in terms of the overall security message, but the specific training must be tailored to the various needs of sectors within the workplace. For companies that work on government contracts involving classified data, a primary focus of training will be protecting that information. The plan must address those issues separately for employees with security clearances and those without.
Most cleared employees are government personnel or government contractors. However, within government contracting companies, some employees could be cleared while others are not. For example, in most contracting environments, all employees who work on the contract as well as the security employees would be cleared, but HR and administrative employees may not be cleared.
Cleared employees. Cleared employees may be further divided into different levels of security depending on their level of clearance. There are three major categories: Confidential, Secret, and Top Secret. Those cleared for government intelligence activity have even higher levels. All of this training may be provided by the employer.
Federal law requires that all cleared employees undergo initial training and annual refresher training. The training is based on the National Industrial Security Program Operating Manual (NISPOM). The initial training and the annual training for cleared employees include a threat awareness briefing as well as units on defensive security, the classification system, employee reporting obligations and requirements, and security procedures and duties applicable to the employee’s job.
The basic training and materials for annual training are the same for all three categories of clearance. Then, based on that annual training baseline, those at higher clearance levels are given additional, more specific training. For example, personnel cleared for intelligence information receive training based on intelligence community directives (ICDs), which are issued by the Director of National Intelligence, an office established by Congress following the 9-11 attacks. ICDs offer details about discovering and disseminating intelligence information and conducting surveillance.
However, the government-mandated training does not contain other, important topics that should be included as part of a comprehensive training program. These include security training on foreign travel and physical security procedures for the company.
Uncleared employees. It is also important to train uncleared employees to recognize classified documents and basic security requirements so they can assist in protecting the national security information entrusted to the organization. Companies should include uncleared employees in their unclassified security orientation programs from the beginning. Unfortunately, many companies that conduct new-hire orientations fail to give security much room on the agenda. What they should do during orientation is give this general population a basic understanding of the classification systems: Confidential, Secret, and Top Secret. All new hires should be shown examples of the coversheets for each of these classifications and told that if they ever see one lying around, they must secure it immediately and report the incident to security.
To reinforce the message given at orientation, the security department should prepare a follow-up message. This message should be e-mailed to employees. The e-mail message can include information on how to report security concerns and how to get help if the new employee has security questions.
It will also help if the general work force understands why security is important—the threats that it protects against—as well as how to report problems. One way of conveying this security message to cleared and uncleared employees is by hosting a brown bag lunch with a threat awareness speaker or a cybersecurity speaker who can explain the types of adversaries and attack scenarios the company may face. The speakers could address topics such as various types of hacking attacks, the types of vulnerabilities found in the Internet sites visited at work, or the threat of disclosing personal information over the Internet.
Security personnel. Apart from cleared and uncleared personnel, security personnel need their own focused type of training. A core group of classes should be established for each of the various security professional levels. If an employee is hired as a security specialist I, for example, there should be classes tied to that level versus those of a security specialist II, security manager I, security manager II, and so forth. The idea is to create a series of classes for security employees to work toward while they remain in a certain security bracket.
Some training may be detailed, such as security essentials, protecting classified documents, introduction to certain software programs, business writing, and basic leadership training for a security specialist I. The security manager I position would have other specific classes, such as a facility security officer course, introduction to personnel security, advanced software programs, effective time management, and program management.
This type of tiered training can also help to show security personnel that there is a career path within the department, which can help with morale and retention. Employees can see the types of classes necessary to move up to the next category. This provides a visible route for employees to follow if they wish to progress with the company.
One of the training categories should be aimed specifically at the security manager, and it should address business skills as well as security issues. It is imperative, for example, to equip security managers with the necessary tools to manage a budget, work with program leaders, and solve conflicts with employees. Security managers must also learn basic leadership and employee interaction skills. Therefore, it is important to develop a security professional training track for your corporation or unit so that instruction in these skills can be offered to those within the ranks being groomed for promotion to management positions.
Tracking and Metrics
The company should have a system for documenting employee training and the costs associated with the programs. This data can inform future training decisions. Tracking also helps when building budgets, to determine how many training dollars are necessary for individual employees each year.
With regard to security personnel, a tracking system can be as simple as a spreadsheet listing every employee in the security department, the class attended, the dates, type of class attended, and the costs. With this type of data, the security manager can quickly determine that sending an employee who has had no training for the year to a class might be a better use of dollars than sending another employee who may have attended three classes. Similarly, the tracking system can justify sending an employee who has attended free classes all year to a $1,000 class instead of sending an employee who attended one class but spent $6,000.
Tracking also yields data that can help with development of metrics. Metrics are a way to quantify results and report details to upper management. Although management may not be interested in the detailed level of tracking, they are interested in the return on the training investment and metrics can help assess the results of the training dollars invested. Through analysis of costs, classes, and the percentage of people trained, security managers can develop the data needed to gain senior management support for further training dollars.
Metrics can also help manage the cost of training. For example, a metric could show that of the 550 employees hired that year, 200 received some form of new-hire orientation, which would be 36 percent. A manager would then need to find a way to ensure that more employees are receiving new-hire orientation. Or that might be justification for requesting additional funding. For instance, security managers can show that out of all their security personnel, 78 percent received some form of training that year.
An additional important metric that would be tracked at several times during the year would be the percentage of cleared employees who received the required annual security training. If security managers know they have 950 cleared employees and 650 have had annual training by October, then they are 68 percent complete. They know that they have two months to complete the required annual security training for the other 32 percent of cleared employees.
A strategic plan for security training is essential in any security department. The plan should define the type of training given and taken by security professionals. It should also provide metrics for senior managers to use and validate the money spent on security training. If training, tracking, and metrics are all included in the plan, security can improve employee knowledge while simultaneously tracking and improving employee security performance and the protection of classified information.
Kerrie L. Kavulic is security training and education program manager, corporate security, for SAIC, headquartered in McLean, Virginia. She is a member of the ASIS International Defense and Intelligence Council.