What Works? Culture-Informed Security Training Tips
Every organization’s culture will be a little different, and security teams will need to adapt their security training and awareness outreach to suit that culture. However, there’s definite value to be gained from other security leaders’ successes and challenges. Here, Security Management checks in with ASIS International members, researchers, and more to pull together some good practices.
Know Your Audience
How well do you know the needs, wants, and problems of your organization’s non-security workforce, from the C-suite to the frontline?
“Knowing the subject inside and out gives you an edge over the audience,” says Youssef Kchiere, a security professional with 20 years of experience with NATO, UN peacekeeping missions, and the Moroccan Royal Armed Forces. “As the expert, the audience will soon judge your ability to provide something more than common wisdom, or prevailing knowledge that could be acquired through reading manuals or visualizing videos. The promise of added value is key to enticing their interest, attention, and curiosity. Delivering on that promise rests on the second half of the rule.
“Knowing the audience allows you to tailor your message, tune your language, and choose the most appropriate medium and method of delivery that fits the audience’s educational and professional background,” he continues. “The presenter should not come across as arrogant or overly humble and should keep the audience’s attention through content that is engaging but maintains the appropriate level of seriousness given the context and content.
“Making training engaging and effective is also a matter of iteration and improvement. A trainer should dedicate enough time to preparation and rehearsal before delivering the training. He should also be alert enough to know when he is losing his audience’s interest, and humble enough to learn from the audience and his mistakes as he improves on the content and delivery methods. To call back the previous point, knowing the material well allows for adjustments on the fly and can aid in effective audience engagement activities like Q&As.”
Connect Employees’ Interests to the Company’s Goals
Make security training more engaging by connecting organizational risks—including national security, espionage, and intellectual property protection—to employees’ specific functions and their personal lives, advises Dora Korbmacher, CPP, security and controlled information manager at Saab Brasil Ltd.
“We point out impacts that an employee, his family, or friends might suffer depending on personal characteristics or issues in cases of espionage or intelligence collection,” she says. “It is in their own interest that they expose their personal lives, the personal lives of colleagues, and friends as little as possible. This not only makes them and the people they care about harder targets for intelligence collectors and spies, but also for criminals. This is important in Brazil.”
Korbmacher also leverages free cybersecurity education that is entertaining, informative, and easy for multiple audiences—including employees’ children or elders—to understand. “Since most people already worry about their most vulnerable family members, they pay attention to what we want to get across,” she adds.
Tie Security to Corporate Goals for Buy-In
Getting buy-in across an organization is critical for the successful adoption of security initiatives or new technology. Getting buy-in from leadership is the first milestone, especially if the security leader is trying to establish a mandatory training program and to set a reliable cadence for sessions, says James Curtis, APP, global physical security manager for Akamai Technologies.
To get that support both up and down the chain, Curtis recommends tying training to a company’s corporate goals and ethos.
If a company is focused on duty of care, for example, security can make the session resonate by outlining the elements of the proposed security training that are focused on safety and tying them to that goal.
“Furthermore, another example could be if a company’s goal/ethos encourages collaboration (one team), this could be used to empower the employee base to be responsible for security at the workplace and report suspicious activity or behavior,” Curtis adds.
Piggyback on Other Initiatives
If you’re struggling to get security training time on the calendar, see if there are any other departments’ initiatives you can take advantage of, says Rachel Briggs, OBE, CEO and co-founder of The Clarity Factory, which studies and consults on a variety of security management issues.
If the security leader wants to influence security awareness around supply chains, for example, he or she needs to connect with those business units.
“The first port of call has to be going and talking and listening—understanding what are the demands of this job, what are the realities of how you work and how you organize yourself, how much time have you got available, and are there things that you are doing already that we could piggyback onto,” Briggs says.
“One of the mistakes I see folks making a lot is creating whole new suites of materials and wanting to allocate new meetings, extra meetings, or extra time on the calendar,” she continues. Security leaders have a much greater chance of success by asking those business unit leaders what they are already doing to communicate with their teams—such as a regular all-hands meeting or quick weekly check-in—and asking for five minutes in those sessions for a quick security briefing.
“Now you have a captive audience; you’ve got people who are listening,” Briggs says. “They had to be there for that Monday morning weekly meeting anyway, and you’ve managed to monopolize five minutes of their time. You’re probably landing much better, much more memorably, than if you were trying to pull people off into something that half of them wouldn’t have time to go to, so they would be feeling distracted.”
Overall, Briggs advises, listen closely and look for opportunities to work with the grain, rather than against it, in terms of workplace culture and the reality of how people function in your organization.
Claire Meyer is editor-in-chief of Security Management.