Building a security awareness training program
Snapshot
Our client, a leading fashion retailer, knew that its organization was at risk and that its employees and contractors needed to improve their general security practices. Drawing on threat data from the Incident Management team, and in order to satisfy auditing requirements, the Governance, Risk and Compliance (GRC) team was tasked with developing a company-wide Security Awareness training program.
If successful, the program would raise awareness of the critical nature of solid security practices, deliver clear guidance on how to implement them, and scale to the company's large global employee and contractor base. Success would be measured by a completion rate of 90% or higher, an increase in potential threats reported to the Incident Management team, and fewer incidents introduced by employee actions.
Challenge
Kalles Group (KG) was brought in to partner with the GRC team to build the solution. Without an existing security training program, the team would need to start from the ground up by conducting an analysis, presenting options to management, receiving approval, and then building the solution.
To begin, the team reached out to key areas such as Incident Management and various IT groups to uncover current threats and practices, and to identify and prioritize the core set of security tasks and best practices that all employees and contractors would need to know about and implement.
It became clear early on that developing the training program in-house would be costly and time-consuming, and that acquiring the required expertise would lengthen the project further. The decision was therefore made to take advantage of existing resources and outsource the program's delivery to a qualified third party. RFPs (requests for proposals) were sent to qualified providers, and the team carefully analyzed the responses to narrow the field to a core set of eligible programs, which were presented to key stakeholders for selection.
Approach
A Security Awareness training program was packaged and presented to management for review and approval. The program would take a multi-pronged approach:
- 20 minutes of required Security Awareness training delivered online each quarter (four sessions a year)
- Skills and information would be supplemented with posters in every building in high-traffic areas such as elevators, cafeterias, and lobbies
- The company Intranet site would also reinforce the content with scrolling tips and articles that would be refreshed at various intervals
- Monthly brown bag presentations would be held with industry security experts on various security topics
- Security podcasts would be developed in-house to further support ongoing learning and retention
Results
The Security Awareness training program was initially rolled out to the Technology, Human Resources and Finance groups. The following month, it was expanded to all corporate employees and, finally, to retail stores.
The program was delivered on time and within budget. The organization showed auditors and assessors that a consistent and ongoing training program that raised awareness of security best practices was in place and required for all employees and contractors. In addition to satisfying auditing requirements, measures were put into place to track employee and contractor attendance, potential threat reports, and the number and type of recorded incidents.
The GRC and Kalles Group team partnered to build an effective long-term training solution that would help reduce security risks and threats to the organization going forward.
As employees share the value of the training they have received, training attendance has increased by more than 50% and fewer courses have been cancelled due to low attendance.